Windows Analysis Report
BOSSARD_ORDER_4923521.exe

Overview

General Information

Sample name: BOSSARD_ORDER_4923521.exe
Analysis ID: 1519341
MD5: a9ea323ea2de4868acfb99b7959b54b6
SHA1: b66217db6ffda157a9252611f6b1d528f76f0420
SHA256: e17765cd72f6b95c8167f428ed734688d3b545c45c23e07407361e8979b49167
Tags: exe, user-cocaman
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • BOSSARD_ORDER_4923521.exe (PID: 6368 cmdline: "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe" MD5: A9EA323EA2DE4868ACFB99B7959B54B6)
    • powershell.exe (PID: 6884 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7056 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 7000 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CkVzvA.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 5016 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp64C0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • BOSSARD_ORDER_4923521.exe (PID: 1440 cmdline: "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe" MD5: A9EA323EA2DE4868ACFB99B7959B54B6)
  • CkVzvA.exe (PID: 6784 cmdline: C:\Users\user\AppData\Roaming\CkVzvA.exe MD5: A9EA323EA2DE4868ACFB99B7959B54B6)
    • schtasks.exe (PID: 7296 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp7BE1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • CkVzvA.exe (PID: 7348 cmdline: "C:\Users\user\AppData\Roaming\CkVzvA.exe" MD5: A9EA323EA2DE4868ACFB99B7959B54B6)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source | Rule | Description | Author | Strings
00000008.00000002.2916549567.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000D.00000002.2917730355.00000000030CE000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.2912731371.000000000042D000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.2912731371.000000000042D000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.2916549567.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(table truncated; 13 entries in total)

Source | Rule | Description | Author | Strings
0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
8.2.BOSSARD_ORDER_4923521.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.BOSSARD_ORDER_4923521.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(table truncated; 12 entries in total)

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", ParentImage: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe, ParentProcessId: 6368, ParentProcessName: BOSSARD_ORDER_4923521.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", ProcessId: 6884, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", ParentImage: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe, ParentProcessId: 6368, ParentProcessName: BOSSARD_ORDER_4923521.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", ProcessId: 6884, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp7BE1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp7BE1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\CkVzvA.exe, ParentImage: C:\Users\user\AppData\Roaming\CkVzvA.exe, ParentProcessId: 6784, ParentProcessName: CkVzvA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp7BE1.tmp", ProcessId: 7296, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe, Initiated: true, ProcessId: 1440, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp64C0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp64C0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", ParentImage: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe, ParentProcessId: 6368, ParentProcessName: BOSSARD_ORDER_4923521.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp64C0.tmp", ProcessId: 5016, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", ParentImage: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe, ParentProcessId: 6368, ParentProcessName: BOSSARD_ORDER_4923521.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", ProcessId: 6884, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp64C0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp64C0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe", ParentImage: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe, ParentProcessId: 6368, ParentProcessName: BOSSARD_ORDER_4923521.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp64C0.tmp", ProcessId: 5016, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: http://mail.iaa-airferight.com | Avira URL Cloud: Label: malware
Source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | ReversingLabs: Detection: 31%
Source: BOSSARD_ORDER_4923521.exe | ReversingLabs: Detection: 31%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Joe Sandbox ML: detected
Source: BOSSARD_ORDER_4923521.exe | Joe Sandbox ML: detected
Source: BOSSARD_ORDER_4923521.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: BOSSARD_ORDER_4923521.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: oKHN.pdbSHA256 source: BOSSARD_ORDER_4923521.exe, CkVzvA.exe.0.dr
Source: Binary string: oKHN.pdb source: BOSSARD_ORDER_4923521.exe, CkVzvA.exe.0.dr

Networking

Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f6b850.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: Joe Sandbox View | ASN Name: ASLAGIDKOM-NETUA
Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 46.175.148.58:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: BOSSARD_ORDER_4923521.exe, 00000008.00000002.2916549567.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, CkVzvA.exe, 0000000D.00000002.2917730355.00000000030D6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1724448779.0000000002D77000.00000004.00000800.00020000.00000000.sdmp, CkVzvA.exe, 00000009.00000002.1763566964.0000000002967000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731769517.00000000056D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1724979279.0000000003D29000.00000004.00000800.00020000.00000000.sdmp, BOSSARD_ORDER_4923521.exe, 00000008.00000002.2912731371.000000000042D000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.raw.unpack, SKTzxzsJw.cs | .Net Code: sf6jJs8S

                    System Summary

                    barindex
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 8.2.BOSSARD_ORDER_4923521.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3f6b850.6.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3f6b850.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: initial sampleStatic PE information: Filename: BOSSARD_ORDER_4923521.exe
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 0_2_02B7DE4C0_2_02B7DE4C
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 0_2_0AC01E180_2_0AC01E18
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 0_2_0AC01E180_2_0AC01E18
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 0_2_0AC049E80_2_0AC049E8
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_02984A988_2_02984A98
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_02989B388_2_02989B38
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_02983E808_2_02983E80
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_0298CDB08_2_0298CDB0
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_029841C88_2_029841C8
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_060856D88_2_060856D8
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_06082F008_2_06082F00
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_06083F488_2_06083F48
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_0608BD008_2_0608BD00
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_0608DD008_2_0608DD00
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_06089AE08_2_06089AE0
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_06088B888_2_06088B88
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_060800408_2_06080040
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_0608363B8_2_0608363B
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeCode function: 8_2_06084FF88_2_06084FF8
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 9_2_00F3DE4C9_2_00F3DE4C
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 9_2_04E873689_2_04E87368
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 9_2_04E800409_2_04E80040
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 9_2_04E8001F9_2_04E8001F
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 9_2_04E873589_2_04E87358
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 9_2_04E89D4D9_2_04E89D4D
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 9_2_06E00EF89_2_06E00EF8
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 9_2_06E00EE89_2_06E00EE8
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 9_2_06E03AB09_2_06E03AB0
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 9_2_06E00EF89_2_06E00EF8
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_01369B3813_2_01369B38
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_01364A9813_2_01364A98
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_0136CDB013_2_0136CDB0
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_01363E8013_2_01363E80
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_013641C813_2_013641C8
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_062456E013_2_062456E0
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_06243F5013_2_06243F50
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_0624BD0813_2_0624BD08
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_0624DD0813_2_0624DD08
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_06249AE813_2_06249AE8
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_06242B0013_2_06242B00
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_06248B9013_2_06248B90
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_0624004013_2_06240040
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_0624323B13_2_0624323B
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeCode function: 13_2_0624500013_2_06245000
                    Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1704810139.0000000000EAE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs BOSSARD_ORDER_4923521.exe
                    Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1724979279.0000000003D29000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs BOSSARD_ORDER_4923521.exe
                    Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1724979279.0000000003D29000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs BOSSARD_ORDER_4923521.exe
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1724448779.0000000002D77000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs BOSSARD_ORDER_4923521.exe
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000000.1672418889.00000000009E0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameoKHN.exeD vs BOSSARD_ORDER_4923521.exe
Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1735842235.0000000007D00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs BOSSARD_ORDER_4923521.exe
Source: BOSSARD_ORDER_4923521.exe, 00000008.00000002.2913146096.00000000009F8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs BOSSARD_ORDER_4923521.exe
Source: BOSSARD_ORDER_4923521.exe, 00000008.00000002.2912731371.000000000042D000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs BOSSARD_ORDER_4923521.exe
Source: BOSSARD_ORDER_4923521.exe | Binary or memory string: OriginalFilenameoKHN.exeD vs BOSSARD_ORDER_4923521.exe
Source: BOSSARD_ORDER_4923521.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 8.2.BOSSARD_ORDER_4923521.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BOSSARD_ORDER_4923521.exe.3f6b850.6.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BOSSARD_ORDER_4923521.exe.3f6b850.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: BOSSARD_ORDER_4923521.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: CkVzvA.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, mKrm5ZWF2QgTgeTpdY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, mxmaXhgBpebV5pfOrf.cs | Security API names: _0020.SetAccessControl
Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, mxmaXhgBpebV5pfOrf.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, mxmaXhgBpebV5pfOrf.cs | Security API names: _0020.AddAccessRule
Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, mxmaXhgBpebV5pfOrf.cs | Security API names: _0020.SetAccessControl
Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, mxmaXhgBpebV5pfOrf.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, mxmaXhgBpebV5pfOrf.cs | Security API names: _0020.AddAccessRule
Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, mKrm5ZWF2QgTgeTpdY.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/15@1/1
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | File created: C:\Users\user\AppData\Roaming\CkVzvA.exe
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5232:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6904:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7304:120:WilError_03
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | File created: C:\Users\user\AppData\Local\Temp\tmp64C0.tmp
Source: BOSSARD_ORDER_4923521.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: BOSSARD_ORDER_4923521.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | File read: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe
Source: unknown | Process created: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe"
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CkVzvA.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp64C0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Process created: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\CkVzvA.exe C:\Users\user\AppData\Roaming\CkVzvA.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp7BE1.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Process created: C:\Users\user\AppData\Roaming\CkVzvA.exe "C:\Users\user\AppData\Roaming\CkVzvA.exe"
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: BOSSARD_ORDER_4923521.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: BOSSARD_ORDER_4923521.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: BOSSARD_ORDER_4923521.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: oKHN.pdbSHA256 source: BOSSARD_ORDER_4923521.exe, CkVzvA.exe.0.dr
                    Source: Binary string: oKHN.pdb source: BOSSARD_ORDER_4923521.exe, CkVzvA.exe.0.dr

                    Data Obfuscation

                    Source: BOSSARD_ORDER_4923521.exe, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: CkVzvA.exe.0.dr, Form1.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.5560000.7.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.2da4290.3.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, mxmaXhgBpebV5pfOrf.cs | .Net Code: ed65TkbHtL System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.2d55300.2.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.2dad8a8.0.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.2d5e918.1.raw.unpack, JK.cs | .Net Code: ve System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, mxmaXhgBpebV5pfOrf.cs | .Net Code: ed65TkbHtL System.Reflection.Assembly.Load(byte[])
                    Source: BOSSARD_ORDER_4923521.exe | Static PE information: 0xA209C897 [Wed Feb 23 16:49:27 2056 UTC]
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Code function: 0_2_02B7EF83 push eax; iretd 0_2_02B7EF89
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Code function: 9_2_00F3EF83 push eax; iretd 9_2_00F3EF89
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Code function: 9_2_04E8A5CD pushad ; ret 9_2_04E8A5D3
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Code function: 9_2_04E8A5DF pushad ; ret 9_2_04E8A5E3
                    Source: BOSSARD_ORDER_4923521.exe | Static PE information: section name: .text entropy: 7.866071059583154
                    Source: CkVzvA.exe.0.dr | Static PE information: section name: .text entropy: 7.866071059583154
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.5560000.7.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.2da4290.3.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, Xny04lqbFXsCnUxD3s.cs | High entropy of concatenated method names: 'j5JRLlVcFD', 'akpRxBF431', 'GxthrUJtP9', 'nwbhyhHvJy', 'jVRRJ3GHbD', 'RD1RaQryq6', 'L17RceAXjs', 'wejR7ge4m6', 'XtwRbFaCqF', 'H7PROZyucf'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, RIYZoacIuFoJ120Lfj.cs | High entropy of concatenated method names: 'b9yvWPCBv6', 'AViv6I2naj', 'hYYv9HgNOE', 'SK0vptbjXn', 'XdevjAIjks', 'HCFvAUeXyA', 'DskvCrCHsw', 'fSrv8htm3D', 'K90vlKQnB5', 'fOkvJDyJnL'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, cyoH3vGnrh74jGY2lE.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'lUMdiC9XPZ', 'KbUdxnaN8K', 'm3jdzOOG9s', 'PAHIrbJ1nP', 'n96IybiNNr', 'fFeIdWHQTL', 'LYkIIQHko8', 'RUo9hWASRPrL9NtElGc'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, Ao6gAMyILU2F5bb0gZu.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lQW4716Xv3', 'qWV4bQ78TO', 'Q0b4OJnlTn', 'Hw34VxhHvT', 'G0Q4u01TdU', 'hZJ4q3ZMOB', 'TD84kBjHG2'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, aWCsek73D53MfenO7m.cs | High entropy of concatenated method names: 'mjktlpTfy4', 'Rp4taOQEXy', 'YjSt78pZ3c', 'J7Etbe6xpE', 'QPOtp8ABNr', 'tvFtf8YMpn', 'mUUtjkBpW8', 'L9XtAPtZrb', 'SchtKdkdg0', 'cwytCIwUKF'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, Gecj6f9kmhWiXgSByj.cs | High entropy of concatenated method names: 'LB0EQuMx5F', 'J10EsBOXlu', 'aAZEmCLxRv', 'AWlEHZejWd', 'AxEEgwquqH', 'lK3muXFAD4', 'pAPmqLih3s', 'Y9emkLJJgV', 'VsLmLqmZHA', 'rmfmi6ToVM'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, mKrm5ZWF2QgTgeTpdY.cs | High entropy of concatenated method names: 'pQls7PkpkQ', 'fh3sb2HBIW', 'TpBsOmRD37', 'RjOsVepSD1', 'Ktbsu8nlK9', 'YhSsqdjf0P', 'zuTskn1eCP', 'ajbsLxteng', 'WIasilBOX0', 'TaXsxrx4cx'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, rvUvKy5Z1sueYJ30wT.cs | High entropy of concatenated method names: 'SX3yHKrm5Z', 'u2QyggTgeT', 'eN3y3fj1nf', 'TVVyZEqvpb', 'WuVyttS9ec', 'I6fy0kmhWi', 'Pg4S0FMh1g8v8nW48c', 'WEWOXOfkq3VLXG5CDO', 'd5VyyESY2g', 'bD3yIH1axh'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, VvpbNYoo2PkwJLuVtS.cs | High entropy of concatenated method names: 'CSXmPPW4oG', 'KIGmeUFLav', 'AdmGfnq8vZ', 'qO3GjpMu2G', 'XA8GASUhop', 'QyLGK9SqgF', 'RyaGCbMPrJ', 'xg2G8teOrs', 'kJgGMGZT46', 'TmWGlBubLy'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, g8jmQ56N3fj1nfVVVE.cs | High entropy of concatenated method names: 'kxnGS3rjqk', 'p4UGYTd4Sp', 'mq5GWYGN3E', 'huQG6iYe3O', 'GUmGtXsanp', 'ie0G079Aic', 'xU4GRf3wVw', 'ITBGhQV8G1', 'l8rGnIkjvM', 'SjbG43fxBZ'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, uFhw1WMQUqjiFqTAjO.cs | High entropy of concatenated method names: 'o8THXj3xFN', 'N2SHNkeICO', 'F8KHT0aqQ1', 'aICHSJxjxc', 'GjiHPyTEYV', 'l1CHY7tT9E', 'YcWHekpk5L', 'UZ5HWlhMHW', 'Tj2H605HGZ', 'mV2HoDbQLl'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, bhBpeJLEmcnMThu6JI.cs | High entropy of concatenated method names: 'YKphBSUm4w', 'Kgwhs996Bq', 'tNvhGLRcpN', 'RcIhmGxj6c', 'cl4hEfiXoh', 'Sw2hHQdluZ', 'xDOhg4JW8Z', 'YLWhDYTlIY', 'Fgyh3bPnNY', 'RkahZvisFZ'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, YNjRvCsw443RUYT5RT.cs | High entropy of concatenated method names: 'Dispose', 'vcIyikVVAD', 'TjHdpMktGN', 'oV9QQQKRUy', 'RyhyxBpeJE', 'icnyzMThu6', 'ProcessDialogKey', 'OIedrBoq8y', 'Dqody4w20S', 'OZkdd2eOdv'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, mxmaXhgBpebV5pfOrf.cs | High entropy of concatenated method names: 'Gx3IQpxt4q', 'SulIB522us', 'GZ2Isj5JAn', 'H14IGEV5xm', 'tcRImYhLmx', 'M16IEmPnqZ', 'EX8IHqtUQ7', 'DH8IgTd84Y', 'jMhIDq8xfl', 'K28I3uZCZq'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, xeOdv1x0KKioHCQ1hl.cs | High entropy of concatenated method names: 'F46nyZkQkc', 'RrynI9nMkZ', 'z0Tn51tUYO', 'vm1nBZMysI', 'cU5nsmMpR3', 'XxEnmpugaB', 'GwrnECXdtY', 'QsDhkwIJBJ', 'l1phL0TLlE', 'UgbhirCoqX'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, EZvuMUyya9v19EOyHVv.cs | High entropy of concatenated method names: 'ToString', 'sFb4IJayvd', 'm1k45M8qVb', 'w9d4Q2LHQI', 'YtH4B7HTad', 'HpA4sqRxRS', 'wmZ4G4ZqcP', 'kV04mV7MXs', 'm1PWS9LlWwild1LOgrH', 'XFEOo4LCGQFyZG9gjwH'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, pafKDwyrSBn4LMXh6Xv.cs | High entropy of concatenated method names: 'cBUnXQERBP', 'znKnNNpsfJ', 'IRXnTmO2wp', 'wp4nSA57FO', 'UW0nP7WXu7', 'bPonYsb5AP', 'I06neaNDE7', 'VObnWp98uM', 'ewJn6WRPho', 'YK5noE1a5x'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, m8KAT1dbj7BUQ7cYcH.cs | High entropy of concatenated method names: 'oP4TT0mqD', 'sKESl1Tal', 'Q0BYhwJP7', 'ElMeCunAJ', 'HAq6QVwu0', 'zbJogYSg6', 'cxM73TIjpannsyYstv', 'c2JjE6oWBkCH4VXOjj', 'AaFh1meuC', 'pLk4FxPVm'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, CBoq8yieqo4w20SJZk.cs | High entropy of concatenated method names: 'Fa8h9lVsd9', 'DEQhp04S0j', 'J9HhfJRygw', 'DC1hjfFoGo', 'EBeh780ZCk', 'IiXhAp6S9D', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.7d00000.8.raw.unpack, wZoB3eCiGElJysUaVl.cs | High entropy of concatenated method names: 'HE9HBDMFFd', 'YNhHGumheD', 'zQ7HEB6nxy', 'taQExP8nTV', 'MYHEzBnQ6a', 'pl1Hrs39yJ', 'I1dHy67HZR', 'pXCHdJBHsI', 'Mq4HIWlW0E', 'W4eH5r9gQ7'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.2d55300.2.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.2dad8a8.0.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.2d5e918.1.raw.unpack, JK.cs | High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, Xny04lqbFXsCnUxD3s.cs | High entropy of concatenated method names: 'j5JRLlVcFD', 'akpRxBF431', 'GxthrUJtP9', 'nwbhyhHvJy', 'jVRRJ3GHbD', 'RD1RaQryq6', 'L17RceAXjs', 'wejR7ge4m6', 'XtwRbFaCqF', 'H7PROZyucf'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, RIYZoacIuFoJ120Lfj.cs | High entropy of concatenated method names: 'b9yvWPCBv6', 'AViv6I2naj', 'hYYv9HgNOE', 'SK0vptbjXn', 'XdevjAIjks', 'HCFvAUeXyA', 'DskvCrCHsw', 'fSrv8htm3D', 'K90vlKQnB5', 'fOkvJDyJnL'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, cyoH3vGnrh74jGY2lE.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'lUMdiC9XPZ', 'KbUdxnaN8K', 'm3jdzOOG9s', 'PAHIrbJ1nP', 'n96IybiNNr', 'fFeIdWHQTL', 'LYkIIQHko8', 'RUo9hWASRPrL9NtElGc'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, Ao6gAMyILU2F5bb0gZu.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lQW4716Xv3', 'qWV4bQ78TO', 'Q0b4OJnlTn', 'Hw34VxhHvT', 'G0Q4u01TdU', 'hZJ4q3ZMOB', 'TD84kBjHG2'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, aWCsek73D53MfenO7m.cs | High entropy of concatenated method names: 'mjktlpTfy4', 'Rp4taOQEXy', 'YjSt78pZ3c', 'J7Etbe6xpE', 'QPOtp8ABNr', 'tvFtf8YMpn', 'mUUtjkBpW8', 'L9XtAPtZrb', 'SchtKdkdg0', 'cwytCIwUKF'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, Gecj6f9kmhWiXgSByj.cs | High entropy of concatenated method names: 'LB0EQuMx5F', 'J10EsBOXlu', 'aAZEmCLxRv', 'AWlEHZejWd', 'AxEEgwquqH', 'lK3muXFAD4', 'pAPmqLih3s', 'Y9emkLJJgV', 'VsLmLqmZHA', 'rmfmi6ToVM'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, mKrm5ZWF2QgTgeTpdY.cs | High entropy of concatenated method names: 'pQls7PkpkQ', 'fh3sb2HBIW', 'TpBsOmRD37', 'RjOsVepSD1', 'Ktbsu8nlK9', 'YhSsqdjf0P', 'zuTskn1eCP', 'ajbsLxteng', 'WIasilBOX0', 'TaXsxrx4cx'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, rvUvKy5Z1sueYJ30wT.cs | High entropy of concatenated method names: 'SX3yHKrm5Z', 'u2QyggTgeT', 'eN3y3fj1nf', 'TVVyZEqvpb', 'WuVyttS9ec', 'I6fy0kmhWi', 'Pg4S0FMh1g8v8nW48c', 'WEWOXOfkq3VLXG5CDO', 'd5VyyESY2g', 'bD3yIH1axh'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, VvpbNYoo2PkwJLuVtS.cs | High entropy of concatenated method names: 'CSXmPPW4oG', 'KIGmeUFLav', 'AdmGfnq8vZ', 'qO3GjpMu2G', 'XA8GASUhop', 'QyLGK9SqgF', 'RyaGCbMPrJ', 'xg2G8teOrs', 'kJgGMGZT46', 'TmWGlBubLy'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, g8jmQ56N3fj1nfVVVE.cs | High entropy of concatenated method names: 'kxnGS3rjqk', 'p4UGYTd4Sp', 'mq5GWYGN3E', 'huQG6iYe3O', 'GUmGtXsanp', 'ie0G079Aic', 'xU4GRf3wVw', 'ITBGhQV8G1', 'l8rGnIkjvM', 'SjbG43fxBZ'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, uFhw1WMQUqjiFqTAjO.cs | High entropy of concatenated method names: 'o8THXj3xFN', 'N2SHNkeICO', 'F8KHT0aqQ1', 'aICHSJxjxc', 'GjiHPyTEYV', 'l1CHY7tT9E', 'YcWHekpk5L', 'UZ5HWlhMHW', 'Tj2H605HGZ', 'mV2HoDbQLl'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, bhBpeJLEmcnMThu6JI.cs | High entropy of concatenated method names: 'YKphBSUm4w', 'Kgwhs996Bq', 'tNvhGLRcpN', 'RcIhmGxj6c', 'cl4hEfiXoh', 'Sw2hHQdluZ', 'xDOhg4JW8Z', 'YLWhDYTlIY', 'Fgyh3bPnNY', 'RkahZvisFZ'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, YNjRvCsw443RUYT5RT.cs | High entropy of concatenated method names: 'Dispose', 'vcIyikVVAD', 'TjHdpMktGN', 'oV9QQQKRUy', 'RyhyxBpeJE', 'icnyzMThu6', 'ProcessDialogKey', 'OIedrBoq8y', 'Dqody4w20S', 'OZkdd2eOdv'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, mxmaXhgBpebV5pfOrf.cs | High entropy of concatenated method names: 'Gx3IQpxt4q', 'SulIB522us', 'GZ2Isj5JAn', 'H14IGEV5xm', 'tcRImYhLmx', 'M16IEmPnqZ', 'EX8IHqtUQ7', 'DH8IgTd84Y', 'jMhIDq8xfl', 'K28I3uZCZq'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, xeOdv1x0KKioHCQ1hl.cs | High entropy of concatenated method names: 'F46nyZkQkc', 'RrynI9nMkZ', 'z0Tn51tUYO', 'vm1nBZMysI', 'cU5nsmMpR3', 'XxEnmpugaB', 'GwrnECXdtY', 'QsDhkwIJBJ', 'l1phL0TLlE', 'UgbhirCoqX'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, EZvuMUyya9v19EOyHVv.cs | High entropy of concatenated method names: 'ToString', 'sFb4IJayvd', 'm1k45M8qVb', 'w9d4Q2LHQI', 'YtH4B7HTad', 'HpA4sqRxRS', 'wmZ4G4ZqcP', 'kV04mV7MXs', 'm1PWS9LlWwild1LOgrH', 'XFEOo4LCGQFyZG9gjwH'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, pafKDwyrSBn4LMXh6Xv.cs | High entropy of concatenated method names: 'cBUnXQERBP', 'znKnNNpsfJ', 'IRXnTmO2wp', 'wp4nSA57FO', 'UW0nP7WXu7', 'bPonYsb5AP', 'I06neaNDE7', 'VObnWp98uM', 'ewJn6WRPho', 'YK5noE1a5x'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, m8KAT1dbj7BUQ7cYcH.cs | High entropy of concatenated method names: 'oP4TT0mqD', 'sKESl1Tal', 'Q0BYhwJP7', 'ElMeCunAJ', 'HAq6QVwu0', 'zbJogYSg6', 'cxM73TIjpannsyYstv', 'c2JjE6oWBkCH4VXOjj', 'AaFh1meuC', 'pLk4FxPVm'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, CBoq8yieqo4w20SJZk.cs | High entropy of concatenated method names: 'Fa8h9lVsd9', 'DEQhp04S0j', 'J9HhfJRygw', 'DC1hjfFoGo', 'EBeh780ZCk', 'IiXhAp6S9D', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.BOSSARD_ORDER_4923521.exe.3fad250.4.raw.unpack, wZoB3eCiGElJysUaVl.cs | High entropy of concatenated method names: 'HE9HBDMFFd', 'YNhHGumheD', 'zQ7HEB6nxy', 'taQExP8nTV', 'MYHEzBnQ6a', 'pl1Hrs39yJ', 'I1dHy67HZR', 'pXCHdJBHsI', 'Mq4HIWlW0E', 'W4eH5r9gQ7'
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | File created: C:\Users\user\AppData\Roaming\CkVzvA.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp64C0.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match, File source: Process Memory Space: BOSSARD_ORDER_4923521.exe PID: 6368, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: CkVzvA.exe PID: 6784, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Memory allocated: 2B30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Memory allocated: 2D20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Memory allocated: 4D20000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Memory allocated: 7E80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Memory allocated: 8E80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Memory allocated: 9040000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Memory allocated: A040000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Memory allocated: 2980000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Memory allocated: 2B30000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Memory allocated: 4B30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Memory allocated: F30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Memory allocated: 2910000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Memory allocated: 4910000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Memory allocated: 75C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Memory allocated: 85C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Memory allocated: 8770000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Memory allocated: 9770000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Memory allocated: 1320000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Memory allocated: 3080000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Memory allocated: 2E10000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4461
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4000
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Window / User API: threadDelayed 5308
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Window / User API: threadDelayed 4483
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Window / User API: threadDelayed 2279
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Window / User API: threadDelayed 7552
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 6448 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6964 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1368 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7068 Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6224 Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep count: 38 > 30
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -35048813740048126s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 5408 Thread sleep count: 5308 > 30
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -99782s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -99503s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -99194s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -99073s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -98952s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -98822s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -98717s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -98579s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -98438s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -98319s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -98169s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -98047s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -97923s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -97797s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 5408 Thread sleep count: 4483 > 30
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -97688s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -97563s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -97453s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -97344s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -97219s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -97110s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -96985s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -96860s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -96735s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -96610s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -96485s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -96360s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -96235s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -96110s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -95985s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -95860s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -95735s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -95610s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -95485s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -95360s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -95235s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -95110s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -94985s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -94813s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -94521s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -94391s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -94281s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -94172s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -94063s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -93938s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -93813s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -93688s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -93578s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -93469s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -93344s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -93235s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -93094s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -92985s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -92875s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -92766s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe TID: 7044 Thread sleep time: -92641s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7244 Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep count: 39 > 30
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -35971150943733603s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7428 Thread sleep count: 2279 > 30
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -99889s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7428 Thread sleep count: 7552 > 30
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -99780s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -99594s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -99365s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -99235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -99110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -98979s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -98860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -98735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -98610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -98485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -98235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -98110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -97982s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -97860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -97735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -97610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -97485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -97360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -97235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -97086s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -96969s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -96838s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -96711s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -96594s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -96485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -96360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -96235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -96110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -95985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -95860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -95735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -95610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -95485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -95360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -95235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -95110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -94981s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -94860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -94735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -94610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -94485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -94335s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -94219s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -94102s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -93985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -93875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe TID: 7420 Thread sleep time: -93764s >= -30000s
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 99782
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 99503
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 99194
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 99073
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 98952
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 98822
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 98717
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 98579
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 98438
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 98319
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 98169
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 98047
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 97923
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 97797
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 97688
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 97563
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 97453
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 97344
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 97219
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 97110
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 96985
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 96860
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 96735
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 96610
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 96485
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 96360
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 96235
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 96110
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 95985
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 95860
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 95735
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 95610
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 95485
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 95360
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 95235
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 95110
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 94985
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 94813
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 94521
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 94391
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 94281
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 94172
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 94063
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 93938
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 93813
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 93688
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 93578
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 93469
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 93344
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 93235
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 93094
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 92985
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 92875
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 92766
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Thread delayed: delay time: 92641
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 99889
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 99780
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 99594
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 99365
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 99235
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 99110
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 98979
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 98860
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 98735
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 98610
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 98485
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 98360
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 98235
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 98110
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 97982
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 97860
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 97735
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 97610
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 97485
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 97360
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 97235
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 97086
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 96969
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 96838
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 96711
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 96594
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 96485
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 96360
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 96235
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 96110
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 95985
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 95860
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 95735
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 95610
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 95485
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 95360
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 95235
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 95110
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 94981
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 94860
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 94735
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 94610
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 94485
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 94335
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 94219
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 94102
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 93985
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 93875
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Thread delayed: delay time: 93764
                    Source: BOSSARD_ORDER_4923521.exe, 00000000.00000002.1704810139.0000000000F17000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}2Ei
                    Source: BOSSARD_ORDER_4923521.exe, 00000008.00000002.2913676454.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, CkVzvA.exe, 0000000D.00000002.2915835080.000000000143D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe"
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CkVzvA.exe"
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp64C0.tmp"
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Process created: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe"
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp7BE1.tmp"
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe Process created: C:\Users\user\AppData\Roaming\CkVzvA.exe "C:\Users\user\AppData\Roaming\CkVzvA.exe"
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\OFFSYMXL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat | VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Queries volume information: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Queries volume information: C:\Users\user\AppData\Roaming\CkVzvA.exe | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Queries volume information: C:\Users\user\AppData\Roaming\CkVzvA.exe | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll | VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll | VolumeInformation
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.BOSSARD_ORDER_4923521.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f6b850.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f6b850.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.2916549567.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.2917730355.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2912731371.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2916549567.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.2917730355.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1724979279.0000000003D29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: BOSSARD_ORDER_4923521.exe PID: 6368, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: BOSSARD_ORDER_4923521.exe PID: 1440, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CkVzvA.exe PID: 7348, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\CkVzvA.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.BOSSARD_ORDER_4923521.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f6b850.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f6b850.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.2912731371.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2916549567.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.2917730355.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1724979279.0000000003D29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: BOSSARD_ORDER_4923521.exe PID: 6368, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: BOSSARD_ORDER_4923521.exe PID: 1440, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CkVzvA.exe PID: 7348, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 8.2.BOSSARD_ORDER_4923521.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f6b850.6.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f6b850.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.BOSSARD_ORDER_4923521.exe.3f30e30.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.2916549567.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.2917730355.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2912731371.000000000042D000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2916549567.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.2917730355.0000000003081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1724979279.0000000003D29000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: BOSSARD_ORDER_4923521.exe PID: 6368, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: BOSSARD_ORDER_4923521.exe PID: 1440, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: CkVzvA.exe PID: 7348, type: MEMORYSTR
                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    11
                    Disable or Modify Tools
                    2
                    OS Credential Dumping
                    1
                    File and Directory Discovery
                    Remote Services11
                    Archive Collected Data
                    1
                    Encrypted Channel
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job
                    1
                    Scheduled Task/Job
                    11
                    Process Injection
                    1
                    Deobfuscate/Decode Files or Information
                    1
                    Input Capture
                    24
                    System Information Discovery
                    Remote Desktop Protocol2
                    Data from Local System
                    1
                    Non-Application Layer Protocol
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    Scheduled Task/Job
                    2
                    Obfuscated Files or Information
                    1
                    Credentials in Registry
                    211
                    Security Software Discovery
                    SMB/Windows Admin Shares1
                    Email Collection
                    11
                    Application Layer Protocol
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing
                    NTDS1
                    Process Discovery
                    Distributed Component Object Model1
                    Input Capture
                    Protocol ImpersonationTraffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Timestomp
                    LSA Secrets141
                    Virtualization/Sandbox Evasion
                    SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading
                    Cached Domain Credentials1
                    Application Window Discovery
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    Masquerading
                    DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
                    Virtualization/Sandbox Evasion
                    Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt11
                    Process Injection
                    /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    Behavior Graph ID: 1519341
                    Sample: BOSSARD_ORDER_4923521.exe
                    Start date: 26/09/2024
                    Architecture: WINDOWS
                    Score: 100

                    Sample node
                    • DNS/IP: mail.iaa-airferight.com
                    • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures
                    • Started: BOSSARD_ORDER_4923521.exe 7; CkVzvA.exe 5

                    BOSSARD_ORDER_4923521.exe 7
                    • Dropped: C:\Users\user\AppData\Roaming\CkVzvA.exe (PE32); C:\Users\user\...\CkVzvA.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp64C0.tmp (XML); C:\Users\...\BOSSARD_ORDER_4923521.exe.log (ASCII)
                    • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
                    • Started: BOSSARD_ORDER_4923521.exe 2; powershell.exe 23; powershell.exe 23; schtasks.exe 1

                    BOSSARD_ORDER_4923521.exe 2 (child of BOSSARD_ORDER_4923521.exe 7)
                    • DNS/IP: mail.iaa-airferight.com 46.175.148.58, 25 ASLAGIDKOM-NETUA Ukraine

                    powershell.exe 23 (first instance)
                    • Signatures: Loading BitLocker PowerShell Module
                    • Started: conhost.exe; WmiPrvSE.exe

                    powershell.exe 23 (second instance)
                    • Started: conhost.exe

                    schtasks.exe 1
                    • Started: conhost.exe

                    CkVzvA.exe 5
                    • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                    • Started: CkVzvA.exe; schtasks.exe

                    CkVzvA.exe (child of CkVzvA.exe 5)
                    • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

                    schtasks.exe (child of CkVzvA.exe 5)
                    • Started: conhost.exe

                    Source | Detection | Scanner | Label
                    BOSSARD_ORDER_4923521.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                    BOSSARD_ORDER_4923521.exe | 100% | Joe Sandbox ML |
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Roaming\CkVzvA.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Roaming\CkVzvA.exe | 32% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    http://www.fontbureau.com | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designersG | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers/? | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
                    https://account.dyn.com/ | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers? | 0% | URL Reputation | safe
                    http://www.tiro.com | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers | 0% | URL Reputation | safe
                    http://www.goodfont.co.kr | 0% | URL Reputation | safe
                    http://www.carterandcone.coml | 0% | URL Reputation | safe
                    http://www.sajatypeworks.com | 0% | URL Reputation | safe
                    http://www.typography.netD | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers/cabarga.htmlN | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
                    http://www.founder.com.cn/cn | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers/frere-user.html | 0% | URL Reputation | safe
                    http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
                    http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
                    http://www.fontbureau.com/designers8 | 0% | URL Reputation | safe
                    http://www.fonts.com | 0% | URL Reputation | safe
                    http://www.sandoll.co.kr | 0% | URL Reputation | safe
                    http://www.urwpp.deDPlease | 0% | URL Reputation | safe
                    http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    http://www.sakkal.com | 0% | URL Reputation | safe
                    http://www.apache.org/licenses/LICENSE-2.0 | 0% | Avira URL Cloud | safe
                    http://mail.iaa-airferight.com | 100% | Avira URL Cloud | malware
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    mail.iaa-airferight.com | 46.175.148.58 | true | true | | unknown
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://www.apache.org/licenses/LICENSE-2.0 | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    http://www.fontbureau.com | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designersG | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designers/? | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.founder.com.cn/cn/bThe | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    https://account.dyn.com/ | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1724979279.0000000003D29000.00000004.00000800.00020000.00000000.sdmp, BOSSARD_ORDER_4923521.exe, 00000008.00000002.2912731371.000000000042D000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designers? | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://mail.iaa-airferight.com | BOSSARD_ORDER_4923521.exe, 00000008.00000002.2916549567.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, CkVzvA.exe, 0000000D.00000002.2917730355.00000000030D6000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
                    http://www.tiro.com | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designers | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.goodfont.co.kr | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.carterandcone.coml | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.sajatypeworks.com | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.typography.netD | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designers/cabarga.htmlN | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.founder.com.cn/cn/cThe | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.galapagosdesign.com/staff/dennis.htm | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.founder.com.cn/cn | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designers/frere-user.html | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.jiyu-kobo.co.jp/ | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.galapagosdesign.com/DPlease | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fontbureau.com/designers8 | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.fonts.com | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.sandoll.co.kr | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.urwpp.deDPlease | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.zhongyicts.com.cn | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1724448779.0000000002D77000.00000004.00000800.00020000.00000000.sdmp, CkVzvA.exe, 00000009.00000002.1763566964.0000000002967000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://www.sakkal.com | BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731856610.0000000006EC2000.00000004.00000800.00020000.00000000.sdmp, BOSSARD_ORDER_4923521.exe, 00000000.00000002.1731769517.00000000056D0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1519341
                      Start date and time:2024-09-26 11:46:09 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 7m 3s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:BOSSARD_ORDER_4923521.exe
                      Detection:MAL
                      Classification:mal100.troj.spyw.evad.winEXE@19/15@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 127
                      • Number of non-executed functions: 2
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size exceeded maximum capacity and may have missing behavior information.
                      • Report size getting too big, too many NtCreateKey calls found.
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • VT rate limit hit for: BOSSARD_ORDER_4923521.exe
Time | Type | Description
05:47:01 | API Interceptor | 172x Sleep call for process: BOSSARD_ORDER_4923521.exe modified
05:47:03 | API Interceptor | 42x Sleep call for process: powershell.exe modified
05:47:07 | API Interceptor | 175x Sleep call for process: CkVzvA.exe modified
10:47:03 | Task Scheduler | Run new task: CkVzvA path: C:\Users\user\AppData\Roaming\CkVzvA.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.175.148.58 | Telco 32pcs New Purchase Order.exe | malicious | AgentTesla | 
46.175.148.58 | Ningbo - Past Due Invoices.scr.exe | malicious | AgentTesla | 
46.175.148.58 | Samsung PO 20240920.exe | malicious | AgentTesla | 
46.175.148.58 | PO-3500036071.exe | malicious | AgentTesla | 
46.175.148.58 | PI #OVES1912196.scr.exe | malicious | AgentTesla | 
46.175.148.58 | SPW AW25 - PO.010 SMS.exe | malicious | AgentTesla | 
46.175.148.58 | SPW AW25 - PO.010 SMS.exe | malicious | AgentTesla | 
46.175.148.58 | LEVER STYLE SEP BUY ORDER & C248SH12.exe | malicious | AgentTesla | 
46.175.148.58 | SPW AW25 - PO.010.exe | malicious | AgentTesla | 
46.175.148.58 | Asco Valve Shanghai OrderPO-011024.exe | malicious | AgentTesla | 

Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.iaa-airferight.com | Telco 32pcs New Purchase Order.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Ningbo - Past Due Invoices.scr.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Samsung PO 20240920.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | PO-3500036071.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | PI #OVES1912196.scr.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | SPW AW25 - PO.010 SMS.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | SPW AW25 - PO.010 SMS.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | LEVER STYLE SEP BUY ORDER & C248SH12.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | SPW AW25 - PO.010.exe | malicious | AgentTesla | 46.175.148.58
mail.iaa-airferight.com | Asco Valve Shanghai OrderPO-011024.exe | malicious | AgentTesla | 46.175.148.58

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ASLAGIDKOM-NETUA | Telco 32pcs New Purchase Order.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | Ningbo - Past Due Invoices.scr.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | Samsung PO 20240920.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | PO-3500036071.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | PI #OVES1912196.scr.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | SPW AW25 - PO.010 SMS.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | SPW AW25 - PO.010 SMS.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | LEVER STYLE SEP BUY ORDER & C248SH12.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | SPW AW25 - PO.010.exe | malicious | AgentTesla | 46.175.148.58
ASLAGIDKOM-NETUA | Asco Valve Shanghai OrderPO-011024.exe | malicious | AgentTesla | 46.175.148.58
                                          No context
                                          No context
                                          Process:C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:true
                                          Reputation:high, very likely benign file
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Users\user\AppData\Roaming\CkVzvA.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:modified
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2232
                                          Entropy (8bit):5.379184608538005
                                          Encrypted:false
                                          SSDEEP:48:bWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:bLHyIFKL3IZ2KRH9Oug8s
                                          MD5:32C8C204432B7687016ADE524CBB8A38
                                          SHA1:5BB5C1542B1C92A3AD3D32D903F9EC6BDECDBEC7
                                          SHA-256:4416494F034C07C8AAEC8816DDE9F3F85DF5BE5B4991E9D49DB4D38A6C01E084
                                          SHA-512:B0860D749404827522ABF2A6885A9CC0D45A573BB3D328DF09020CC9FA1B225DDD7FFD9EDC83CF577C96904668AD1E1FFED9D073C4C53F6EE45A07DD22210DD3
                                          Malicious:false
                                          Preview:@...e.................................&..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1572
                                          Entropy (8bit):5.113713628449464
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaOxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTTv
                                          MD5:1107D8281CAFBA00C3880F9C67A1754A
                                          SHA1:9116B83D4CEAFB53752309054553C67B25D4614D
                                          SHA-256:60EEA995A4897660AC1C8BF0B81CBED10AAA5F539FA87AF551650D959BADC8B6
                                          SHA-512:BC879967D6667640CACB01C45FFD24466ED645914B532F257D186570D4900A8EC0A65D9DE4A1619218FD299E290964E2577055E90C10EBB2138B0C7888120F1E
                                          Malicious:true
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                          Process:C:\Users\user\AppData\Roaming\CkVzvA.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1572
                                          Entropy (8bit):5.113713628449464
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaOxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTTv
                                          MD5:1107D8281CAFBA00C3880F9C67A1754A
                                          SHA1:9116B83D4CEAFB53752309054553C67B25D4614D
                                          SHA-256:60EEA995A4897660AC1C8BF0B81CBED10AAA5F539FA87AF551650D959BADC8B6
                                          SHA-512:BC879967D6667640CACB01C45FFD24466ED645914B532F257D186570D4900A8EC0A65D9DE4A1619218FD299E290964E2577055E90C10EBB2138B0C7888120F1E
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
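The task XML previewed above (dropped with identical hashes by both BOSSARD_ORDER_4923521.exe and CkVzvA.exe) and the timeline entry "Run new task: CkVzvA path: C:\Users\user\AppData\Roaming\CkVzvA.exe" together describe the persistence mechanism: a logon-triggered task, registered as a least-privilege user task, that runs a copy of the malware from a user-writable directory. The Python below is an added triage example, not code from the report or from Joe Sandbox. Its task XML is constructed from the preview shown above and extended with an <Actions> block that the truncated preview does not include; the Exec command path is assumed from the timeline entry, and the observation time is the report's start time converted to UTC.

```python
"""Triage a Windows Task Scheduler XML definition for persistence indicators.

Added example, not part of the Joe Sandbox report. SAMPLE_TASK_XML is
CONSTRUCTED from the dropped-file preview in the report (logon trigger,
LeastPrivilege principal, 2014 registration date) plus an <Actions> block
the truncated preview does not show; the Exec command is ASSUMED to be the
path the report's timeline gives for the new task.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Report start time (2024-09-26 11:46:09 +02:00) expressed in UTC.
ANALYSIS_TIME = datetime(2024, 9, 26, 9, 46, 9, tzinfo=timezone.utc)

# Constructed sample. Like the dropped file, it declares UTF-16 but is plain ASCII.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\CkVzvA.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Locations a standard user can write to: a task whose action runs from one of
# these needed no admin rights to plant.
USER_WRITABLE_MARKERS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\", "\\users\\public\\",
)


def parse_task(xml_text: str) -> ET.Element:
    """Parse task XML given as text, ignoring its (possibly wrong) encoding declaration."""
    # The declaration claims UTF-16 while the bytes are ASCII; strip it so the
    # parser never tries to honour it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    return ET.fromstring(body)


def _text(root: ET.Element, path: str) -> str:
    el = root.find(path)
    return el.text.strip() if el is not None and el.text else ""


def triage_task(xml_text: str, observed_at: datetime = ANALYSIS_TIME) -> dict:
    """Return persistence indicators for one task definition."""
    root = parse_task(xml_text)
    commands = [c.text.strip() for c in root.iter(f"{NS}Command") if c.text]

    logon_trigger = _text(root, f"{NS}Triggers/{NS}LogonTrigger/{NS}Enabled").lower() == "true"
    user_writable = any(m in cmd.lower() for cmd in commands for m in USER_WRITABLE_MARKERS)

    # Task Scheduler writes an ISO stamp with 7 fractional digits; trim to 6 so
    # datetime.fromisoformat accepts it on every Python 3 version.
    stale = False
    date_text = _text(root, f"{NS}RegistrationInfo/{NS}Date")
    if date_text:
        registered = datetime.fromisoformat(date_text[:26]).replace(tzinfo=timezone.utc)
        # Years between "registered" and first sighting: the XML was supplied
        # ready-made rather than generated by Task Scheduler on this host.
        stale = (observed_at - registered).days > 365

    findings = {
        "commands": commands,
        "logon_trigger": logon_trigger,
        "user_writable_action": user_writable,
        "stale_registration_date": stale,
        "run_level": _text(root, f"{NS}Principals/{NS}Principal/{NS}RunLevel"),
    }
    findings["indicator_count"] = sum(
        findings[k] for k in ("logon_trigger", "user_writable_action", "stale_registration_date")
    )
    return findings


if __name__ == "__main__":
    for key, value in triage_task(SAMPLE_TASK_XML).items():
        print(f"{key}: {value}")
```

Two details worth noting when running this against real dropped files. The XML declares encoding="UTF-16" but the report identifies the file as ASCII; feeding the raw bytes to an XML parser fails on that mismatch, which is why the example strips the declaration and parses text. And a RegistrationInfo date a decade older than the task's first appearance (2014 here, against a 2024 analysis) is itself an indicator: Task Scheduler stamps the registration time when it creates a task, so an old fixed date means the definition was carried in by the dropper.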
                                          Process:C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):873472
                                          Entropy (8bit):7.376673811007661
                                          Encrypted:false
                                          SSDEEP:12288:27auaN1gTyQcG+yDXEdKemm6EIJtZcIuE4VGnYZzHmPKuDVFSrdtTJHlgrdm4Vzu:27sQclMXk6OVGn2zGS6VAd
                                          MD5:A9EA323EA2DE4868ACFB99B7959B54B6
                                          SHA1:B66217DB6FFDA157A9252611F6B1D528F76F0420
                                          SHA-256:E17765CD72F6B95C8167F428ED734688D3B545C45C23E07407361E8979B49167
                                          SHA-512:EFF66D932BA7D246B20FE71DA264ECBABB430D27BEC97BBE258F0B4CA6A43843426F5251579B444AE5FD02FBCF8D9EE8CB9030C7E7C20727BB36E813E1B3117F
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 32%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@.................................;...O.......@...............h4..............p............................................ ............... ..H............text........ ...................... ..`.rsrc...@...........................@..@.reloc...............R..............@..B................o.......H........]...3......#.......E............................................{....*"..}....*....0..f...........3...%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%..r...p.}.....(.....*...0.._........s....}.....s....}......}.....(.......(......{....(.......{....(......{....(.......{....(.....*..0............{....r...po.......o.....+d..(.......{......3...%..oB....%.r...p.%..oF......(.....%.r...p.%..oD......(.....%.(.....(....o........(....-...........o ...
                                          Process:C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.376673811007661
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:BOSSARD_ORDER_4923521.exe
                                          File size:873'472 bytes
                                          MD5:a9ea323ea2de4868acfb99b7959b54b6
                                          SHA1:b66217db6ffda157a9252611f6b1d528f76f0420
                                          SHA256:e17765cd72f6b95c8167f428ed734688d3b545c45c23e07407361e8979b49167
                                          SHA512:eff66d932ba7d246b20fe71da264ecbabb430d27bec97bbe258f0b4ca6a43843426f5251579b444ae5fd02fbcf8d9ee8cb9030c7e7c20727bb36e813e1b3117f
                                          SSDEEP:12288:27auaN1gTyQcG+yDXEdKemm6EIJtZcIuE4VGnYZzHmPKuDVFSrdtTJHlgrdm4Vzu:27sQclMXk6OVGn2zGS6VAd
                                          TLSH:7905F182E514A622ED56A7B45A32C93403227EED7930D52E6EF97CDB3FBE7D20005213
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................
                                          Icon Hash:c5949296969e8473
                                          Entrypoint:0x49ed8e
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0xA209C897 [Wed Feb 23 16:49:27 2056 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Signature Valid:
                                          Signature Issuer:
                                          Signature Validation Error:
                                          Error Number:
                                          Not Before, Not After
                                            Subject Chain
                                              Version:
                                              Thumbprint MD5:
                                              Thumbprint SHA-1:
                                              Thumbprint SHA-256:
                                              Serial:
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              Name | Virtual Address | Virtual Size | Is in Section
                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9ed3b | 0x4f | .text
                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa0000 | 0x38140 | .rsrc
                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x9d800 | 0x3468 |
                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xda000 | 0xc | .reloc
                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9d6d8 | 0x70 | .text
                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                              .text | 0x2000 | 0x9cd94 | 0x9ce00 | c3be370bc274fa525843bd31968055a1 | False | 0.9377163222111554 | data | 7.866071059583154 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                              .rsrc | 0xa0000 | 0x38140 | 0x38200 | 3f3a641b8034071c5191a6919350dfe6 | False | 0.3080413070712695 | data | 5.206507587630557 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                              .reloc | 0xda000 | 0xc | 0x200 | 91f06036304ee13148f9959bfb96978a | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                              RT_ICON | 0xa0460 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.38353658536585367
                                              RT_ICON | 0xa0ac8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.48655913978494625
                                              RT_ICON | 0xa0db0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.5286885245901639
                                              RT_ICON | 0xa0f98 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.5878378378378378
                                              RT_ICON | 0xa10c0 | 0x6739 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9933017975402081
                                              RT_ICON | 0xa77fc | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.5578358208955224
                                              RT_ICON | 0xa86a4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.6367328519855595
                                              RT_ICON | 0xa8f4c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.6497695852534562
                                              RT_ICON | 0xa9614 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.47760115606936415
                                              RT_ICON | 0xa9b7c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.125
                                              RT_ICON | 0xba3a4 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.21113622030691612
                                              RT_ICON | 0xc384c | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | | | 0.21157894736842106
                                              RT_ICON | 0xca034 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.24269870609981517
                                              RT_ICON | 0xcf4bc | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.22325224374114314
                                              RT_ICON | 0xd36e4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.3196058091286307
                                              RT_ICON | 0xd5c8c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.3642120075046904
                                              RT_ICON | 0xd6d34 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.5086065573770492
                                              RT_ICON | 0xd76bc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.5735815602836879
                                              RT_GROUP_ICON | 0xd7b24 | 0x102 | data | | | 0.5697674418604651
                                              RT_VERSION | 0xd7c28 | 0x32c | data | | | 0.4273399014778325
                                              RT_MANIFEST | 0xd7f54 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                              DLL | Import
                                              mscoree.dll | _CorExeMain
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Sep 26, 2024 11:47:06.220204115 CEST | 49733 | 25 | 192.168.2.4 | 46.175.148.58
                                              Sep 26, 2024 11:47:07.385039091 CEST | 49733 | 25 | 192.168.2.4 | 46.175.148.58
                                              Sep 26, 2024 11:47:09.393054008 CEST | 49733 | 25 | 192.168.2.4 | 46.175.148.58
                                              Sep 26, 2024 11:47:10.484371901 CEST | 49736 | 25 | 192.168.2.4 | 46.175.148.58
                                              Sep 26, 2024 11:47:11.497778893 CEST | 49736 | 25 | 192.168.2.4 | 46.175.148.58
                                              Sep 26, 2024 11:47:13.393122911 CEST | 49733 | 25 | 192.168.2.4 | 46.175.148.58
                                              Sep 26, 2024 11:47:13.596170902 CEST | 49736 | 25 | 192.168.2.4 | 46.175.148.58
                                              Sep 26, 2024 11:47:17.596160889 CEST | 49736 | 25 | 192.168.2.4 | 46.175.148.58
                                              Sep 26, 2024 11:47:21.393035889 CEST | 49733 | 25 | 192.168.2.4 | 46.175.148.58
                                              Sep 26, 2024 11:47:25.611836910 CEST | 49736 | 25 | 192.168.2.4 | 46.175.148.58
                                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                              Sep 26, 2024 11:47:05.766307116 CEST | 51951 | 53 | 192.168.2.4 | 1.1.1.1
                                              Sep 26, 2024 11:47:05.934362888 CEST | 53 | 51951 | 1.1.1.1 | 192.168.2.4
                                              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                              Sep 26, 2024 11:47:05.766307116 CEST | 192.168.2.4 | 1.1.1.1 | 0x74be | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
                                              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                              Sep 26, 2024 11:47:05.934362888 CEST | 1.1.1.1 | 192.168.2.4 | 0x74be | No error (0) | mail.iaa-airferight.com | | 46.175.148.58 | A (IP address) | IN (0x0001) | false


                                              Target ID:0
                                              Start time:05:46:59
                                              Start date:26/09/2024
                                              Path:C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe"
                                              Imagebase:0x940000
                                              File size:873'472 bytes
                                              MD5 hash:A9EA323EA2DE4868ACFB99B7959B54B6
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1724979279.0000000003D29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1724979279.0000000003D29000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:2
                                              Start time:05:47:01
                                              Start date:26/09/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe"
                                              Imagebase:0x800000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:3
                                              Start time:05:47:01
                                              Start date:26/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:05:47:01
                                              Start date:26/09/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\CkVzvA.exe"
                                              Imagebase:0x800000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:05:47:01
                                              Start date:26/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:05:47:02
                                              Start date:26/09/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp64C0.tmp"
                                              Imagebase:0x770000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:05:47:02
                                              Start date:26/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:05:47:02
                                              Start date:26/09/2024
                                              Path:C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\BOSSARD_ORDER_4923521.exe"
                                              Imagebase:0x7ff7699e0000
                                              File size:873'472 bytes
                                              MD5 hash:A9EA323EA2DE4868ACFB99B7959B54B6
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2916549567.0000000002B7E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2912731371.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2912731371.000000000042D000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2916549567.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2916549567.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false

                                              Target ID:9
                                              Start time:05:47:03
                                              Start date:26/09/2024
                                              Path:C:\Users\user\AppData\Roaming\CkVzvA.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\CkVzvA.exe
                                              Imagebase:0x510000
                                              File size:873'472 bytes
                                              MD5 hash:A9EA323EA2DE4868ACFB99B7959B54B6
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 32%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:10
                                              Start time:05:47:05
                                              Start date:26/09/2024
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0x7ff693ab0000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:05:47:07
                                              Start date:26/09/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CkVzvA" /XML "C:\Users\user\AppData\Local\Temp\tmp7BE1.tmp"
                                              Imagebase:0x770000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:12
                                              Start time:05:47:08
                                              Start date:26/09/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff7699e0000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:13
                                              Start time:05:47:08
                                              Start date:26/09/2024
                                              Path:C:\Users\user\AppData\Roaming\CkVzvA.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\AppData\Roaming\CkVzvA.exe"
                                              Imagebase:0xbb0000
                                              File size:873'472 bytes
                                              MD5 hash:A9EA323EA2DE4868ACFB99B7959B54B6
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2917730355.00000000030CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2917730355.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2917730355.0000000003081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:false


                                                Execution Graph

                                                Execution Coverage:8.9%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:45
                                                Total number of Limit Nodes:5
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1737943415.000000000AC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AC00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ac00000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 02B7B2FE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1714889685.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2b70000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 02B759C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1714889685.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2b70000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 02B759C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1714889685.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2b70000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B7D54E,?,?,?,?,?), ref: 02B7D60F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1714889685.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2b70000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02B7D54E,?,?,?,?,?), ref: 02B7D60F
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1714889685.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2b70000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 02B7B2FE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1714889685.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2b70000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0

                                                Control-flow Graph

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 0AC02EDD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1737943415.000000000AC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AC00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ac00000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0

                                                Control-flow Graph

                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 0AC02EDD
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1737943415.000000000AC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AC00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ac00000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1710114574.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_11dd000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711330643.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_11fd000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1711330643.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_11fd000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1710114574.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_11dd000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1710114574.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_11dd000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1710114574.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_11dd000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1737943415.000000000AC00000.00000040.00000800.00020000.00000000.sdmp, Offset: 0AC00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_ac00000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.1714889685.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_2b70000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:

                                                Execution Graph

                                                Execution Coverage:10.8%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:3
                                                Total number of Limit Nodes:0
                                                execution_graph 26925 608e280 26926 608e2c6 GlobalMemoryStatusEx 26925->26926 26927 608e2f6 26926->26927
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a259b613b2947c61d7d5b04c12015b49985002608d8d84aee2163ce3955e2829
                                                • Instruction ID: f11ab5e59fc4aaec8ee4ddbeb1e82f33d2c4ab7a0f5c90de26089702089ef09b
                                                • Opcode Fuzzy Hash: a259b613b2947c61d7d5b04c12015b49985002608d8d84aee2163ce3955e2829
                                                • Instruction Fuzzy Hash: 2D53F831C10B1A8ADB15EF68C8806A9F7B1FF99300F55D79AE45877125FB70AAC4CB81
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e002ec719b8ed4f834950f8097d7203c378906ffd7c84f376a1ba5117bc5aaa3
                                                • Instruction ID: e3f840c4ef80ae5de8c3f479e10271dea0078780936971e4ea8cac4799fc3a1b
                                                • Opcode Fuzzy Hash: e002ec719b8ed4f834950f8097d7203c378906ffd7c84f376a1ba5117bc5aaa3
                                                • Instruction Fuzzy Hash: E4332F31D10B198ECB15EF68C8906ADF7B5FF99300F14D69AE448A7225EB70EAC5CB41
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 21f7bc8d2d271f30ee9eb184feecbc57e53eee71eb15e47b1e584272e5db3a84
                                                • Instruction ID: 90a25fd420816166d374363f2237f48d98aa9347d06b757dcf4d2e5102a6279e
                                                • Opcode Fuzzy Hash: 21f7bc8d2d271f30ee9eb184feecbc57e53eee71eb15e47b1e584272e5db3a84
                                                • Instruction Fuzzy Hash: 85B16E70E0020ACFDB10DFA8C9817DDBBF6AF88314F189529D815EB254EB749845CF91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 782b2795f2fd9934742600836e6c1e8a2f1c0deb816891fe8a88cd551059622d
                                                • Instruction ID: d5101f51d6bfc22ecad159e53ac3f91c8e7bb89f4ca8eb97c318e60cab5e9fb2
                                                • Opcode Fuzzy Hash: 782b2795f2fd9934742600836e6c1e8a2f1c0deb816891fe8a88cd551059622d
                                                • Instruction Fuzzy Hash: BD917C70E0020ACFDF10DFA8C9857AEBBF6AF98714F189529E415EB254EB749845CF81

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2271 2986ed8-2986f42 call 2986c40 2280 2986f5e-2986f8c 2271->2280 2281 2986f44-2986f5d call 2986764 2271->2281 2286 2986f8e-2986f91 2280->2286 2288 2986fcd-2986fd0 2286->2288 2289 2986f93-2986fc8 2286->2289 2290 2986fe0-2986fe3 2288->2290 2291 2986fd2 2288->2291 2289->2288 2292 2986fe5-2986ff9 2290->2292 2293 2987016-2987019 2290->2293 2315 2986fd2 call 2987908 2291->2315 2316 2986fd2 call 29880f1 2291->2316 2303 2986ffb-2986ffd 2292->2303 2304 2986fff 2292->2304 2295 298701b-2987022 2293->2295 2296 298702d-298702f 2293->2296 2294 2986fd8-2986fdb 2294->2290 2297 2987028 2295->2297 2298 29870eb-29870f1 2295->2298 2299 2987031 2296->2299 2300 2987036-2987039 2296->2300 2297->2296 2299->2300 2300->2286 2302 298703f-298704e 2300->2302 2307 2987078-298708e 2302->2307 2308 2987050-2987053 2302->2308 2305 2987002-2987011 2303->2305 2304->2305 2305->2293 2307->2298 2311 298705b-2987076 2308->2311 2311->2307 2311->2308 2315->2294 2316->2294
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LRkq$LRkq
                                                • API String ID: 0-2882777380
                                                • Opcode ID: 9009ff4cfc6e8a76b5362d3ff1f9641b0ea73f625e409c5c4ba3a6060d739700
                                                • Instruction ID: 55b412748004b7c6ee245edbbb3d7af370797909672f19ee8acbc513beb39da1
                                                • Opcode Fuzzy Hash: 9009ff4cfc6e8a76b5362d3ff1f9641b0ea73f625e409c5c4ba3a6060d739700
                                                • Instruction Fuzzy Hash: 6751A135A002159FDB25EFA8C5507AEBBBAEF8A300F248469E405EB394DB75DC41CB91

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2929 608e280-608e2f4 GlobalMemoryStatusEx 2931 608e2fd-608e325 2929->2931 2932 608e2f6-608e2fc 2929->2932 2932->2931
                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE ref: 0608E2E7
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2927063848.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6080000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: 0e41d0688db9ff8ff403e4e3aaa9666ee6ade1819b34d95aacce082c5174ea55
                                                • Instruction ID: 879a83bb799708af2f90eb26f48d927f407c6eab09c9807ffa79f223f1826818
                                                • Opcode Fuzzy Hash: 0e41d0688db9ff8ff403e4e3aaa9666ee6ade1819b34d95aacce082c5174ea55
                                                • Instruction Fuzzy Hash: D2111FB1C0026A9FCB10DF9AC444BDEFBF4BB48320F10816AE858A7241D778A940CFA5

                                                Control-flow Graph

                                                • Executed
                                                • Not Executed
                                                control_flow_graph 2935 608e27f-608e2be 2936 608e2c6-608e2f4 GlobalMemoryStatusEx 2935->2936 2937 608e2fd-608e325 2936->2937 2938 608e2f6-608e2fc 2936->2938 2938->2937
                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE ref: 0608E2E7
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2927063848.0000000006080000.00000040.00000800.00020000.00000000.sdmp, Offset: 06080000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_6080000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: 0052705bc64263c4dd386a0d93fe27c88f55e3bcf77c98a6bdce90c4ca49977d
                                                • Instruction ID: 8039c65dc49ca19da91ae89ad79790a2d06d505f4780ec71c0320ca07f919cfa
                                                • Opcode Fuzzy Hash: 0052705bc64263c4dd386a0d93fe27c88f55e3bcf77c98a6bdce90c4ca49977d
                                                • Instruction Fuzzy Hash: 92110DB2C0026A9BCB10DF9AC544B9EFBB4AB08320F14816AD858A7241D378A940CFA5
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHkq
                                                • API String ID: 0-902561536
                                                • Opcode ID: c9e22994512f3fcce6b06c98a5d27f2496b2a50ca1e413e2a07eac3fc25b2482
                                                • Instruction ID: 87c6fc4ef6f7af5ebd8f8635a73b19fcc284c7672fd667cced516268b961ad9d
                                                • Opcode Fuzzy Hash: c9e22994512f3fcce6b06c98a5d27f2496b2a50ca1e413e2a07eac3fc25b2482
                                                • Instruction Fuzzy Hash: 2441FF30B002008FCB16BB34D65466E7BEAAFCA340F685469D406EB799DF39CC46CB91
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LRkq
                                                • API String ID: 0-1052062081
                                                • Opcode ID: 51088b711197188e204c8670255a2fb9c88bcdb2dfd2136b4691a02801dc0c5f
                                                • Instruction ID: 4ecc9ec2576db75d2469586baca0b0f3c7379ab01950e42bebf93fa2d92bf2f7
                                                • Opcode Fuzzy Hash: 51088b711197188e204c8670255a2fb9c88bcdb2dfd2136b4691a02801dc0c5f
                                                • Instruction Fuzzy Hash: E7316F35E102199BDB25DFA4D5407EEF7B9FF89300F248525E406EB290EB71D941CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LRkq
                                                • API String ID: 0-1052062081
                                                • Opcode ID: c0ca30c30b1cb6ef252e400dc2605b5dcbe13b6982233103854a4a9120062404
                                                • Instruction ID: 86564f09b3cda31ab6b07977edfcf04e482682d967bd2c6e16ec69feea77e44a
                                                • Opcode Fuzzy Hash: c0ca30c30b1cb6ef252e400dc2605b5dcbe13b6982233103854a4a9120062404
                                                • Instruction Fuzzy Hash: 4221DE357042505FC716BB7D94502AE7BA7EF8A344B1485EAD006CF7AAEF319C068B91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 028c3f81d26b5379f3c7629afd74cc2882ecbba16bb81dde61a17749e279cdb3
                                                • Instruction ID: 9acb8f66e9bc2e4ebf432ae7786505c4ee343fe71c0d167992feb09de0831d0b
                                                • Opcode Fuzzy Hash: 028c3f81d26b5379f3c7629afd74cc2882ecbba16bb81dde61a17749e279cdb3
                                                • Instruction Fuzzy Hash: AA127038B00205DFDB15AB78E68426CB6A7EB89304B648979E406CB355CF75DC86CF85
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4155f4613c407d95e49bb866e90f8cb004a7d167d15e0e78c005988ec5f768e
                                                • Instruction ID: 85a8b19450daf8f1005e0e3201d7f7c5ec3a7c1ba035aa9ac58c0c79c9871cc7
                                                • Opcode Fuzzy Hash: b4155f4613c407d95e49bb866e90f8cb004a7d167d15e0e78c005988ec5f768e
                                                • Instruction Fuzzy Hash: B5E14135B002158FEB14EF69D694A7EBBB6EF89314F244469E406DB3A4DB35DC81CB40
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f483ac0e23a02a735156a11afa095757776b44e3dd5a431c3a7c5ddcc980c433
                                                • Instruction ID: f152620e1468c20b863d20637ed2cb579b55010f7a590f87d7b7ba910eec3696
                                                • Opcode Fuzzy Hash: f483ac0e23a02a735156a11afa095757776b44e3dd5a431c3a7c5ddcc980c433
                                                • Instruction Fuzzy Hash: CCC1BE75A002058FEB14EFA9D9807AEB7B6FF88314F24856AE509EB395D730DC41CB80
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 993ac7427a308f004b25988ba507a8a6e9e094fb33325253baf242c6c107f2a6
                                                • Instruction ID: 95989508d23727f10a992ef27871a13565b8178b1f8b303e9a1a592ee365c48e
                                                • Opcode Fuzzy Hash: 993ac7427a308f004b25988ba507a8a6e9e094fb33325253baf242c6c107f2a6
                                                • Instruction Fuzzy Hash: 18A16C70E0020ACFDB10DFA8D9857DDBBF6AF48318F189529D819EB254EB749885CF91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 37d2cbbe6cf289a345b3518839cb464898b333fc09d0e7a22012defa61f27dfe
                                                • Instruction ID: 95e429bc1c662d71c5d13341ba515d278d686fd0e3dc0e6c42dae13aa49fd1bb
                                                • Opcode Fuzzy Hash: 37d2cbbe6cf289a345b3518839cb464898b333fc09d0e7a22012defa61f27dfe
                                                • Instruction Fuzzy Hash: C6A17D70E0020ADFDB10EFA8C9857EEBBF6AF58718F189129E415E7254EB749845CF81
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2a8d42bfd1073d7318225b650e855f6fb8afd5c5a9fd031a22a8dcb0bc412d91
                                                • Instruction ID: d69a89cda521e52d89c44f506011c0af3f8ddad36fdd5a3cd3c8ae0d933dc849
                                                • Opcode Fuzzy Hash: 2a8d42bfd1073d7318225b650e855f6fb8afd5c5a9fd031a22a8dcb0bc412d91
                                                • Instruction Fuzzy Hash: 07512471D002288FDB14DFA9C885B9EBBF9BF48304F188529E819AB365D774A844CF94
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae6e468867239267fc3c1013b9ead61314dcb35406ec45ede14db7906c42fb10
                                                • Instruction ID: f0e4c3d9782df1737ded7c70ca3f7b717b723d5d9bba81d90810881953e45779
                                                • Opcode Fuzzy Hash: ae6e468867239267fc3c1013b9ead61314dcb35406ec45ede14db7906c42fb10
                                                • Instruction Fuzzy Hash: 60511371D002188FDB14DFA9C884B9EBBF9BF48314F188529E819BB355D774A844CF94
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6226c7e0e7e39ccfa05e93fcc50af902b8da1342548343180fec4ba648dbc356
                                                • Instruction ID: ee885503f9c78132d4b3edb064dd4993042ea691da287857e3962e60fded1529
                                                • Opcode Fuzzy Hash: 6226c7e0e7e39ccfa05e93fcc50af902b8da1342548343180fec4ba648dbc356
                                                • Instruction Fuzzy Hash: D65111357811558FCB06FB28FB8095E7FA5FB923093048969D2044FB7EDB306A89CB41
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fab9e2cce635f12014b33126048a76eff7dba12746de38dc9b4508f1a8c030cd
                                                • Instruction ID: 728400618fb7ce4c21c7c713f5f057dd019c74827bee7b80e28892269ebf00d9
                                                • Opcode Fuzzy Hash: fab9e2cce635f12014b33126048a76eff7dba12746de38dc9b4508f1a8c030cd
                                                • Instruction Fuzzy Hash: B651EF357811658FCB06FB28FB8095E7BA5FB9230D3058969D2044FB7DDB306A89CB91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b4f9ba620b961da34470e3920cea726c86d7c21a09bacc278e1294f296146d86
                                                • Instruction ID: 8bb191872e25f847c3c0575ae109002f6492f7b638275e3549c2416773031f7a
                                                • Opcode Fuzzy Hash: b4f9ba620b961da34470e3920cea726c86d7c21a09bacc278e1294f296146d86
                                                • Instruction Fuzzy Hash: 98319034E106058BDB14DFA4D6556AEB7F6FF89300F548929E816E7B94EB70EC42CB80
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dd166649aab7d0a19c02020da447645a8a5975cb6039198cb0b237a4c4e0b971
                                                • Instruction ID: 66ef6df0f805576e083f0630cd203f4230c0ab0972c690258b801919fc072eae
                                                • Opcode Fuzzy Hash: dd166649aab7d0a19c02020da447645a8a5975cb6039198cb0b237a4c4e0b971
                                                • Instruction Fuzzy Hash: 9541DFB0D00389DFDB10DFA9C584A9EBFF5FF48314F14842AE819AB264DB75A945CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 70441f9f4dcdb1d7eee244f3b77d23996450b94e2c88bd21c80d4e734313cce9
                                                • Instruction ID: f735fd66f5e17f34b3a2aa564b67a9eea570eeafd75d2b54deb21e8bf8e1239d
                                                • Opcode Fuzzy Hash: 70441f9f4dcdb1d7eee244f3b77d23996450b94e2c88bd21c80d4e734313cce9
                                                • Instruction Fuzzy Hash: 0D319234E102099BDF14DFA4D554A9EB7B6FF89300F548929E816E7B94EB70EC42CB80
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 852cb1834771dd0e2448f5eb98dc4088094e4c56406ffa88dd77fe3458a56861
                                                • Instruction ID: 05272eb8db55e8689e61bc6e63e01e9ee41969755c10780e41c10e803c0ea3d7
                                                • Opcode Fuzzy Hash: 852cb1834771dd0e2448f5eb98dc4088094e4c56406ffa88dd77fe3458a56861
                                                • Instruction Fuzzy Hash: 4741CEB0D00349DFDB10DFA9C584A9EBFF5FF48314F14842AE819AB254DB75A945CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 491db2aef24567d835241b2bf72772b30e97c23cd25625a082c0ae538c0cade8
                                                • Instruction ID: 5b421ea9431fc0b6000427843732c18134359f833f03a7c2b8c699fd7c3f8271
                                                • Opcode Fuzzy Hash: 491db2aef24567d835241b2bf72772b30e97c23cd25625a082c0ae538c0cade8
                                                • Instruction Fuzzy Hash: 643107346001514FDF12FB38EA8875E3BA9EF41308F190A69D04ECB76ED728D886CB91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4cdc46782c05c25468dc3fb33b5cf08d86c41ce440d8e23b3594d0244b7a0655
                                                • Instruction ID: b932f97361e6d9010f9e2e0fa0da109e03d17034d4c0d13ca00f08fbc499eea0
                                                • Opcode Fuzzy Hash: 4cdc46782c05c25468dc3fb33b5cf08d86c41ce440d8e23b3594d0244b7a0655
                                                • Instruction Fuzzy Hash: 9931A075E002098BEF05DFA4DA807AEB7B6FF89300F14852AE805EB354EB709846CB40
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e4d39d3b6b0c16bc268be565e873a2db597e72455aec8fcccd71ba592b117ab7
                                                • Instruction ID: 5b0caa378862e27cc2003b4eb3de9f715f273182a35ecf8ae155831451f43c98
                                                • Opcode Fuzzy Hash: e4d39d3b6b0c16bc268be565e873a2db597e72455aec8fcccd71ba592b117ab7
                                                • Instruction Fuzzy Hash: 52217135E1020A9BDF15DFA5D9806AEF7B6FF89300F14852AE805EB354DB719881CB91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: daaea7b40e99a908d096ae341e773cde42aac85fd9325ba5a638b9513247a1a8
                                                • Instruction ID: 53bcf339a7b23fe62eb970265f0c302908f98baec8f74b840b06312ffc27a32c
                                                • Opcode Fuzzy Hash: daaea7b40e99a908d096ae341e773cde42aac85fd9325ba5a638b9513247a1a8
                                                • Instruction Fuzzy Hash: CA21CF75F006118FDF21AB79E98479E7BE9EB88264F140925E50AC7359EB24C9428B81
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8da2dd4ec2e80c43b3393cfb135a26f879ad163818ca566fcd2fc4d8670026be
                                                • Instruction ID: 60d382b905030d350876999aecbb00aa45eb80d9eaaf2dc1635dc83363ce006d
                                                • Opcode Fuzzy Hash: 8da2dd4ec2e80c43b3393cfb135a26f879ad163818ca566fcd2fc4d8670026be
                                                • Instruction Fuzzy Hash: 5521C331A012508FCF21BBB894503AE7BF5EF85359F18087AD84ED7305D735C9428B95
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 35f7ceb62e1313d7bb3fd76fa6e5730738314a885315d4678924d9dea451f956
                                                • Instruction ID: 026ff798e6627fc33f67e7e13c7469905d01f3a79d37e1603f2c5ca4ecdb145e
                                                • Opcode Fuzzy Hash: 35f7ceb62e1313d7bb3fd76fa6e5730738314a885315d4678924d9dea451f956
                                                • Instruction Fuzzy Hash: 6821A730E042058BDF18DFA4D554AEEF7B2AF85300F14852AE816FB350DB709946CB51
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d3422ddad78c83894a042683447aeeecb9aa68a1249a8b62961cd1e700612a87
                                                • Instruction ID: a4c6f2d43b00668e9c62e0c903c66b525dd8d46c0b059d5bc94cd2b6f543e4dc
                                                • Opcode Fuzzy Hash: d3422ddad78c83894a042683447aeeecb9aa68a1249a8b62961cd1e700612a87
                                                • Instruction Fuzzy Hash: 0221D274B002008FDF367678E498B6E3B69EB02355F18086AE50ECB7D4D729C982CB42
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915237770.00000000028FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028FD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_28fd000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: cbf4dbb13d86293306f31bc1278b26849e43c06cebf259e1467018c0e168998d
                                                • Instruction ID: eb0c93a2e4006fd325f20f99e828f5a24e485570daa46e9bdc9e91bc9f60ab45
                                                • Opcode Fuzzy Hash: cbf4dbb13d86293306f31bc1278b26849e43c06cebf259e1467018c0e168998d
                                                • Instruction Fuzzy Hash: BF21F27D604204DFDB54DF14D984B26BBA5EBC4318F20C569EB0A8B756C33AD447CA61
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1cd780959fa8e38f4b3da836acfbb482f2f4fec6c4c69c61191ec69d616200f3
                                                • Instruction ID: 7c7df1f0ec6d48a3ca45c1c8dcf30fb119503058e4ec686a767da88424ba4881
                                                • Opcode Fuzzy Hash: 1cd780959fa8e38f4b3da836acfbb482f2f4fec6c4c69c61191ec69d616200f3
                                                • Instruction Fuzzy Hash: 5D215C30A40259CFDB14EF78D598BAD7BF2AF89308B1504A8D406EB365DB369D05CB90
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6ada6cfc6bfb50acf5b61ab4696bddcfd04a240625824de6a2d73511624fded8
                                                • Instruction ID: 6261df2f4b6871fd51bf11946e17cbd7254c4cc75a43f8f6be4e00bf1b1f50fc
                                                • Opcode Fuzzy Hash: 6ada6cfc6bfb50acf5b61ab4696bddcfd04a240625824de6a2d73511624fded8
                                                • Instruction Fuzzy Hash: 0E218030E0420A9BDB18DFA4D944AAEF7B6AF89300F14892AE816F7350DB70A845CB51
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b633b98e7ffb08519867bd8078c545a45149c4feb3cb2a14838c64a68eaa6c2c
                                                • Instruction ID: 99e506c4575d2179e11edef1e5a3ce77d877bebca2dce06322175ccef9fbfe3f
                                                • Opcode Fuzzy Hash: b633b98e7ffb08519867bd8078c545a45149c4feb3cb2a14838c64a68eaa6c2c
                                                • Instruction Fuzzy Hash: 0D213C30B002158FDB14FB68D5547AE77F6AB89344F240868D40AEB3A4DF369D42CBA1
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1f1c9b6aafae15eb0d5f673dc7c76fe3661f27b2e59d95bdadd7c2bc0fb13344
                                                • Instruction ID: 3c18c542b8cd58bbe7dc36a217e5192741518b2142fe40d57311d3cbbb097a6b
                                                • Opcode Fuzzy Hash: 1f1c9b6aafae15eb0d5f673dc7c76fe3661f27b2e59d95bdadd7c2bc0fb13344
                                                • Instruction Fuzzy Hash: FC2172386401114FDF22FB28EA84B5E77A9EB45319F154A35D00ECB76DDB38D8868B91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f3099452c221d63bd1858d5252fd3451210bd0a92d8f8b3ed325dc7158eea17d
                                                • Instruction ID: 7ec89f6e5fd982262b61baf70efbdd2b1c59452ed2ec0f0348701ccbfc76b833
                                                • Opcode Fuzzy Hash: f3099452c221d63bd1858d5252fd3451210bd0a92d8f8b3ed325dc7158eea17d
                                                • Instruction Fuzzy Hash: 29215930B00215CFDB14FB74D5547AE77F6AB89348F280868D40AEB3A4DB369D42CBA1
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fd9d1626f1db425069c3e5702046947a6bcf5f206a3cd50105085d31a18ee016
                                                • Instruction ID: 6e9a8745b88abbefc8dce2b8536efd888a0f4a9df63d4c26c605f39a46d54acb
                                                • Opcode Fuzzy Hash: fd9d1626f1db425069c3e5702046947a6bcf5f206a3cd50105085d31a18ee016
                                                • Instruction Fuzzy Hash: E021E934A40219CFDB14EF78D598BAE77F5AF89304B154868E406EB3A4DB369D04CB91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3b31e49cdd30d21f7f22e88e594b8f3ea19935f83fb8d06fc87e902a525765b9
                                                • Instruction ID: 90966d9c576627ff9c338eae4b1fe09a16e20ea6d39a1cf16ca946720d2c990f
                                                • Opcode Fuzzy Hash: 3b31e49cdd30d21f7f22e88e594b8f3ea19935f83fb8d06fc87e902a525765b9
                                                • Instruction Fuzzy Hash: D121A234A10209DFDF11EF78EA4469EBBB2FF85304F1046B9D405DB2A9EB31D9858B91
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 53330e7d2288aae5bf9c4904f4d00b342a1c5f521ac529a0e279fc249f0ee72f
                                                • Instruction ID: f467478a5deb238a23ac038b1394b39708de77b7bfdb01b5ded90da3fa1b1338
                                                • Opcode Fuzzy Hash: 53330e7d2288aae5bf9c4904f4d00b342a1c5f521ac529a0e279fc249f0ee72f
                                                • Instruction Fuzzy Hash: 6711C230B012149FEF217A78C55436F77A9EB42314F198A79D406DF286DB66CCC98BD2
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 2e6aa8f6114b358045db8a55d707cf8924994b36e61519cf92ed871670b1456c
                                                • Instruction ID: 207e44bca61d477e679ffb5bcc7d247a69ba63a3aece6a739b017e8cb7ea95a3
                                                • Opcode Fuzzy Hash: 2e6aa8f6114b358045db8a55d707cf8924994b36e61519cf92ed871670b1456c
                                                • Instruction Fuzzy Hash: A811A034B012149FEF24BA78C54472F7299EB85314F294A79D006DB355DB66CCC98BC1
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915237770.00000000028FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028FD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_28fd000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3088c0ec5e7e9046fbc3d1eb5a71f5d8d818eeabbcf8559fea00e8da29ec0afa
                                                • Instruction ID: 7f68b75aadebd1a14f666e8736424b13323ecae420a95bc24d880b4b4c4fa850
                                                • Opcode Fuzzy Hash: 3088c0ec5e7e9046fbc3d1eb5a71f5d8d818eeabbcf8559fea00e8da29ec0afa
                                                • Instruction Fuzzy Hash: 4D21A4795093C08FCB02CF24D594715BF71EB86214F28C5EAD949CF6A7C33A940ACB62
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 15ecf49fa05369b2eda6845ac28687528ea7499f6f9cd169b03709ad21f28938
                                                • Instruction ID: b3e803ed41142b3e70f82b192c8fe96ec537ba8ef9ab6d28831f92c7cb77c4f7
                                                • Opcode Fuzzy Hash: 15ecf49fa05369b2eda6845ac28687528ea7499f6f9cd169b03709ad21f28938
                                                • Instruction Fuzzy Hash: D6014031A016149FCB25FFB994502AE7BFAEF88211F18447AD80AE7301E735D8428B95
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b96b12a876cc4a43a853722b1a1dd6650eafe93b9f40676f4ab7fdde3feb4f4f
                                                • Instruction ID: 5239ffbad1a7af59b832bc780a4f80e920c1b3bf35c697b453301b558799c2da
                                                • Opcode Fuzzy Hash: b96b12a876cc4a43a853722b1a1dd6650eafe93b9f40676f4ab7fdde3feb4f4f
                                                • Instruction Fuzzy Hash: C9F0B477A04150CFDB22ABB498A02ACBFA5FE9522171D40E7D80EDB256D735D843CB51
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 28e817d560e4a8d5cb651f2c588cd721e57d9a8a77d1aa2951e809dba91c6912
                                                • Instruction ID: f1ba1f21716a2e434f35fbad255c753fb962310836d470fc4e83df4a2845066f
                                                • Opcode Fuzzy Hash: 28e817d560e4a8d5cb651f2c588cd721e57d9a8a77d1aa2951e809dba91c6912
                                                • Instruction Fuzzy Hash: 51F0E739B40218CFDB14EB64D698BAC77B2EF88755F1444A8E5069B3B9DF31AD42CB40
                                                Memory Dump Source
                                                • Source File: 00000008.00000002.2915879392.0000000002980000.00000040.00000800.00020000.00000000.sdmp, Offset: 02980000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_8_2_2980000_BOSSARD_ORDER_4923521.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4301d3747dd410d6d8f975577508f6b7946708b5984ec7e70a1de32d0767659d
                                                • Instruction ID: 8658b71bc96a2d27473ff3dcc995e26a629242736a0bc7f6d44ea872df0f68e8
                                                • Opcode Fuzzy Hash: 4301d3747dd410d6d8f975577508f6b7946708b5984ec7e70a1de32d0767659d
                                                • Instruction Fuzzy Hash: 99F0E134A50119EFCF01FFA8FB5199DBBB2EF44704F5046B8C40597268EB31AE488B95

                                                Execution Graph

                                                Execution Coverage:8%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:78
                                                Total number of Limit Nodes:7
                                                execution_graph (rendered graph not reproduced; recoverable call paths): 6e01cd0 -> 6e01f50 PostMessageW; bed01c -> 4e82c08 / 4e81434 -> 4e8155c, 4e82d93, 4e82da0, 4e82e58, 4e8435a CallWindowProcW; f3afb0 -> f3b2e0 GetModuleHandleW; f3d340 -> f3d0b8 / f3d588 DuplicateHandle; f34668 -> f344b4 / f35918 CreateActCtxA

                                                Control-flow Graph

                                                control_flow_graph (rendered graph and Executed / Not Executed colouring not reproduced): function f3b0a8, blocks f3b0a8-f3b328; calls f39b14, f3b331 / f3b340, f3ad10, f3ad20, f3ad30, f3ad40; GetModuleHandleW in block f3b2e0-f3b30b
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00F3B2FE
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1761381383.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_f30000_CkVzvA.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: e0150bba4ffe4a86f5ce4c6cbee5ab331e65a662b1c69bd1fb1f08aef9d2b825
                                                • Instruction ID: 3fcb4c7ad22497bbeeaed5aac7a873de41db3479afa618362c8bdaf64c05924f
                                                • Opcode Fuzzy Hash: e0150bba4ffe4a86f5ce4c6cbee5ab331e65a662b1c69bd1fb1f08aef9d2b825
                                                • Instruction Fuzzy Hash: FA712170A00B058FD724DF2AD46179ABBF1BF88320F008A2AD58AD7B50DB75E945CB91

                                                Control-flow Graph

                                                control_flow_graph (rendered graph and Executed / Not Executed colouring not reproduced): function 4e8155c, blocks 4e8155c-4e843dc; calls 4e81434; CallWindowProcW in block 4e8435a-4e84392
                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 04E84381
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1771433481.0000000004E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_4e80000_CkVzvA.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0
                                                • Opcode ID: b1ff3894aaf049cca24f62c4482b90ab56a87f89b6d96f66d4103000f7fc4680
                                                • Instruction ID: 02bae9235e7722c4933e52fd9c908af9768c1078a255a9b7a523a5b13da06c79
                                                • Opcode Fuzzy Hash: b1ff3894aaf049cca24f62c4482b90ab56a87f89b6d96f66d4103000f7fc4680
                                                • Instruction Fuzzy Hash: 1E4108B4A003099FDB14DF99C448AAEFBF5FB88314F25C459E519AB361D774A841CFA0

                                                Control-flow Graph

                                                control_flow_graph 1350 f3590c-f359d9 CreateActCtxA 1352 f359e2-f35a3c 1350->1352 1353 f359db-f359e1 1350->1353 1360 f35a4b-f35a4f 1352->1360 1361 f35a3e-f35a41 1352->1361 1353->1352 1362 f35a51-f35a5d 1360->1362 1363 f35a60 1360->1363 1361->1360 1362->1363 1365 f35a61 1363->1365 1365->1365
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00F359C9
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1761381383.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_f30000_CkVzvA.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: e7dceeb9e1f217473eb8ce3666bcfbfa560ddbda94e04c881144e9d2ec86c171
                                                • Instruction ID: 1023457140d2a84c99f5dd4c2cbc9511cd28609051c26d736fb8a097b75b6d57
                                                • Opcode Fuzzy Hash: e7dceeb9e1f217473eb8ce3666bcfbfa560ddbda94e04c881144e9d2ec86c171
                                                • Instruction Fuzzy Hash: 9241F3B1C00719CFDF24CFA9C88478EBBB5BF88714F24816AD408AB255DB756946CF90

                                                Control-flow Graph

                                                control_flow_graph 1384 f344b4-f359d9 CreateActCtxA 1387 f359e2-f35a3c 1384->1387 1388 f359db-f359e1 1384->1388 1395 f35a4b-f35a4f 1387->1395 1396 f35a3e-f35a41 1387->1396 1388->1387 1397 f35a51-f35a5d 1395->1397 1398 f35a60 1395->1398 1396->1395 1397->1398 1400 f35a61 1398->1400 1400->1400
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00F359C9
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1761381383.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_f30000_CkVzvA.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 55337d6aa87e8b07df42e5950acb904d40b8da031279c3012559fddf72219a49
                                                • Instruction ID: a71af610f6a667007c0f8c85de5c598393867b4f41eda7023d4728c5dcea9178
                                                • Opcode Fuzzy Hash: 55337d6aa87e8b07df42e5950acb904d40b8da031279c3012559fddf72219a49
                                                • Instruction Fuzzy Hash: 2641F1B1C0061DCBDF24CFA9C884B8EBBB5BF88714F24806AD408AB255DB756946DF90

                                                Control-flow Graph

                                                control_flow_graph 1401 f3d0b8-f3d61c DuplicateHandle 1404 f3d625-f3d642 1401->1404 1405 f3d61e-f3d624 1401->1405 1405->1404
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F3D54E,?,?,?,?,?), ref: 00F3D60F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1761381383.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_f30000_CkVzvA.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: ce7305497a4a4eb935c0a4c550d18783f77917deec53afb3c0ed1bce1bcf1155
                                                • Instruction ID: 6a498e9524b0f73f95b93bef6909f5794e150144b64ec188f018132c78e80342
                                                • Opcode Fuzzy Hash: ce7305497a4a4eb935c0a4c550d18783f77917deec53afb3c0ed1bce1bcf1155
                                                • Instruction Fuzzy Hash: 8821E4B59002589FDB10CF9AD984ADEFFF8EB48324F14841AE918A7311D378A954DFA4

                                                Control-flow Graph

                                                control_flow_graph 1408 f3d581-f3d586 1409 f3d588-f3d58b 1408->1409 1410 f3d58c-f3d61c DuplicateHandle 1408->1410 1409->1410 1411 f3d625-f3d642 1410->1411 1412 f3d61e-f3d624 1410->1412 1412->1411
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F3D54E,?,?,?,?,?), ref: 00F3D60F
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1761381383.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_f30000_CkVzvA.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0
                                                • Opcode ID: 0069e43a19f32bb23d4b65d70264689ee5effb1bd5f5e3af089ffca432f37d8e
                                                • Instruction ID: 1eb4a78edf28428ccaf8715477b39bcbab075fcc90d16868a9958a8de8b79bcc
                                                • Opcode Fuzzy Hash: 0069e43a19f32bb23d4b65d70264689ee5effb1bd5f5e3af089ffca432f37d8e
                                                • Instruction Fuzzy Hash: 1521E4B5D002189FDB10CF9AD984AEEFFF8EB48324F14841AE918A7311D374A954DFA5

                                                Control-flow Graph

                                                control_flow_graph 1415 f3b298-f3b2d8 1417 f3b2e0-f3b30b GetModuleHandleW 1415->1417 1418 f3b2da-f3b2dd 1415->1418 1419 f3b314-f3b328 1417->1419 1420 f3b30d-f3b313 1417->1420 1418->1417 1420->1419
                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00F3B2FE
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1761381383.0000000000F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_f30000_CkVzvA.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 0302cd782c75eaa8fe1ed143353871f8c209dc3ec2c45466ada147e4e230cc31
                                                • Instruction ID: 09c5b6c060ce36fb5461bfe107caa6a016f34c7c6c5ff0e81c8dacca100a346b
                                                • Opcode Fuzzy Hash: 0302cd782c75eaa8fe1ed143353871f8c209dc3ec2c45466ada147e4e230cc31
                                                • Instruction Fuzzy Hash: 2911E0B5C002598FCB10DF9AD444ADEFBF4AF88324F10846AD959A7210C375A545CFA5

                                                Control-flow Graph

                                                control_flow_graph 1422 6e01f4a-6e01fba PostMessageW 1424 6e01fc3-6e01fd7 1422->1424 1425 6e01fbc-6e01fc2 1422->1425 1425->1424
                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 06E01FAD
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1774210097.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6e00000_CkVzvA.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: 5e9df92ac97600f8c848cea24a6e2ab7a8803dfaf8365731bed7cc3ef9a180b1
                                                • Instruction ID: 2e81e9d737e1e09eebac636b07c9ccde2496f2b186b0310c28a9578be0d7d348
                                                • Opcode Fuzzy Hash: 5e9df92ac97600f8c848cea24a6e2ab7a8803dfaf8365731bed7cc3ef9a180b1
                                                • Instruction Fuzzy Hash: CA1106B58003489FDB10DF9AD885BDEFBF8EB48324F10841AE554A7240C379A584CFA5

                                                Control-flow Graph

                                                control_flow_graph 1427 6e01f50-6e01fba PostMessageW 1428 6e01fc3-6e01fd7 1427->1428 1429 6e01fbc-6e01fc2 1427->1429 1429->1428
                                                APIs
                                                • PostMessageW.USER32(?,?,?,?), ref: 06E01FAD
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1774210097.0000000006E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E00000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_6e00000_CkVzvA.jbxd
                                                Similarity
                                                • API ID: MessagePost
                                                • String ID:
                                                • API String ID: 410705778-0
                                                • Opcode ID: e8956c5e48a405f1decbaaf6dbf73007be07f3404cae882e010587dc3bd35679
                                                • Instruction ID: 8b161b0eae1554c22235280ac507f7409f62e3171c64f9a75792de29e14456c6
                                                • Opcode Fuzzy Hash: e8956c5e48a405f1decbaaf6dbf73007be07f3404cae882e010587dc3bd35679
                                                • Instruction Fuzzy Hash: 4F1103B58003489FDB10DF9AD845BDEFBF8EB48324F20841AE558A7240C375A984CFA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1756327088.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_bdd000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: af51c5ceb246c1781e289036adcd322530e5c9f1ce73002be39c2ff1238a4fc7
                                                • Instruction ID: ea82f403132636e690c0e3853eb02ded9b28cbd18de6e9fe6e06cb68332c7bf1
                                                • Opcode Fuzzy Hash: af51c5ceb246c1781e289036adcd322530e5c9f1ce73002be39c2ff1238a4fc7
                                                • Instruction Fuzzy Hash: 3D212571500204DFDB05DF14D9C0B2AFFA5FB98324F20C6AAE9494B356D336E856CAA2
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1756327088.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_bdd000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 43c48cdf3736c38a829662127d916eb668c03b62c39be051ece2a2ae777dafde
                                                • Instruction ID: d44a6b553c54f09919ad8f9249512f4740c14d050d10c263503453e770525f6c
                                                • Opcode Fuzzy Hash: 43c48cdf3736c38a829662127d916eb668c03b62c39be051ece2a2ae777dafde
                                                • Instruction Fuzzy Hash: F7210371540240DFDB05DF14E9C0B2AFFA5FBA8318F20C5AAE8890B356D336D856CBA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1756428881.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_bed000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 95c1c8fe01435508362e276654f8e70cd4c00fc4764b774446ceb41f281d5224
                                                • Instruction ID: b7a09ac6b5dcb0f3567fbaa9a16fac67702bf0077cd66a8a86dbc9c0330cd85d
                                                • Opcode Fuzzy Hash: 95c1c8fe01435508362e276654f8e70cd4c00fc4764b774446ceb41f281d5224
                                                • Instruction Fuzzy Hash: 9D21F271604280DFCB14DF15D9D4B26BBA5FB84314F28C5ADD80A4B297C3BAD847CA61
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1756428881.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_bed000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f6ccdebbb06e4b2bab58f9dad2a7c5fdb82631ab6f3d104d3b34998694fdad3e
                                                • Instruction ID: bf970bc0bc59c2620b5907c30b3c387694d7af79bbb3c5306e72521d5cf4a353
                                                • Opcode Fuzzy Hash: f6ccdebbb06e4b2bab58f9dad2a7c5fdb82631ab6f3d104d3b34998694fdad3e
                                                • Instruction Fuzzy Hash: A321A4755093C08FCB02CF20D594715BFB1EB45314F28C5EAD8498B297C33AD80ACB62
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1756327088.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_bdd000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction ID: 99777a6515e7be2e8dfd2fcf2f5176c5d7703cb729a13285660dfceaf46ab1c9
                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction Fuzzy Hash: 0111B176504280DFCB16CF14D5C4B16FFB1FBA4318F24C6AAD8490B656C336D85ACBA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1756327088.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_bdd000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction ID: 2bb0975c039676d4721197191ee6fb7359f2934b3dd43542566f9442111a43f1
                                                • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                • Instruction Fuzzy Hash: E511CD72504240DFCB16CF00D5C4B16BFA1FB94324F24C2AAD8490A356C33AE85ACBA1
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1756327088.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_bdd000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4fda4f81d183cafa90c6a696cc688292612ce14658063f0df20f34e76e9b1ce2
                                                • Instruction ID: 0d28532df6529c0de15e42e8bbd7f2d11683fdd4eeab8366a8729fa36ff8c166
                                                • Opcode Fuzzy Hash: 4fda4f81d183cafa90c6a696cc688292612ce14658063f0df20f34e76e9b1ce2
                                                • Instruction Fuzzy Hash: 7A01F7311083049AE7104B25CDC4767FFD8EF41324F18C8EBEC484A386E2789C40C671
                                                Memory Dump Source
                                                • Source File: 00000009.00000002.1756327088.0000000000BDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BDD000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_9_2_bdd000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 79285a3da66d3a09f1e53d8a67af120b8f2dc6f4a2e058584783aff03c758cbb
                                                • Instruction ID: d7de750b96a42f9d4443d2f88a1a32e554441e6f3dc54ee7341865ef1ab64b01
                                                • Opcode Fuzzy Hash: 79285a3da66d3a09f1e53d8a67af120b8f2dc6f4a2e058584783aff03c758cbb
                                                • Instruction Fuzzy Hash: B0F062714043449AE7148B16CD84B66FFE8EB91735F18C99AED484F286D2799C44CA71

                                                Execution Graph

                                                Execution Coverage:11.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:0%
                                                Total number of Nodes:3
                                                Total number of Limit Nodes:0
                                                execution_graph 26172 624e288 26173 624e2ce GlobalMemoryStatusEx 26172->26173 26174 624e2fe 26173->26174
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 49da86f3fb0f2d36224868c228709d4bf65214f3ef0a39640019bb4e456ea43e
                                                • Instruction ID: 5ddb909dc8b90fa17f3f8dbd55d569513f4464a81a6930165368ed3317e38418
                                                • Opcode Fuzzy Hash: 49da86f3fb0f2d36224868c228709d4bf65214f3ef0a39640019bb4e456ea43e
                                                • Instruction Fuzzy Hash: 5053F931D10B1A8ADB11EF68C8846A9F7B1FF99300F51D79AE45877125FB70AAC4CB81
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 129ae69275967102f0ccc439b8654e0dd7013522194c7948296d24b6c0ce54ad
                                                • Instruction ID: 4d794ebee712f9a79145984dd3d4cd3c5bcfb7f5caaa3116c504f6a938d9d16d
                                                • Opcode Fuzzy Hash: 129ae69275967102f0ccc439b8654e0dd7013522194c7948296d24b6c0ce54ad
                                                • Instruction Fuzzy Hash: 35333F31D107198ECB15EF68C8906ADF7B5FF99300F14D69AD448AB225EB70EAC5CB81
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8d855c54b98c33160b5270f9e988340bfc489512e1c527a2106d6ae3612b3c75
                                                • Instruction ID: 059fbd3538c18bf115ac3b68d2bde4f1c6e0393577b8ee7be27e0b8d09fe8640
                                                • Opcode Fuzzy Hash: 8d855c54b98c33160b5270f9e988340bfc489512e1c527a2106d6ae3612b3c75
                                                • Instruction Fuzzy Hash: DCB14A70E002099FDB14CFA9D9857ADBBF6AF88318F14C129D855AB358EB749885CB81
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8d372f7508fa896e2a0b5529eb577661a49430282f454b13de33648fd0275500
                                                • Instruction ID: 7000f7852bdd559226cd07b65f9f3f122d2bc13c3573870234966f488fac89b2
                                                • Opcode Fuzzy Hash: 8d372f7508fa896e2a0b5529eb577661a49430282f454b13de33648fd0275500
                                                • Instruction Fuzzy Hash: 9C916D70E00219CFDB14CFA9C98579EBBF6BF98318F14C129E419AB258EB749845CB81

                                                Control-flow Graph

                                                control_flow_graph 2228 1366ed8-1366f42 call 1366c40 2237 1366f44-1366f5d call 136638c 2228->2237 2238 1366f5e-1366f8c 2228->2238 2242 1366f8e-1366f91 2238->2242 2244 1366f93-1366fc8 2242->2244 2245 1366fcd-1366fd0 2242->2245 2244->2245 2246 1366fd2 2245->2246 2247 1366fe0-1366fe3 2245->2247 2270 1366fd2 call 13680f1 2246->2270 2271 1366fd2 call 1367908 2246->2271 2272 1366fd2 call 1360ca9 2246->2272 2248 1367016-1367019 2247->2248 2249 1366fe5-1366ff9 2247->2249 2251 136702d-136702f 2248->2251 2252 136701b-1367022 2248->2252 2259 1366fff 2249->2259 2260 1366ffb-1366ffd 2249->2260 2250 1366fd8-1366fdb 2250->2247 2256 1367036-1367039 2251->2256 2257 1367031 2251->2257 2254 13670eb-13670f1 2252->2254 2255 1367028 2252->2255 2255->2251 2256->2242 2258 136703f-136704e 2256->2258 2257->2256 2263 1367050-1367053 2258->2263 2264 1367078-136708d 2258->2264 2261 1367002-1367011 2259->2261 2260->2261 2261->2248 2267 136705b-1367076 2263->2267 2264->2254 2267->2263 2267->2264 2270->2250 2271->2250 2272->2250
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LRkq$LRkq
                                                • API String ID: 0-2882777380
                                                • Opcode ID: eb067926a07d7dabda1a66bddb4fd7ccf62b09d6bf3d22c0e92eeb5a0077d06e
                                                • Instruction ID: fafa1bae9c9ad82a7ba6b2786dbd4a428dbafc2080a3c8ce73b50a58e60a7bf5
                                                • Opcode Fuzzy Hash: eb067926a07d7dabda1a66bddb4fd7ccf62b09d6bf3d22c0e92eeb5a0077d06e
                                                • Instruction Fuzzy Hash: 8351E230A002559FDB15DF78C4517AEBBB6EF85308F20C569E401EB299DB759C46CB50

                                                Control-flow Graph

                                                control_flow_graph 2889 624e286-624e2c6 2891 624e2ce-624e2fc GlobalMemoryStatusEx 2889->2891 2892 624e305-624e32d 2891->2892 2893 624e2fe-624e304 2891->2893 2893->2892
                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE ref: 0624E2EF
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2927400875.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_6240000_CkVzvA.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: 3b9a35c4ebaead0340302ff83d588ceca995029a53fbb71ce7ff2f6d78de45d1
                                                • Instruction ID: ac3e62b5bb5c7d29fa13bee89d467dadb4434116377784238014a337b90eead1
                                                • Opcode Fuzzy Hash: 3b9a35c4ebaead0340302ff83d588ceca995029a53fbb71ce7ff2f6d78de45d1
                                                • Instruction Fuzzy Hash: 551129B1C006599BDB10DF9AC5447DEFBF4BF48320F11812AD814B7250D378A940CFA5

                                                Control-flow graph (rendered figure; Executed / Not Executed colouring not reproduced): 624e288-624e2fc (calls GlobalMemoryStatusEx) → 624e305-624e32d, either directly or via 624e2fe-624e304.
                                                APIs
                                                • GlobalMemoryStatusEx.KERNELBASE ref: 0624E2EF
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2927400875.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_6240000_CkVzvA.jbxd
                                                Similarity
                                                • API ID: GlobalMemoryStatus
                                                • String ID:
                                                • API String ID: 1890195054-0
                                                • Opcode ID: 250be701da48f89aea9239c94f4f402e0a975851adf2fcc4371a1598dc52a8f9
                                                • Instruction ID: 3b793eda083ebbfb9d6e17114e462688e59aafae293ca5edd2d8499b2dfa8d98
                                                • Opcode Fuzzy Hash: 250be701da48f89aea9239c94f4f402e0a975851adf2fcc4371a1598dc52a8f9
                                                • Instruction Fuzzy Hash: F81123B1C0026A9BCB10DF9AC544BDEFBF4BF48320F11812AE818B7250D378A940CFA5
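The two records above describe a function in the 06240000 dump that calls GlobalMemoryStatusEx (the API that reports total and available physical RAM, a common sandbox-size check) and branches right after the call, and the report lists it twice because two entry points (0624E286 and 0624E288) reach the same body. The script below is an added example, not Joe Sandbox code and not part of the original report: it parses this plain-text rendering of the per-function records, indexes call sites by API so a triager can jump straight to every caller of a suspicious API, and flags near-duplicate functions by Hamming distance over the Instruction Fuzzy Hash. The Hamming heuristic and its threshold of 12 are this example's own assumptions; Joe Sandbox's actual similarity scoring is not documented on this page. The embedded sample is an abridged copy of three records from this page.

```python
"""Index the per-function records of a Joe Sandbox "Execution Graph" dump.

Added example, not Joe Sandbox code. Input is the plain-text rendering of the
report's function records as they appear on this page. The near-duplicate
heuristic (Hamming distance over the Instruction Fuzzy Hash hex strings) is
this script's own assumption, not a documented Joe Sandbox similarity measure.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Abridged copy of three records from the report on this page: two
# GlobalMemoryStatusEx callers (entries 0624E286 / 0624E288) and one string-only function.
SAMPLE = """\
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 0624E2EF
Memory Dump Source
• Source File: 0000000D.00000002.2927400875.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• Opcode ID: 3b9a35c4ebaead0340302ff83d588ceca995029a53fbb71ce7ff2f6d78de45d1
• Instruction Fuzzy Hash: 551129B1C006599BDB10DF9AC5447DEFBF4BF48320F11812AD814B7250D378A940CFA5
APIs
• GlobalMemoryStatusEx.KERNELBASE ref: 0624E2EF
Memory Dump Source
• Source File: 0000000D.00000002.2927400875.0000000006240000.00000040.00000800.00020000.00000000.sdmp, Offset: 06240000, based on PE: false
Similarity
• API ID: GlobalMemoryStatus
• String ID:
• Opcode ID: 250be701da48f89aea9239c94f4f402e0a975851adf2fcc4371a1598dc52a8f9
• Instruction Fuzzy Hash: F81123B1C0026A9BCB10DF9AC544BDEFBF4BF48320F11812AE818B7250D378A940CFA5
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
Similarity
• API ID:
• String ID: PHkq
• Opcode ID: cd73c992c62a255705b391f88ceec12675400c24cef5da62953797e0df27499b
• Instruction Fuzzy Hash: 2B4118307002018FDB16AB34E56466E7BEBAF85604F24847CD406EB39AEF79DC46CB95
"""

API_RE = re.compile(r"^• (\w+)\.(\w+) ref: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (\S+), Offset: ([0-9A-Fa-f]+)")
FIELD_RE = re.compile(r"^• (API ID|String ID|API String ID|Opcode ID|Instruction ID|"
                      r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$")


@dataclass
class FuncRecord:
    source_file: str = ""
    offset: str = ""
    apis: list = field(default_factory=list)    # (api name, module, call-site address)
    fields: dict = field(default_factory=dict)   # "Similarity" block key -> value


def parse_records(text):
    """Split the dump into FuncRecords; a record closes at its Instruction Fuzzy Hash line."""
    records, cur = [], FuncRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur.apis.append((m.group(1), m.group(2), m.group(3).upper()))
        elif m := SRC_RE.match(line):
            cur.source_file, cur.offset = m.group(1), m.group(2).upper()
        elif m := FIELD_RE.match(line):
            cur.fields[m.group(1)] = m.group(2)
            if m.group(1) == "Instruction Fuzzy Hash":   # last field of every record
                records.append(cur)
                cur = FuncRecord()
    return records


def index_by_api(records):
    """API name -> [(dump offset, call-site address)]; e.g. every GlobalMemoryStatusEx caller."""
    idx = defaultdict(list)
    for r in records:
        for api, _module, ref in r.apis:
            idx[api].append((r.offset, ref))
    return dict(idx)


def hamming(a, b):
    """Number of differing hex digits; hashes of different length are incomparable."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes differ in length")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def near_duplicates(records, max_distance=12):
    """Pairs of records whose Instruction Fuzzy Hashes differ in <= max_distance digits.
    Assumed heuristic: near-identical hashes usually mean one function body listed
    under two entry points (as with 0624E286 / 0624E288) or a lightly modified copy."""
    out = []
    for i, a in enumerate(records):
        for b in records[i + 1:]:
            ha, hb = a.fields.get("Instruction Fuzzy Hash"), b.fields.get("Instruction Fuzzy Hash")
            if ha and hb and len(ha) == len(hb) and (d := hamming(ha, hb)) <= max_distance:
                out.append((a.fields["Opcode ID"][:12], b.fields["Opcode ID"][:12], d))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print(index_by_api(recs))
    print(near_duplicates(recs))
```

On the three sample records the API index points both GlobalMemoryStatusEx call sites at 0624E2EF in the 06240000 dump, and the two records differ in only 10 of the 70 hash digits, so they are reported as one near-duplicate pair while the string-only function from the 01360000 dump is not; on a full report export the same index is the quickest way to list every caller of the APIs a sandbox check or credential-theft routine needs.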
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: PHkq
                                                • API String ID: 0-902561536
                                                • Opcode ID: cd73c992c62a255705b391f88ceec12675400c24cef5da62953797e0df27499b
                                                • Instruction ID: 49460b6caedb5fdad94403c5c2538d0b7ab2d6b2c68d67cb13d36fe17f1727d4
                                                • Opcode Fuzzy Hash: cd73c992c62a255705b391f88ceec12675400c24cef5da62953797e0df27499b
                                                • Instruction Fuzzy Hash: 2B4118307002018FDB16AB34E56466E7BEBAF85604F24847CD406EB39AEF79DC46CB95
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LRkq
                                                • API String ID: 0-1052062081
                                                • Opcode ID: 81fd5463c9d7954d2df89410d512dcd6982aa7662beba7bbe876c44d1f40e351
                                                • Instruction ID: 25c0405421e513cd6dd08bebbe6633e42bf34a7952ba58fa1df9fc31b47ad4b6
                                                • Opcode Fuzzy Hash: 81fd5463c9d7954d2df89410d512dcd6982aa7662beba7bbe876c44d1f40e351
                                                • Instruction Fuzzy Hash: 0831A174E10209DBDB15CFA9D54179EB7BAFF85308F60C529E402EB244EB75E846CB50
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: LRkq
                                                • API String ID: 0-1052062081
                                                • Opcode ID: 6df41e634ba9d7ac64345cd71323cee44d5dc501e765eaeeb8d19344a30edc31
                                                • Instruction ID: 5c0d1d34eba8f75ad207b2db7c7be1ba817f667b4a5baf5d81790cbc18cf2277
                                                • Opcode Fuzzy Hash: 6df41e634ba9d7ac64345cd71323cee44d5dc501e765eaeeb8d19344a30edc31
                                                • Instruction Fuzzy Hash: DA213A317042514FC706EB3CD49069E7FB2EF87204B0484AAC085CB3AAEF399C06CB92
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b490ba8fb8ebb8ca65f984bc11705f7502b1ae1929d2c9d214809b5ea2875754
                                                • Instruction ID: 5d312c5d6764d2fe44e8a7ce70a97426f299d4e76c66c0e56e3e2898c1f1cbd0
                                                • Opcode Fuzzy Hash: b490ba8fb8ebb8ca65f984bc11705f7502b1ae1929d2c9d214809b5ea2875754
                                                • Instruction Fuzzy Hash: F71260307102068FCB19AB38D69462876A6FB8A258F54997DE405CB355CF79EC87CF81
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 54d1022a1d0748755cc2f1e7117b097d6a56a64fa4ea7bc1e6c68224dced110e
                                                • Instruction ID: 91a4cd8fd0c67064aacd52b72c69fac774278ed4b759e439f5cd6f4f768cf238
                                                • Opcode Fuzzy Hash: 54d1022a1d0748755cc2f1e7117b097d6a56a64fa4ea7bc1e6c68224dced110e
                                                • Instruction Fuzzy Hash: EA126F307102068FCB19AB38E69462C76A6FB8A258F54997DE405CB355CF79EC87CF81
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c39c270a88332b3c0feb8400ca2e266a0d6c7e3f21fe4764d7eccd3c44fcdfac
                                                • Instruction ID: b2e70d54a959ffd356c3464ac09256b4317a31815b7fd9cd68fcbcdb6fac8a0e
                                                • Opcode Fuzzy Hash: c39c270a88332b3c0feb8400ca2e266a0d6c7e3f21fe4764d7eccd3c44fcdfac
                                                • Instruction Fuzzy Hash: 5EE17034B002098FDB15DF68D594B6DBBB6EB88318F148469E506EB3A9DB35EC41CB50
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d2b97195077800c60b0d895a3da1e5078553d27dbde1f66496bf059f85eb3f68
                                                • Instruction ID: a2416bad038470afe0455e6530d8b74facc283cedb78eca03b9010712bf91fb4
                                                • Opcode Fuzzy Hash: d2b97195077800c60b0d895a3da1e5078553d27dbde1f66496bf059f85eb3f68
                                                • Instruction Fuzzy Hash: 79C18F71A002058FDB14DF69D9807AEBBBAFF88318F10C569E509EB399DB74D845CB90
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6e1b1deb3cb34a814eb1c5530794e282e0612f8f2cd992264a59dc5f40f21c9f
                                                • Instruction ID: 7bf95f965642f2b21e04bf86222b05370d72185af677e29f84f4db616d22baa1
                                                • Opcode Fuzzy Hash: 6e1b1deb3cb34a814eb1c5530794e282e0612f8f2cd992264a59dc5f40f21c9f
                                                • Instruction Fuzzy Hash: A7B13870E00219DFDB10CFA8D98579DBFF5AF48358F14C129E858AB368EB749885CB81
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 261c19995e20ca63464258526eaae04eb3cdf2221119bad3c8c9b75f31ace31f
                                                • Instruction ID: d2f7b9d35b04c5f4660d23aa47ece8ca249948d0e2e53413275e3566f3fb679c
                                                • Opcode Fuzzy Hash: 261c19995e20ca63464258526eaae04eb3cdf2221119bad3c8c9b75f31ace31f
                                                • Instruction Fuzzy Hash: 1AA16B70E00219CFDB10CFA8C9857DEBBF6BF58318F14C129E419AB258EB749885CB91
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ae6679fad0c1015d659ab81f00f08ee5faba56724062eb61dd31bd33afd90732
                                                • Instruction ID: d7cfc0cea9dc11f52164ac56e72466187350cf9528c0460d69d5232b1fc2b238
                                                • Opcode Fuzzy Hash: ae6679fad0c1015d659ab81f00f08ee5faba56724062eb61dd31bd33afd90732
                                                • Instruction Fuzzy Hash: 02717BB0E00249DFEB14DFA9D88479EBFF6AF88318F14C129E415A7258EB749841CB95
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 17b58f43de777dba660491d46ed275b7555075fa920c8eca473c9b5cae58cd08
                                                • Instruction ID: 651ea66961d81b7f1e05d790f4a216b788fe873598bbf6998d71e9edaaab73db
                                                • Opcode Fuzzy Hash: 17b58f43de777dba660491d46ed275b7555075fa920c8eca473c9b5cae58cd08
                                                • Instruction Fuzzy Hash: 4E7189B0E00249DFDB14DFA9C8847DEBFF6AF48318F14C129E414AB258EB349841CB91
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 56fa8c06c7263bbeac86d9810d379dfd6c12ef01ad385d4b33179c4258c27507
                                                • Instruction ID: d6fe1abd663f17547d9bb3c8cf9a7e9f197b2c86c2d5d207f4af6e792e1c1724
                                                • Opcode Fuzzy Hash: 56fa8c06c7263bbeac86d9810d379dfd6c12ef01ad385d4b33179c4258c27507
                                                • Instruction Fuzzy Hash: B85124B0D102288FDB14CFA9C985B9DBBB5BF48314F14811DE819BB369D774A884CF95
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b469ae545d4836c820aa4c9ccce9870914545415144b68ac2caedb03fe7fce91
                                                • Instruction ID: dcc3a314c6d39f37c8fcc61a46586489bb3894c17e033c70bfb3f4ae11070ee8
                                                • Opcode Fuzzy Hash: b469ae545d4836c820aa4c9ccce9870914545415144b68ac2caedb03fe7fce91
                                                • Instruction Fuzzy Hash: 165104B0D102188FDB18CFA9C985B9DBBF5BF48314F148119E819BB369D774A884CF95
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fdfd842911476602c1fbcd10de1795d2593edfa05d7732cf1aea7b8b8a85f05e
                                                • Instruction ID: 132efb2c7acfe10099752548380f2f8a79cf1ddb7c6150fc2f454de9b89004cc
                                                • Opcode Fuzzy Hash: fdfd842911476602c1fbcd10de1795d2593edfa05d7732cf1aea7b8b8a85f05e
                                                • Instruction Fuzzy Hash: 1851B6312412858FC715FF2CFBA49587BA1F7A231430482BDD4846B33ADA3C6D4ACB45
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 61d28a2fc871547e736619286e7c730c9a56e0db4127f04bcf2c987815c446a7
                                                • Instruction ID: 76bac74dddd2039ba1154b27e5d8d74cdd535d17f01a33b7897da72a1835263b
                                                • Opcode Fuzzy Hash: 61d28a2fc871547e736619286e7c730c9a56e0db4127f04bcf2c987815c446a7
                                                • Instruction Fuzzy Hash: 8C51B6302412858FC715FF2CFBA49497BA1F7A230430082BDD4846B33ADA3C6D8ACB85
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1c0cec1874b1714bb29bac40fa4251cba933af004ef9075acbe2420279eeecca
                                                • Instruction ID: 80e9948c6e9882e920681805b70865faf108746ca197642f68c06f40c4e6cc69
                                                • Opcode Fuzzy Hash: 1c0cec1874b1714bb29bac40fa4251cba933af004ef9075acbe2420279eeecca
                                                • Instruction Fuzzy Hash: CB315035A102199BCB15DFA4D995A9EB7BAFF89304F10C519E805E7758EB70EC42CF40
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 82f91c07c72c2c7018e2af05ab1ad3397d5f2ddc3a84b5896ffc84adeb048d93
                                                • Instruction ID: 8824f9ea9a54d005b1a9cc58c82a26f66b0de5d36af3500c2d9ffa84875f55b4
                                                • Opcode Fuzzy Hash: 82f91c07c72c2c7018e2af05ab1ad3397d5f2ddc3a84b5896ffc84adeb048d93
                                                • Instruction Fuzzy Hash: CB41EEB1D00349DFDB10CFA9C884ADEBFF9AF48314F14802AE419AB264DB75A945CB90
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: be8f9b68335326aea73128a187dfc7f8c2b9c0200cba368ed9c0503a23cb116a
                                                • Instruction ID: 8ee5d7433ebd1a150814115868306bed1e613aa156f8ed8ff85cb7549226e45f
                                                • Opcode Fuzzy Hash: be8f9b68335326aea73128a187dfc7f8c2b9c0200cba368ed9c0503a23cb116a
                                                • Instruction Fuzzy Hash: 0B315E35A102099BCB15DFA8D594A9EB7BAFF89304F10C929E806E7754DB70EC42CF40
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b29e165fddfa1fcf7206f47726ac119a4f4a5608100abf2682cdc6865ffdc2c2
                                                • Instruction ID: 914ac302f85663e506e0054377dfdfec3a61951cb75684dba562db559d47d9d1
                                                • Opcode Fuzzy Hash: b29e165fddfa1fcf7206f47726ac119a4f4a5608100abf2682cdc6865ffdc2c2
                                                • Instruction Fuzzy Hash: E141E0B0D00349DFDB10DFA9C984A9EBFB9FF48314F108429E419AB264DB75A945CB90
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fa2ac967cf201145f2be67b4b954a8fb4844064bb6e10fd121599f88f3db55f7
                                                • Instruction ID: a5e668253edd631cf4ab82fdcdcd0798b0901e0719ac5050b421d2968dda1309
                                                • Opcode Fuzzy Hash: fa2ac967cf201145f2be67b4b954a8fb4844064bb6e10fd121599f88f3db55f7
                                                • Instruction Fuzzy Hash: 67313A34700215CFDF15EB78C6646AD77BAAB89248B1044BCD501AB3A8DF3A9D41CBA1
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f4b734782f5fd7865c0781260b19ed4d042e716599101fe131b234ce6ab99b9d
                                                • Instruction ID: 0ad8ddbd3108665ec99f293665a4b2ae16bf24b3149c84b7ff87632b91c017e6
                                                • Opcode Fuzzy Hash: f4b734782f5fd7865c0781260b19ed4d042e716599101fe131b234ce6ab99b9d
                                                • Instruction Fuzzy Hash: 26313A30700215CFDF15EF68CA646AD77BAAF89248F1085BCD501AB3A8DB3ADD41CB91
                                                Memory Dump Source
                                                • Source File: 0000000D.00000002.2914837369.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_13_2_1360000_CkVzvA.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a33f3aa372a8c0e96615e96a5caed9e860b6c037d09c38ffaf28047efee0b0e7
                                                • Instruction ID: 900fe3cd7ceeee1e4ae248162512e540776dd2641028457ac236ef07848bda1f
                                                • Opcode Fuzzy Hash: a33f3aa372a8c0e96615e96a5caed9e860b6c037d09c38ffaf28047efee0b0e7
                                                • Instruction Fuzzy Hash: DE316F31A1020A9FDB15CF68D99079EF7B6FF89308F14C529E405AB355DB719846CB50
                                                Memory Dump Source