
Windows Analysis Report
DSR0987678900000.exe

Overview

General Information

Sample name: DSR0987678900000.exe
Analysis ID: 1519446
MD5: 780e6f2c7b7d9742a94b9e2da18b58fd
SHA1: 275324c7b0b61ddc600df5c690ea35f780114ed8
SHA256: 8a5e154d88d238dc9a6970558ffd02bbd00dd786a0e7d51c3cea80badeb78e7e
Tags: exe, user-TeamDreier

Detection

AgentTesla
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected UAC Bypass using CMSTP
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Disables UAC (registry)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file does not import any functions
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • DSR0987678900000.exe (PID: 2756 cmdline: "C:\Users\user\Desktop\DSR0987678900000.exe" MD5: 780E6F2C7B7D9742A94B9E2DA18B58FD)
    • powershell.exe (PID: 5824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DSR0987678900000.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7652 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • AddInProcess32.exe (PID: 6048 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe" MD5: 9827FF3CDF4B83F9C86354606736CA9C)
    • WerFault.exe (PID: 7204 cmdline: C:\Windows\system32\WerFault.exe -u -p 2756 -s 1224 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000003.00000002.4220462335.000000000318E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.4220462335.0000000003161000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.4220462335.0000000003161000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 9 entries shown)

Yara matches in unpacked PE files (Source | Rule | Description | Author, with matched strings where the rule reports them):
0.2.DSR0987678900000.exe.1eb90889740.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.DSR0987678900000.exe.1eb90889740.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.DSR0987678900000.exe.1eb90889740.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x32935:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x329a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x32a31:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x32ac3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32b2d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x32b9f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32c35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32cc5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.DSR0987678900000.exe.1eb90889740.2.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x2fb6b:$s2: GetPrivateProfileString
  • 0x2f218:$s3: get_OSFullName
  • 0x30906:$s5: remove_Key
  • 0x30ab3:$s5: remove_Key
  • 0x31995:$s6: FtpWebRequest
  • 0x32917:$s7: logins
  • 0x32e89:$s7: logins
  • 0x35b8e:$s7: logins
  • 0x35c4c:$s7: logins
  • 0x375a1:$s7: logins
  • 0x367e6:$s9: 1.85 (Hash, version 2, native byte-order)
3.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 18 entries shown)
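The two ditekSHen rules above fire on string sets: eight Windows Vault schema GUIDs in one case, a handful of .NET member names and the "logins" table name in the other. The scanner below is an added example, not part of the Joe Sandbox report and not the text of ditekSHen's rules: it reproduces the gist of both rules in plain Python over a byte buffer, searching each string in ASCII and UTF-16LE because .NET user strings live UTF-16LE in the #US metadata heap. The string sets are taken from the hits listed above; the "at least four distinct strings" threshold, the encoding handling and the sample blobs are assumptions constructed for the example, not the rules' real conditions or bytes from the sample.

```python
from typing import Dict, List, Tuple

# Windows Vault schema GUIDs the vault rule hit on (offsets 0x32935-0x32cc5 in the listing above).
VAULT_SCHEMA_GUIDS: Tuple[bytes, ...] = (
    b"2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    b"3CCD5499-87A8-4B10-A215-608888DD3B55",
    b"154E23D0-C644-4E6F-8CE6-5069272F999F",
    b"4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    b"77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    b"E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    b"3E0E35BE-1B77-43E7-B873-AED901B6275B",
    b"3C886FF3-2669-4AA2-A8FB-3F6759A77548",
)
# Strings from the MALWARE_Win_AgentTeslaV2 hits in the listing above.
AGENTTESLA_STRINGS: Tuple[bytes, ...] = (
    b"GetPrivateProfileString",
    b"get_OSFullName",
    b"remove_Key",
    b"FtpWebRequest",
    b"logins",
    b"1.85 (Hash, version 2, native byte-order)",
)
RULES = {
    "INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID": VAULT_SCHEMA_GUIDS,
    "MALWARE_Win_AgentTeslaV2": AGENTTESLA_STRINGS,
}
MIN_DISTINCT = 4  # assumed condition: at least four distinct strings per rule


def _find_all(buf: bytes, needle: bytes) -> List[int]:
    """Every offset at which needle occurs in buf (overlaps allowed, like Yara)."""
    offsets, start = [], 0
    while (i := buf.find(needle, start)) >= 0:
        offsets.append(i)
        start = i + 1
    return offsets


def scan(buf: bytes) -> Dict[str, List[Tuple[int, str, str]]]:
    """Per rule, (offset, encoding, string) for each occurrence, like Yara's string listing."""
    hits: Dict[str, List[Tuple[int, str, str]]] = {}
    for rule, needles in RULES.items():
        for s in needles:
            # Search both encodings, as a `wide ascii` Yara string would.
            for enc, pattern in (("ascii", s), ("wide", s.decode("ascii").encode("utf-16-le"))):
                for off in _find_all(buf, pattern):
                    hits.setdefault(rule, []).append((off, enc, s.decode("ascii")))
        if rule in hits:
            hits[rule].sort()
    return hits


def classify(buf: bytes) -> List[str]:
    """Names of the rules whose distinct-string count reaches MIN_DISTINCT."""
    hits = scan(buf)
    return [rule for rule in RULES if len({h[2] for h in hits.get(rule, [])}) >= MIN_DISTINCT]


def build_blob(strings: Tuple[bytes, ...]) -> bytes:
    """Constructed stand-in for a .NET #US heap: 16 bytes of padding, then each
    string as UTF-16LE followed by a NUL. Not bytes taken from the real sample."""
    blob = bytearray(16)
    for s in strings:
        blob += s.decode("ascii").encode("utf-16-le") + b"\x00\x00"
    return bytes(blob)


SAMPLE_BLOB = build_blob(VAULT_SCHEMA_GUIDS + AGENTTESLA_STRINGS)
# Control: a program that touches one vault schema and has a 'logins' string
# plus one ASCII import name must stay below the threshold.
BENIGN_BLOB = build_blob((VAULT_SCHEMA_GUIDS[3], b"logins")) + b"GetPrivateProfileString\x00"

if __name__ == "__main__":
    for rule, entries in scan(SAMPLE_BLOB).items():
        print(rule)
        for off, enc, s in entries[:3]:
            print(f"  0x{off:x} ({enc}): {s}")
    print("verdict:", classify(SAMPLE_BLOB), "| control:", classify(BENIGN_BLOB))
```

The control blob is the point of the threshold: a single vault GUID is what a legitimate credential-manager client references, so a rule keyed on one GUID would be noisy, while a stealer that enumerates every schema carries all eight.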

                  System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DSR0987678900000.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DSR0987678900000.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\DSR0987678900000.exe", ParentImage: C:\Users\user\Desktop\DSR0987678900000.exe, ParentProcessId: 2756, ParentProcessName: DSR0987678900000.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DSR0987678900000.exe" -Force, ProcessId: 5824, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: same event (PID 5824) as the match above
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: same event (PID 5824) as the match above
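The three Sigma matches above all key on one event: the dropper (PID 2756, running from the user's Desktop) spawning powershell.exe to add its own path as a Defender exclusion; the process tree also shows it spawning the signed .NET host AddInProcess32.exe, into which the AgentTesla payload is injected. The detector below is an added example, not part of the Joe Sandbox report and not Sigma's own code: it replays that logic over constructed Sysmon-style process-creation events, including the base64 -EncodedCommand form that the "Base64 Encoded MpPreference Cmdlet" rule targets, and scores a self-exclusion (the parent excluding its own binary) highest. The event field names, the user-writable path list, the severity scheme and the synthetic events beyond the two taken from the process tree are assumptions made for the example.

```python
import base64
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Assumed list of directories a standard user can write to (case-insensitive).
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(?:Users\\[^\\]+\\(?:Desktop|Downloads|AppData)|ProgramData|Windows\\Temp)\\", re.I
)
# Add-/Set-MpPreference followed by any -Exclusion* parameter.
MP_EXCLUSION = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b", re.I | re.S
)
# -EncodedCommand and the abbreviations PowerShell accepts, then the base64 payload.
ENCODED = re.compile(r"-(?:e|ec|en|enc|enco|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

Finding = Tuple[str, int, str]  # (rule name, ProcessId, severity)


def command_texts(cmdline: str) -> Iterator[str]:
    """Yield the raw command line and, if it carries -EncodedCommand, the decoded UTF-16LE script."""
    yield cmdline
    m = ENCODED.search(cmdline)
    if m:
        try:
            yield base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return  # not valid base64/UTF-16LE: nothing further to inspect


def rule_defender_exclusion(ev: Dict) -> Optional[Finding]:
    if not ev["Image"].lower().endswith("\\powershell.exe"):
        return None
    parent = ev["ParentImage"]
    for text in command_texts(ev["CommandLine"]):
        if MP_EXCLUSION.search(text):
            severity = "high" if USER_WRITABLE.match(parent) else "medium"
            if parent.lower() in text.lower():
                severity = "critical"  # parent excludes its own binary, exactly the event above
            return ("defender_exclusion", ev["ProcessId"], severity)
    return None


def rule_addinprocess_host(ev: Dict) -> Optional[Finding]:
    """A signed .NET add-in host started by something in a user-writable directory: the injection pattern seen in the tree."""
    image = ev["Image"].lower().rsplit("\\", 1)[-1]
    if image in ("addinprocess32.exe", "addinprocess.exe") and USER_WRITABLE.match(ev["ParentImage"]):
        return ("addinprocess_host_from_user_dir", ev["ProcessId"], "high")
    return None


RULES = (rule_defender_exclusion, rule_addinprocess_host)


def run(events: List[Dict]) -> List[Finding]:
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\user\Desktop\DSR0987678900000.exe"
# Constructed: the same cmdlet wrapped as a UTF-16LE base64 -EncodedCommand.
ENCODED_SCRIPT = base64.b64encode(
    r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'".encode("utf-16-le")
).decode()

SAMPLE_EVENTS = [
    # The two children of PID 2756 from the report's process tree.
    {"ProcessId": 5824, "Image": PS,
     "CommandLine": f'"{PS}" Add-MpPreference -ExclusionPath "{DROPPER}" -Force',
     "ParentProcessId": 2756, "ParentImage": DROPPER},
    {"ProcessId": 6048, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"',
     "ParentProcessId": 2756, "ParentImage": DROPPER},
    # Constructed: encoded variant from a different (hypothetical) dropper.
    {"ProcessId": 7001, "Image": PS,
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED_SCRIPT}",
     "ParentProcessId": 7000, "ParentImage": r"C:\Users\user\AppData\Roaming\update.exe"},
    # Constructed benign control: only reads preferences.
    {"ProcessId": 7100, "Image": PS, "CommandLine": "powershell.exe Get-MpPreference",
     "ParentProcessId": 1000, "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(finding)
```

The exclusion rule deliberately matches Set-MpPreference and every -Exclusion* parameter, not just the -ExclusionPath seen here; the parent-path condition is what keeps it quiet for administrators running the same cmdlet from a management tool.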
                  No Suricata rule has matched


                  AV Detection

Source: http://ftp.antoniomayol.com | Avira URL Cloud: Label: malware
Source: 3.2.AddInProcess32.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source: DSR0987678900000.exe | ReversingLabs: Detection: 26%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: DSR0987678900000.exe | Joe Sandbox ML: detected

                  Exploits

Source: Yara match | File source: 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DSR0987678900000.exe PID: 2756, type: MEMORYSTR
Source: DSR0987678900000.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Source: Binary string: pC:\Users\user\Desktop\DSR0987678900000.PDB source: DSR0987678900000.exe, 00000000.00000002.1994769675.00000015735F3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF05C3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32{"0 source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Drawing.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbNM-R source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF05C3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb$ source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb9 source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: .pdbHJ source: DSR0987678900000.exe, 00000000.00000002.1994769675.00000015735F3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\Desktop\DSR0987678900000.PDB source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: DSR0987678900000.PDB_s source: DSR0987678900000.exe, 00000000.00000002.1994769675.00000015735F3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb6 source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF053E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: \Registry\Machine\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32objr\x86\Microsoft.VisualBasic.pdbx source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbces source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Desktop\DSR0987678900000.PDB source: DSR0987678900000.exe, 00000000.00000002.1994769675.00000015735F3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb5619 source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF05C3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbL source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Management.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Drawing.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: mscorlib.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Management.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: C:\Users\user\Desktop\DSR0987678900000.PDB source: DSR0987678900000.exe, 00000000.00000002.1994769675.00000015735F3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF055B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbO source: DSR0987678900000.exe, 00000000.00000002.1999258647.000001EBEDFD6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Drawing.pdbh source: WERA6F.tmp.dmp.6.dr

                  Networking

Source: Yara match | File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 15.197.240.20
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: TANDEMUS
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: ftp.antoniomayol.com
Source: global traffic | DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: AddInProcess32.exe, 00000003.00000002.4220462335.000000000318E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.antoniomayol.com
Source: AddInProcess32.exe, 00000003.00000002.4220462335.0000000003131000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: DSR0987678900000.exe, 00000000.00000002.1995376701.000001EB90811000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4220462335.0000000003131000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: AddInProcess32.exe, 00000003.00000002.4220462335.0000000003131000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
Source: DSR0987678900000.exe, 00000000.00000002.1995376701.000001EB90811000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
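The only HTTP request in the capture is the one behind the "Check if machine is in data center or colocation facility" and "HTTP GET or POST without a user agent" signatures: a bare GET to ip-api.com asking for the single field hosting. The code below is an added example, not part of the Joe Sandbox report: it parses that request, states why it is an analysis-environment check rather than ordinary geolocation, and interprets the reply the sample would act on. The request bytes are reconstructed from the "HTTP traffic detected" line above; the browser control request, the replies, and the list of IP-lookup hosts other than ip-api.com are constructed for the example, and the one-value-per-line reply format of the /line endpoint is an assumption the example relies on.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Assumed starter list of public IP-lookup services; ip-api.com is the one in this report.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "ipinfo.io"}


def parse_http_request(raw: bytes) -> Dict:
    """Minimal HTTP/1.1 request parser: method, path, query dict, lower-cased headers."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "path": url.path, "query": parse_qs(url.query), "headers": headers}


def assess_request(raw: bytes) -> Optional[Dict]:
    """None for traffic that is not an IP lookup; otherwise the reasons it looks like an evasion check."""
    req = parse_http_request(raw)
    host = req["headers"].get("host", "").split(":")[0].lower()
    if host not in IP_LOOKUP_HOSTS:
        return None
    reasons: List[str] = ["external IP lookup"]
    if "user-agent" not in req["headers"]:
        reasons.append("no User-Agent header: not a browser (HTTP GET or POST without a user agent)")
    requested = {f for v in req["query"].get("fields", []) for f in v.split(",")}
    if "hosting" in requested:
        reasons.append("asks only whether the IP is a hosting/data-centre range: a sandbox check, not geolocation")
    return {"host": host, "method": req["method"], "path": req["path"],
            "fields": sorted(requested), "reasons": reasons}


def hosting_verdict(body: bytes) -> Optional[bool]:
    """Interpret a /line reply (assumed one value per line). True means the sample
    sees itself on hosting infrastructure, the answer it treats as 'analysis box'."""
    lines = body.strip().splitlines()
    if not lines:
        return None
    return {"true": True, "false": False}.get(lines[0].strip().lower().decode("latin-1"))


# Reconstructed from the "HTTP traffic detected" line above.
CAPTURED_REQUEST = (b"GET /line/?fields=hosting HTTP/1.1\r\nHost: ip-api.com\r\n"
                    b"Connection: Keep-Alive\r\n\r\n")
# Constructed control: a browser fetching an unrelated page with a User-Agent.
BROWSER_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                   b"User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n")
# Constructed replies in the /line format.
REPLY_HOSTING = b"true\n"
REPLY_RESIDENTIAL = b"false\n"

if __name__ == "__main__":
    print(assess_request(CAPTURED_REQUEST))
    print(assess_request(BROWSER_REQUEST))
    print("sample sees hosting =", hosting_verdict(REPLY_HOSTING))
```

When re-detonating a sample like this one, the reply to that request decides whether the later stages run at all, so an interception proxy that answers "false" is the practical way to reach the exfiltration stage; in this run the sample went on to resolve ftp.antoniomayol.com, so whatever answer it received did not stop it. On the defensive side the combination (IP-lookup host, no User-Agent, non-browser parent) is a cheap proxy-log hunt with few benign hits.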

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, R1W.cs | .Net Code: HAg81
Source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.raw.unpack, R1W.cs | .Net Code: HAg81

                  System Summary

                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                  Source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeCode function: 0_2_00007FFD9B9033D00_2_00007FFD9B9033D0
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeCode function: 0_2_00007FFD9B908E600_2_00007FFD9B908E60
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeCode function: 0_2_00007FFD9B90BAA00_2_00007FFD9B90BAA0
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeCode function: 0_2_00007FFD9B9045F00_2_00007FFD9B9045F0
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeCode function: 0_2_00007FFD9B90EA090_2_00007FFD9B90EA09
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeCode function: 0_2_00007FFD9B914A2B0_2_00007FFD9B914A2B
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeCode function: 0_2_00007FFD9B9044A00_2_00007FFD9B9044A0
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeCode function: 0_2_00007FFD9B9D026B0_2_00007FFD9B9D026B
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_01714A883_2_01714A88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_0171AD883_2_0171AD88
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_01713E703_2_01713E70
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_017141B83_2_017141B8
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_0692C6003_2_0692C600
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_0692AD783_2_0692AD78
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069A66C03_2_069A66C0
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069A52703_2_069A5270
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069AC2703_2_069AC270
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069AB3093_2_069AB309
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069A31383_2_069A3138
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069A7E503_2_069A7E50
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069A77703_2_069A7770
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069A24303_2_069A2430
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069AE4783_2_069AE478
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069A00403_2_069A0040
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069A59AB3_2_069A59AB
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069A00063_2_069A0006
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_069A00383_2_069A0038
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeProcess created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2756 -s 1224
                  Source: DSR0987678900000.exeStatic PE information: No import functions for PE file found
                  Source: DSR0987678900000.exe, 00000000.00000000.1753112308.000001EBEDE12000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameTransponer.exe6 vs DSR0987678900000.exe
                  Source: DSR0987678900000.exe, 00000000.00000002.1995376701.000001EB90811000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamee6c7e90e-20ff-4cd0-a277-0023958459c3.exe4 vs DSR0987678900000.exe
                  Source: DSR0987678900000.exeBinary or memory string: OriginalFilenameTransponer.exe6 vs DSR0987678900000.exe
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                  Source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                  Source: DSR0987678900000.exe, --.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, KLhJmaON.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, KLhJmaON.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, 7hO8luD.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, 7hO8luD.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, 7hO8luD.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, 7hO8luD.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, 9HIFdl.csCryptographic APIs: 'TransformFinalBlock'
                  Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, 9HIFdl.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                  Source: DSR0987678900000.exe, 00000000.00000002.1999258647.000001EBEDFD6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbO
                  Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@8/10@5/2
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Mutant created: NULL
                  Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2060:120:WilError_03
                  Source: C:\Windows\System32\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2756
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljiicu1b.ymn.ps1
                  Source: DSR0987678900000.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: DSR0987678900000.exe | Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | File read: C:\Users\user\Desktop\desktop.ini
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: DSR0987678900000.exe | ReversingLabs: Detection: 26%
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | File read: C:\Users\user\Desktop\DSR0987678900000.exe
                  Source: unknown | Process created: C:\Users\user\Desktop\DSR0987678900000.exe "C:\Users\user\Desktop\DSR0987678900000.exe"
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DSR0987678900000.exe" -Force
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 2756 -s 1224
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
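                  The process tree above is the part of this report a detection engineer acts on: the sample launches powershell.exe with Add-MpPreference -ExclusionPath to exempt itself from Defender, then launches the .NET add-in host AddInProcess32.exe, which carries out the WMI queries and credential-store access recorded later in the report. The following is an added example, not part of the Joe Sandbox report: a small Python detector run over constructed process-creation events modelled on that tree. It flags Add-/Set-MpPreference exclusion changes both in clear text and behind -EncodedCommand (the encoded form is what the "Powershell Base64 Encoded MpPreference Cmdlet" Sigma rule in this report targets), and flags AddInProcess32.exe started by a parent outside an allowlist. The event layout, pids, parent paths and the allowlist are assumptions made for the example.

```python
import base64
import re

# Defender exclusion tampering: Add-/Set-MpPreference followed by any -Exclusion* parameter.
# Case-insensitive so mixed-case obfuscation (sEt-mPpReFeReNcE) still matches.
MP_EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)\b",
    re.IGNORECASE | re.DOTALL,
)
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for a base64(UTF-16LE) script.
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Assumption: parents that legitimately launch AddInProcess32.exe in this environment.
ADDIN_PARENT_ALLOWLIST = {"devenv.exe", "msbuild.exe"}


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an -EncodedCommand blob, else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule, detail) tuples for process-creation events that match a rule."""
    findings = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        if image in ("powershell.exe", "pwsh.exe"):
            # Inspect the decoded script when the cmdlet is hidden behind -EncodedCommand.
            decoded = decode_encoded_command(ev["cmdline"])
            script = decoded if decoded is not None else ev["cmdline"]
            if MP_EXCLUSION_RE.search(script):
                findings.append((ev["pid"], "defender_exclusion_change", script))
        if image in ("addinprocess32.exe", "addinprocess.exe") and parent not in ADDIN_PARENT_ALLOWLIST:
            findings.append((ev["pid"], "addinprocess_unusual_parent", ev["parent_image"]))
    return findings


SAMPLE = r"C:\Users\user\Desktop\DSR0987678900000.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ADDIN = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"


def build_sample_events():
    """Constructed process-creation events modelled on the report's process tree (pids are made up)."""
    return [
        {"pid": 101, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe",
         "cmdline": f'"{SAMPLE}"'},
        {"pid": 102, "image": PS, "parent_image": SAMPLE,
         "cmdline": f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}" -Force'},
        # The same tampering hidden behind -EncodedCommand with mixed-case cmdlet name.
        {"pid": 103, "image": PS, "parent_image": SAMPLE,
         "cmdline": f'"{PS}" -NoProfile -enc '
                    + encode_command('sEt-mPpReFeReNcE -ExclusionProcess "AddInProcess32.exe"')},
        {"pid": 104, "image": ADDIN, "parent_image": SAMPLE, "cmdline": f'"{ADDIN}"'},
        # Benign controls: an admin reading the config, and AddInProcess32 under Visual Studio.
        {"pid": 105, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
         "cmdline": f'"{PS}" Get-MpPreference'},
        {"pid": 106, "image": ADDIN, "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
         "cmdline": f'"{ADDIN}"'},
    ]


if __name__ == "__main__":
    for pid, rule, detail in detect(build_sample_events()):
        print(f"pid {pid}: {rule}: {detail}")
```

                  In production the same fields come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled. This sample passes the cmdlet in clear text, so the plain-text rule alone is enough for it; the decoder is there for the encoded variants the Sigma rule exists for, and Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log independently records the resulting exclusion change.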
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | Sections loaded (31): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wldp.dll, amsi.dll, userenv.dll, profapi.dll, wbemcomn.dll, sspicli.dll, uxtheme.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Sections loaded (35): atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, wldp.dll, msasn1.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Sections loaded (31): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, rasapi32.dll, rasman.dll, rtutils.dll, mswsock.dll, winhttp.dll, ondemandconnroutehelper.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, vaultcli.dll, wintypes.dll
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Sections loaded (13, wbemcomn.dll twice): fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                  Source: Window Recorder | Window detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                  Source: DSR0987678900000.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: DSR0987678900000.exe | Static file information: File size 3794463 > 1048576
                  Source: DSR0987678900000.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
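                  The static lines above are what a .NET sample is triaged on before it is ever executed: a populated IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR marks a managed (CLR) image, the DllCharacteristics bits show which loader mitigations the linker enabled, and the report flags files over 1 MiB because padding a sample past scanner size limits is a common evasion. Added example, not part of the report: a Python parser that reads exactly those fields, plus the section flags from the .text line earlier in the report, straight from the PE headers. It is run here on a constructed minimal PE32+ header (not the real sample, which is not on this page) that carries the same flags the report lists; pass a file path to parse a real binary instead.

```python
import struct

# IMAGE_OPTIONAL_HEADER.DllCharacteristics bits (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
# IMAGE_SECTION_HEADER.Characteristics bits relevant to triage
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
LARGE_FILE_THRESHOLD = 1048576  # the 1 MiB threshold the report applies


def _flags(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to reproduce the report's static checks."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    pe32_plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]  # same offset in PE32 and PE32+
    n_dirs = struct.unpack_from("<I", data, opt + (108 if pe32_plus else 92))[0]
    dir_base = opt + (112 if pe32_plus else 96)
    com_rva = com_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        com_rva, com_size = struct.unpack_from("<II", data, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = []
    for i in range(nsections):  # 40-byte section headers follow the optional header
        off = opt + opt_size + 40 * i
        name = struct.unpack_from("<8s", data, off)[0].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, _flags(chars, SECTION_FLAGS)))
    return {
        "machine": machine,
        "pe32_plus": pe32_plus,
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "is_dotnet": com_rva != 0 and com_size != 0,  # COM descriptor present => managed image
        "sections": sections,
        "large_file": len(data) > LARGE_FILE_THRESHOLD,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ header with a .NET COM descriptor; headers only, not a runnable binary."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x0022)         # x64, 1 section, 240-byte opt hdr
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                   # PE32+ magic
    struct.pack_into("<H", opt, 70, 0x0020 | 0x0040 | 0x0100 | 0x0400 | 0x8000)  # same bits as the report
    struct.pack_into("<I", opt, 108, 16)                                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * 14, 0x2008, 0x48)                # COM descriptor RVA / size
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x2000, 0x1000, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in parse_pe(data).items():
        print(f"{key}: {value}")
```

                  Two caveats when running this on real samples: a .NET image's .text section holding the CLR metadata is expected to be read-and-execute, so the section line in the report is unremarkable on its own, and the DllCharacteristics bits are what the linker wrote, not a statement that the loader honours them (a 32-bit managed image, for instance, gets its real protections from the CLR rather than these flags).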
                  Source: Binary string: pC:\Users\user\Desktop\DSR0987678900000.PDB source: DSR0987678900000.exe, 00000000.00000002.1994769675.00000015735F3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF05C3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdbRSDS source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: mscorlib.pdbCLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32{"0 source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Drawing.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbNM-R source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF05C3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdb$ source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb9 source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Drawing.ni.pdbRSDS source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: .pdbHJ source: DSR0987678900000.exe, 00000000.00000002.1994769675.00000015735F3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\Desktop\DSR0987678900000.PDB source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: DSR0987678900000.PDB_s source: DSR0987678900000.exe, 00000000.00000002.1994769675.00000015735F3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.pdb6 source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\Microsoft.VisualBasic.pdb source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF053E000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: Microsoft.VisualBasic.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: \Registry\Machine\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32objr\x86\Microsoft.VisualBasic.pdbx source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\dll\Microsoft.VisualBasic.pdbces source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: C:\Users\user\Desktop\DSR0987678900000.PDB source: DSR0987678900000.exe, 00000000.00000002.1994769675.00000015735F3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: System.Windows.Forms.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb5619 source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF05C3000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: mscorlib.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Management.ni.pdbRSDSJ< source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.VisualBasic.pdbL source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF0571000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Management.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Drawing.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: mscorlib.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Management.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: C:\Users\user\Desktop\DSR0987678900000.PDB source: DSR0987678900000.exe, 00000000.00000002.1994769675.00000015735F3000.00000004.00000010.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Windows\mscorlib.pdb source: DSR0987678900000.exe, 00000000.00000002.2002043543.000001EBF055B000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.Core.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: f:\binaries\Intermediate\vb\microsoft.visualbasic.build.vbproj_731629843\objr\x86\Microsoft.VisualBasic.pdbO source: DSR0987678900000.exe, 00000000.00000002.1999258647.000001EBEDFD6000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: System.ni.pdb source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Core.ni.pdbRSDS source: WERA6F.tmp.dmp.6.dr
                  Source: Binary string: System.Drawing.pdbh source: WERA6F.tmp.dmp.6.dr
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | Code function: 0_2_00007FFD9B907C2E pushad ; retf 0_2_00007FFD9B907C5D
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | Code function: 0_2_00007FFD9B907C5E push eax; retf 0_2_00007FFD9B907C6D
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | Code function: 0_2_00007FFD9B9D026B push esp; retf 4810h 0_2_00007FFD9B9D0312

                  Hooking and other Techniques for Hiding and Protection

                  Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: download (31).png
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 occurrences)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 occurrences)
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe | Process information set: NOOPENFILEERRORBOX (41 occurrences)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (16 occurrences)
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\System32\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                  Malware Analysis System Evasion

                  Source: Yara matchFile source: Process Memory Space: DSR0987678900000.exe PID: 2756, type: MEMORYSTR
                  Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeWMI Queries: IWbemServices::ExecQuery - ROOT\cimv2 : SELECT * FROM Win32_VideoController
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmp, DSR0987678900000.exe, 00000000.00000002.1995376701.000001EB90811000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4220462335.0000000003161000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLLP
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: WINE_GET_UNIX_FILE_NAMEP
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe; Memory allocated: 1EBEE180000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe; Memory allocated: 1EBEFAF0000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Memory allocated: 1710000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Memory allocated: 3130000 memory reserve | memory write watch
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Memory allocated: 2F60000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe; File opened / queried: C:\WINDOWS\system32\drivers\vmmouse.sys
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe; File opened / queried: C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe; File opened / queried: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe; Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                  Source: C:\Users\user\Desktop\DSR0987678900000.exe; Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599672
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599561
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599016
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598546
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598319
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598102
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597945
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597835
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597594
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597375
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597266
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597047
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596936
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596824
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596608
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596391
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596266
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596141
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596030
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595922
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595812
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595592
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595470
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595311
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595045
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594926
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594797
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594012
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 593906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 593797
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 5640
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 4192
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Window / User API: threadDelayed 5470
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Window / User API: threadDelayed 4364
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7400; Thread sleep time: -11068046444225724s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep count: 32 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -29514790517935264s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -600000s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -599891s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7272; Thread sleep count: 5470 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -599781s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7272; Thread sleep count: 4364 > 30
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -599672s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -599561s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -599453s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -599344s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -599234s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -599125s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -599016s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -598891s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -598766s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -598656s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -598546s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -598437s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -598319s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -598102s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -597945s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -597835s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -597719s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -597594s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -597484s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -597375s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -597266s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -597156s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -597047s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -596936s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -596824s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -596719s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -596608s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -596500s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -596391s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -596266s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -596141s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -596030s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -595922s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -595812s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -595703s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -595592s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -595470s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -595311s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -595045s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -594926s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -594797s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -594687s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -594578s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -594469s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -594344s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -594234s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -594125s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -594012s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -593906s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7268; Thread sleep time: -593797s >= -30000s
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 600000
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599781
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599672
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599561
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599453
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 599016
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598891
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598766
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598656
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598546
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598437
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598319
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 598102
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597945
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597835
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597594
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597484
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597375
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597266
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597156
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 597047
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596936
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596824
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596719
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596608
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596500
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596391
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596266
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596141
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 596030
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595922
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595812
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595703
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595592
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595470
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595311
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 595045
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594926
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594797
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594687
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594578
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594469
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594344
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594234
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594125
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 594012
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 593906
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe; Thread delayed: delay time: 593797
                  Source: Amcache.hve.6.dr; Binary or memory string: VMware
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: QEMUP
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: "SOFTWARE\VMware, Inc.\VMware ToolsP
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                  Source: Amcache.hve.6.dr; Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: Amcache.hve.6.dr; Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                  Source: Amcache.hve.6.dr; Binary or memory string: vmci.sys
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
                  Source: AddInProcess32.exe, 00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: vmware
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
                  Source: DSR0987678900000.exe, 00000000.00000002.1995376701.000001EB90811000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: hgfsZrw6
                  Source: Amcache.hve.6.dr; Binary or memory string: VMware20,1
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: &C:\WINDOWS\system32\drivers\vmhgfs.sysP
                  Source: Amcache.hve.6.dr; Binary or memory string: Microsoft Hyper-V Generation Counter
                  Source: Amcache.hve.6.dr; Binary or memory string: NECVMWar VMware SATA CD00
                  Source: Amcache.hve.6.dr; Binary or memory string: VMware Virtual disk SCSI Disk Device
                  Source: Amcache.hve.6.dr; Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                  Source: Amcache.hve.6.dr; Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                  Source: Amcache.hve.6.dr; Binary or memory string: VMware PCI VMCI Bus Device
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
                  Source: Amcache.hve.6.dr; Binary or memory string: VMware VMCI Bus Device
                  Source: Amcache.hve.6.dr; Binary or memory string: VMware Virtual RAM
                  Source: Amcache.hve.6.dr; Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWAREP
                  Source: Amcache.hve.6.dr; Binary or memory string: vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.6.dr; Binary or memory string: VMware Virtual USB Mouse
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmwareP
                  Source: Amcache.hve.6.dr; Binary or memory string: vmci.syshbin
                  Source: Amcache.hve.6.dr; Binary or memory string: VMware, Inc.
                  Source: AddInProcess32.exe, 00000003.00000002.4223608817.000000000644D000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllHA_
                  Source: Amcache.hve.6.dr; Binary or memory string: VMware20,1hbin@
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: )C:\WINDOWS\system32\drivers\VBoxMouse.sysP
                  Source: Amcache.hve.6.dr; Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                  Source: Amcache.hve.6.dr; Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.6.dr; Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: %C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\P
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware SVGA II
                  Source: Amcache.hve.6.dr; Binary or memory string: c:/windows/system32/drivers/vmci.sys
                  Source: Amcache.hve.6.dr; Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware SVGA IIP
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: 'C:\WINDOWS\system32\drivers\vmmouse.sysP
                  Source: Amcache.hve.6.dr; Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                  Source: Amcache.hve.6.dr; Binary or memory string: vmci.syshbin`
                  Source: Amcache.hve.6.dr; Binary or memory string: \driver\vmci,\driver\pci
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                  Source: Amcache.hve.6.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                  Source: AddInProcess32.exe, 00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                  Source: Amcache.hve.6.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                  Source: DSR0987678900000.exe, 00000000.00000002.1994968952.000001EB80041000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "SOFTWARE\VMware, Inc.\VMware Tools
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  barindex
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeCode function: 3_2_01717070 CheckRemoteDebuggerPresent,3_2_01717070
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess queried: DebugPortJump to behavior
                  Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exeProcess token adjusted: DebugJump to behavior
                  Source: C:\Users\user\Desktop\DSR0987678900000.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: DSR0987678900000.exe, --.cs - Reference to suspicious API methods: LoadLibrary(_FD45_FDD5(_FBB5_FDE4_FDCA_FDD7._061D))
Source: DSR0987678900000.exe, --.cs - Reference to suspicious API methods: GetProcAddress(intPtr, _FD45_FDD5(_FBB5_FDE4_FDCA_FDD7._FDD7_0609_FDEA_FDEB))
Source: DSR0987678900000.exe, --.cs - Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.ToArray().Length, 64u, out var _FBB6)
Source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, moEk.cs - Reference to suspicious API methods: EYAPsVT.OpenProcess(CgGfQLvbm.DuplicateHandle, bInheritHandle: true, (uint)_2y5.ProcessID)
Source: C:\Users\user\Desktop\DSR0987678900000.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DSR0987678900000.exe" -Force
Source: C:\Users\user\Desktop\DSR0987678900000.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DSR0987678900000.exe" -Force
Source: C:\Users\user\Desktop\DSR0987678900000.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\DSR0987678900000.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\DSR0987678900000.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\Desktop\DSR0987678900000.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 43E000
Source: C:\Users\user\Desktop\DSR0987678900000.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 440000
Source: C:\Users\user\Desktop\DSR0987678900000.exe - Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: F1E008
Source: C:\Users\user\Desktop\DSR0987678900000.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DSR0987678900000.exe" -Force
Source: C:\Users\user\Desktop\DSR0987678900000.exe - Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\DSR0987678900000.exe - Queries volume information: C:\Users\user\Desktop\DSR0987678900000.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\DSR0987678900000.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\DSR0987678900000.exe - Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: Amcache.hve.6.dr - Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr - Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr - Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr - Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match - File source: 0.2.DSR0987678900000.exe.1eb90889740.2.unpack, type: UNPACKEDPE
Source: Yara match - File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000003.00000002.4220462335.000000000318E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000003.00000002.4220462335.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.1995376701.000001EB90811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: DSR0987678900000.exe PID: 2756, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: AddInProcess32.exe PID: 6048, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe - Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match - File source: 0.2.DSR0987678900000.exe.1eb90889740.2.unpack, type: UNPACKEDPE
Source: Yara match - File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000003.00000002.4220462335.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.1995376701.000001EB90811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: DSR0987678900000.exe PID: 2756, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: AddInProcess32.exe PID: 6048, type: MEMORYSTR

Remote Access Functionality

Source: Yara match - File source: 0.2.DSR0987678900000.exe.1eb90889740.2.unpack, type: UNPACKEDPE
Source: Yara match - File source: 3.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.DSR0987678900000.exe.1eb90889740.2.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.DSR0987678900000.exe.1eb9084d8f8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 00000003.00000002.4220462335.000000000318E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000003.00000002.4220462335.0000000003161000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.1995376701.000001EB90811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: DSR0987678900000.exe PID: 2756, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: AddInProcess32.exe PID: 6048, type: MEMORYSTR

MITRE ATT&CK Matrix (one line per tactic; the number in brackets after a technique is the figure the report shows next to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation [231]; Native API [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection [211]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Masquerading [1]; Disable or Modify Tools [21]; Virtualization/Sandbox Evasion [271]; Process Injection [211]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [1]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [2]; Input Capture [1]; Credentials in Registry [1]; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Security Software Discovery [551]; Process Discovery [1]; Virtualization/Sandbox Evasion [271]; Application Window Discovery [1]; System Network Configuration Discovery [1]; File and Directory Discovery [1]; System Information Discovery [34]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Email Collection [1]; Input Capture [1]; Archive Collected Data [11]; Data from Local System [2]; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel [1]; Ingress Tool Transfer [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [2]; Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph

Behavior Graph ID: 1519446
Sample: DSR0987678900000.exe
Start date: 26/09/2024
Architecture: WINDOWS
Score: 100

Start node (2)
  DNS/IP: ip-api.com; ftp.antoniomayol.com; 241.42.69.40.in-addr.arpa
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 12 other signatures
  Started: 8 DSR0987678900000.exe 1 3

Process 8: DSR0987678900000.exe
  Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 3 other signatures
  Started: 11 AddInProcess32.exe 15 2; 15 powershell.exe 23; 17 WerFault.exe 19 16

Process 11: AddInProcess32.exe
  DNS/IP: ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States; ftp.antoniomayol.com 15.197.240.20, 21, 49731 TANDEMUS United States
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 4 other signatures

Process 15: powershell.exe
  Signatures: Loading BitLocker PowerShell Module
  Started: 19 WmiPrvSE.exe; 21 conhost.exe

Antivirus detection (Source | Detection | Scanner | Label)
DSR0987678900000.exe | 26% | ReversingLabs |
DSR0987678900000.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches

URL detection (Source | Detection | Scanner | Label)
http://upx.sf.net | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
http://ip-api.com | 0% | Avira URL Cloud | safe
http://ftp.antoniomayol.com | 100% | Avira URL Cloud | malware
Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
ip-api.com | 208.95.112.1 | true | true | | unknown
ftp.antoniomayol.com | 15.197.240.20 | true | true | | unknown
241.42.69.40.in-addr.arpa | unknown | unknown | false | | unknown
Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
http://upx.sf.net | Amcache.hve.6.dr | false | URL Reputation: safe | unknown
http://ftp.antoniomayol.com | AddInProcess32.exe, 00000003.00000002.4220462335.000000000318E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://account.dyn.com/ | DSR0987678900000.exe, 00000000.00000002.1995376701.000001EB90811000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | AddInProcess32.exe, 00000003.00000002.4220462335.0000000003131000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com | AddInProcess32.exe, 00000003.00000002.4220462335.0000000003131000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
15.197.240.20 | ftp.antoniomayol.com | United States | 7430 | TANDEMUS | true

                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1519446
                        Start date and time:2024-09-26 15:08:09 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 8m 4s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:12
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:DSR0987678900000.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.expl.evad.winEXE@8/10@5/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 86%
                        • Number of executed functions: 72
                        • Number of non-executed functions: 6
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded IPs from analysis (whitelisted): 20.42.73.29
                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtSetInformationFile calls found.
                        • VT rate limit hit for: DSR0987678900000.exe
Time | Type | Description
09:09:15 | API Interceptor | 10410389x Sleep call for process: AddInProcess32.exe modified
09:09:21 | API Interceptor | 44x Sleep call for process: powershell.exe modified
09:09:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Proof Of Payment.js | malicious | WSHRAT | ip-api.com/json/
208.95.112.1 | 450230549.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | SecuriteInfo.com.Win32.Malware-gen.27656.20815.exe | malicious | Blackshades, Quasar | ip-api.com/json/
208.95.112.1 | nDHL_AWB_6078538091_scr.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | CCE_000110.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | rMT103SwiftCopyoFPayment.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | QUOTE_467654.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | PO Invoice XJ210821Q.PDF.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | PO Invoice XJ210821Q.PDF.scr.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
15.197.240.20 | OjKmJJm2YT.exe | malicious | Simda Stealer | qexyhuv.com/login.php
15.197.240.20 | 5AFlyarMds.exe | malicious | Simda Stealer | qexyhuv.com/login.php
15.197.240.20 | uB31aJH4M0.exe | malicious | Simda Stealer | qexyhuv.com/login.php
15.197.240.20 | 0XLuA614VK.exe | malicious | FormBook | www.marinamaquiagens.online/n4sv/
15.197.240.20 | 8htbxM8GPX.exe | malicious | FormBook | www.donnavariedades.com/fo8o/
15.197.240.20 | Bonelessness.exe | malicious | Simda Stealer | qexyhuv.com/login.php
15.197.240.20 | roundwood.exe | malicious | Simda Stealer | qexyhuv.com/login.php
15.197.240.20 | rPHOTO09AUG2024.exe | malicious | FormBook | www.donnavariedades.com/fo8o/
15.197.240.20 | QLLafoDdqv.exe | malicious | FormBook | www.donnavariedades.com/fo8o/
15.197.240.20 | LF2024022.exe | malicious | FormBook, PureLog Stealer | www.johnasian.com/jn17/?AjFxkn=AUopA6EtHNKAXsGcnergFbbGiEMiDoIvdiVznSugjPZqqO5N3A9xjJjKmrW26oeiLAOH&Yxl0T=CPqtRfop
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Proof Of Payment.js | malicious | WSHRAT | 208.95.112.1
ip-api.com | 450230549.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | SecuriteInfo.com.Win32.Malware-gen.27656.20815.exe | malicious | Blackshades, Quasar | 208.95.112.1
ip-api.com | nDHL_AWB_6078538091_scr.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | CCE_000110.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | rMT103SwiftCopyoFPayment.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | QUOTE_467654.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | http://getcloudapp.com | malicious | Unknown | 208.95.112.2
ip-api.com | PO Invoice XJ210821Q.PDF.exe | malicious | AgentTesla | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TANDEMUS | https://telstra-104088.weeblysite.com/ | malicious | HTMLPhisher | 15.197.193.217
TANDEMUS | https://telstra-100710.weeblysite.com/ | malicious | HTMLPhisher | 15.197.193.217
TANDEMUS | https://sky-108991.weeblysite.com/ | malicious | Unknown | 15.197.193.217
TANDEMUS | https://telstra-100834.weeblysite.com/ | malicious | HTMLPhisher | 15.197.193.217
TANDEMUS | https://att-108495.weeblysite.com/ | malicious | Unknown | 15.197.193.217
TANDEMUS | https://netzero-webmail-106441.weeblysite.com/ | malicious | HTMLPhisher | 15.197.193.217
TANDEMUS | https://shaw-101354.weeblysite.com/ | malicious | HTMLPhisher | 15.197.193.217
TANDEMUS | https://connect-trezarhelp.gitbook.io/ | malicious | HTMLPhisher | 15.197.193.217
TANDEMUS | https://consolbisezsproslogin.gitbook.io/ | malicious | HTMLPhisher | 15.197.193.217
TANDEMUS | https://att-mail-109008.weeblysite.com/ | malicious | Unknown | 15.197.193.217
TUT-ASUS | Proof Of Payment.js | malicious | WSHRAT | 208.95.112.1
TUT-ASUS | 450230549.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | SecuriteInfo.com.Win32.Malware-gen.27656.20815.exe | malicious | Blackshades, Quasar | 208.95.112.1
TUT-ASUS | nDHL_AWB_6078538091_scr.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | 0umBa15TaN.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | 0umBa15TaN.exe | malicious | Unknown | 208.95.112.1
TUT-ASUS | CCE_000110.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | rMT103SwiftCopyoFPayment.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | QUOTE_467654.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exe | malicious | AgentTesla | 208.95.112.1
                        No context
                        No context
                        Process:C:\Windows\System32\WerFault.exe
                        File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):65536
                        Entropy (8bit):1.2382927939992026
                        Encrypted:false
                        SSDEEP:192:UWpBN0bU3Ii0+F/8yaWBUUzeZY/zuiFaZ24lO8i:JFiU3++F/8yamUNCzuiFaY4lO8i
                        MD5:87B704044FDCCA5E8D47F708999AFF03
                        SHA1:1DF71B9F137F34FBA67F16660D98E15A6DD614EE
                        SHA-256:EF8425CEB9F20D9ADB958CFFB8D01FAB5C25FB41FD2F96CEE8CE00DEFE42257A
                        SHA-512:B4D7E0F5D1F40B8F29623A353215A9A0327DBC065F831D78DED052F67A5296DA63F1B4B0C8A6716F00A4EA762DAFF9C5899EBDF957D3CD294EC5579D0E3B47F1
                        Malicious:false
                        Reputation:low
                        Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.8.2.9.7.5.4.9.5.4.2.8.4.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.1.8.2.9.7.5.8.4.8.5.5.3.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.5.5.a.7.e.9.4.-.4.7.c.f.-.4.1.2.1.-.8.a.a.6.-.2.6.f.4.d.c.2.2.3.5.3.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.b.d.a.5.a.4.3.-.a.2.0.5.-.4.5.e.0.-.b.1.2.a.-.f.5.4.8.9.f.f.f.3.6.e.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.D.S.R.0.9.8.7.6.7.8.9.0.0.0.0.0...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.T.r.a.n.s.p.o.n.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.a.c.4.-.0.0.0.1.-.0.0.1.4.-.b.6.4.b.-.2.3.4.6.1.5.1.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.9.8.7.8.5.3.e.9.0.f.6.0.5.6.a.0.6.1.c.8.9.8.f.b.9.d.3.d.a.1.c.a.0.0.0.0.0.0.0.0.!.0.0.0.0.2.7.5.3.2.4.c.7.b.0.b.6.1.d.d.c.6.0.0.d.f.5.c.6.9.0.e.a.3.5.f.7.8.0.1.1.4.e.d.8.!.D.S.R.
                        Process:C:\Windows\System32\WerFault.exe
                        File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):8646
                        Entropy (8bit):3.703133109551088
                        Encrypted:false
                        SSDEEP:192:R6l7wVeJUIhb6Y9F2WVVgmfZFWMpr989bJQzf8jm:R6lXJDhb6Yf2WVVgmfbWTJkfF
                        MD5:0EB5537BCE44B680BA349A07B06B601E
                        SHA1:72D258EE20024D74E96B4EC5D6E4FFBC951D7EBD
                        SHA-256:2949A64C88BB47793DADCF304D1685840822FD7E4343301F102BD8C6D537FA0D
                        SHA-512:B9344E5C58EFA8A5CF881A256FACBD20CF2CA3E5CDB514FDA2FA4980AD82727DCA646C564787BE2317ABB8D000B4398C289532D657C9DE97092C2B07270A0B2D
                        Malicious:false
                        Reputation:low
                        Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.7.5.6.<./.P.i.
                        Process:C:\Windows\System32\WerFault.exe
                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                        Category:dropped
                        Size (bytes):4848
                        Entropy (8bit):4.511934896955113
                        Encrypted:false
                        SSDEEP:48:cvIwWl8zszJg771I9k3WpW8VYj2cYm8M4JgmHE6FQFpyq8vSHE5zj1Bt9th/d:uIjfNI73G7VN5JuFFpWd5FPTh/d
                        MD5:F45044ABF668C333E533DA210F90C4A0
                        SHA1:00FEF6EED5BBE77377EB703B9EADA928D27CD668
                        SHA-256:13B659D677B612B57EA3FD97AC9F92716DBFCE5C594A8E648B864097995858E4
                        SHA-512:821A6077313BC1C4FA2BF9EF79D9E2BBE3DEBA392ADA698580536C3295773D8DB4E2FAEE4FBFC5CE6B89FF0445D983BF11286012E062728B504CEF5E728C01F2
                        Malicious:false
                        Reputation:low
                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="517211" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                        Process:C:\Windows\System32\WerFault.exe
                        File Type:Mini DuMP crash report, 16 streams, Thu Sep 26 13:09:17 2024, 0x1205a4 type
                        Category:dropped
                        Size (bytes):465732
                        Entropy (8bit):3.3356898858627932
                        Encrypted:false
                        SSDEEP:3072:VwUVSY1CCqjzB3+vBl0FeXrCVOj1nwWGROK4pcS7:V/FqjzB3QrfxnwSKS
                        MD5:2CCA5AEA3F5527A26368C89BEE6F2EDE
                        SHA1:07BF45FA8CA89213F840E8F72889C1D291A6DBEB
                        SHA-256:18BE235D5FD6B9EA032788741FF4920CA0E5978AB052EACD2003651E3C66BE59
                        SHA-512:9EC9657F943B63167A6EA36BCD374F3D20605EEBD9CB1278ED5FE3E39A40E8B59ED54C96174B7BA9DFD3AB78E086A8069835D123A64D4B72486D27402EAB546F
                        Malicious:false
                        Reputation:low
                        Preview:MDMP..a..... ........\.f............D...........<...d.......$....(....... ...(......DT..$...........l.......8...........T...........(=..............`I..........LK..............................................................................eJ.......K......Lw......................T............\.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:data
                        Category:dropped
                        Size (bytes):64
                        Entropy (8bit):1.1940658735648508
                        Encrypted:false
                        SSDEEP:3:Nlllul9oj/tz:NllUKj/
                        MD5:1558AA0899C27353A68431EE052EC3C4
                        SHA1:A2601A25140A3703C8553959F4BD0926B31AAFB5
                        SHA-256:3F7936DF95335336DFC5C6BAF55C2628A5AFF0116500ADEE9D40B7DB3941AC88
                        SHA-512:CD213BEB302E73101224C3D40E5593661817AB724AD9A6C5DA0B3E748AD85384676573DBC36AE84FD103958CF55BEB712D7BAA8338F071BC3B5C7A9D5ED08E8C
                        Malicious:false
                        Reputation:low
                        Preview:@...e...................................F............@..........
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Reputation:high, very likely benign file
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        File Type:ASCII text, with no line terminators
                        Category:dropped
                        Size (bytes):60
                        Entropy (8bit):4.038920595031593
                        Encrypted:false
                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                        Malicious:false
                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                        Process:C:\Windows\System32\WerFault.exe
                        File Type:MS Windows registry file, NT/2000 or above
                        Category:dropped
                        Size (bytes):1835008
                        Entropy (8bit):4.465715154207638
                        Encrypted:false
                        SSDEEP:6144:1IXfpi67eLPU9skLmb0b4kWSPKaJG8nAgejZMMhA2gX4WABl0uNCdwBCswSbg:2XD94kWlLZMM6YFHs+g
                        MD5:7A97E93C05655782DA0A9E2B88E2C3B7
                        SHA1:86ABCA105CB454A6D84DFC9FBCD5228DF49EBA6A
                        SHA-256:C90D483577FE508E632EF7E3A9677243F777C3B5221DBEDAE93B65F94AAD301F
                        SHA-512:BB7689561C58DB3CDB062F311372A3E1EEA6E6A2FCFE46B0A42AF183CEB73DA60FF323944337C66A5A87DED0B5A9646544BFD5525329A145C9F737E4354BD832
                        Malicious:false
                        Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...H...................................................................................................................................................................................................................................................................................................................................................|........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):4.483236337720919
                        TrID:
                        • Win64 Executable GUI Net Framework (217006/5) 49.88%
                        • Win64 Executable GUI (202006/5) 46.43%
                        • Win64 Executable (generic) (12005/4) 2.76%
                        • Generic Win/DOS Executable (2004/3) 0.46%
                        • DOS Executable Generic (2002/1) 0.46%
                        File name:DSR0987678900000.exe
                        File size:3'794'463 bytes
                        MD5:780e6f2c7b7d9742a94b9e2da18b58fd
                        SHA1:275324c7b0b61ddc600df5c690ea35f780114ed8
                        SHA256:8a5e154d88d238dc9a6970558ffd02bbd00dd786a0e7d51c3cea80badeb78e7e
                        SHA512:496f488ec5f619991b4ec8fd5bdde987315f1c2d18e5158e44d336569ab5c46cdf1d055d5e17c86afea669e1b6480b4bd73af5f5c403af67e415acecee7e8290
                        SSDEEP:24576:b1qb6oWgPEfagb8P1Wil/q4GEsYR+xtr8:Ib6/gP/1GEsnr8
                        TLSH:FA06D080B5475D93FC095630D9E2B8F051FE6DAB78F4542FDF893D262ABA2BE1021076
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...h..f.........."...0..8...Q........... ....@...... ................................:...`................................
                        Icon Hash:c5a684988c94a0c5
Entrypoint:0x400000 (equal to the image base, i.e. AddressOfEntryPoint is 0: a managed-only PE32+ assembly with no native start-up stub and, consistently, empty import and IAT directories)
Entrypoint Section: (none)
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                        DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x66F2A468 [Tue Sep 24 11:37:12 2024 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:
Instruction (bytes at the image base decoded as x86; because the file has no native entry point these are the DOS header bytes "MZ" 90 00 03 00 00 00 04 00 00 00, not code; execution starts in the CLR via the COM descriptor at RVA 0x2000)
                        dec ebp
                        pop edx
                        nop
                        add byte ptr [ebx], al
                        add byte ptr [eax], al
                        add byte ptr [eax+eax], al
                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x3502a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x3890 | 0x3a00 | b6d914b74f8a1164814f138ce4ef0226 | False | 0.6373248922413793 | data | 6.205273953636364 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x6000 | 0x3502a | 0x35200 | e92dcaf8b12995bcaeb2cd2be6ffa02f | False | 0.20978860294117646 | data | 4.435807245040489 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x6474 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.3225609756097561
RT_ICON | 0x6adc | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.43951612903225806
RT_ICON | 0x6dc4 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 | | | 0.4016393442622951
RT_ICON | 0x6fac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.4831081081081081
RT_ICON | 0x70d4 | 0x35e0 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9907192575406032
RT_ICON | 0xa6b4 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.4584221748400853
RT_ICON | 0xb55c | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.47382671480144406
RT_ICON | 0xbe04 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | | | 0.45564516129032256
RT_ICON | 0xc4cc | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.3504335260115607
RT_ICON | 0xca34 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | | | 0.07868508221933042
RT_ICON | 0x1d25c | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | | | 0.15114568005045195
RT_ICON | 0x26704 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | | | 0.1543233082706767
RT_ICON | 0x2ceec | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | | | 0.175184842883549
RT_ICON | 0x32374 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | | | 0.15948275862068967
RT_ICON | 0x3659c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.24107883817427386
RT_ICON | 0x38b44 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.2678236397748593
RT_ICON | 0x39bec | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | | | 0.37459016393442623
RT_ICON | 0x3a574 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.42819148936170215
RT_GROUP_ICON | 0x3a9dc | 0x102 | data | | | 0.6046511627906976
RT_VERSION | 0x3aae0 | 0x360 | data | | | 0.41087962962962965
RT_MANIFEST | 0x3ae40 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 15:09:13.499167919 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Sep 26, 2024 15:09:13.504267931 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Sep 26, 2024 15:09:13.504375935 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Sep 26, 2024 15:09:13.508593082 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Sep 26, 2024 15:09:13.513535023 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Sep 26, 2024 15:09:13.983155966 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Sep 26, 2024 15:09:14.030062914 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Sep 26, 2024 15:09:19.043636084 CEST | 49731 | 21 | 192.168.2.4 | 15.197.240.20
Sep 26, 2024 15:09:19.048504114 CEST | 21 | 49731 | 15.197.240.20 | 192.168.2.4
Sep 26, 2024 15:09:19.048583031 CEST | 49731 | 21 | 192.168.2.4 | 15.197.240.20
Sep 26, 2024 15:09:19.063138962 CEST | 49731 | 21 | 192.168.2.4 | 15.197.240.20
Sep 26, 2024 15:09:19.068216085 CEST | 21 | 49731 | 15.197.240.20 | 192.168.2.4
Sep 26, 2024 15:09:19.068284035 CEST | 49731 | 21 | 192.168.2.4 | 15.197.240.20
Sep 26, 2024 15:10:06.452294111 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Sep 26, 2024 15:10:06.457595110 CEST | 80 | 49730 | 208.95.112.1 | 192.168.2.4
Sep 26, 2024 15:10:06.457653999 CEST | 49730 | 80 | 192.168.2.4 | 208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 26, 2024 15:09:13.486848116 CEST | 50951 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 15:09:13.493735075 CEST | 53 | 50951 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 15:09:16.449098110 CEST | 63019 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 15:09:17.436608076 CEST | 63019 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 15:09:18.467809916 CEST | 63019 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 15:09:19.042453051 CEST | 53 | 63019 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 15:09:19.042469978 CEST | 53 | 63019 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 15:09:19.042481899 CEST | 53 | 63019 | 1.1.1.1 | 192.168.2.4
Sep 26, 2024 15:09:40.287296057 CEST | 53 | 50785 | 162.159.36.2 | 192.168.2.4
Sep 26, 2024 15:09:40.765239000 CEST | 64778 | 53 | 192.168.2.4 | 1.1.1.1
Sep 26, 2024 15:09:40.779402018 CEST | 53 | 64778 | 1.1.1.1 | 192.168.2.4
                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                        Sep 26, 2024 15:09:13.486848116 CEST | 192.168.2.4 | 1.1.1.1 | 0xe4c1 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                        Sep 26, 2024 15:09:16.449098110 CEST | 192.168.2.4 | 1.1.1.1 | 0x7b8d | Standard query (0) | ftp.antoniomayol.com | A (IP address) | IN (0x0001) | false
                        Sep 26, 2024 15:09:17.436608076 CEST | 192.168.2.4 | 1.1.1.1 | 0x7b8d | Standard query (0) | ftp.antoniomayol.com | A (IP address) | IN (0x0001) | false
                        Sep 26, 2024 15:09:18.467809916 CEST | 192.168.2.4 | 1.1.1.1 | 0x7b8d | Standard query (0) | ftp.antoniomayol.com | A (IP address) | IN (0x0001) | false
                        Sep 26, 2024 15:09:40.765239000 CEST | 192.168.2.4 | 1.1.1.1 | 0x5ee4 | Standard query (0) | 241.42.69.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Sep 26, 2024 15:09:13.493735075 CEST | 1.1.1.1 | 192.168.2.4 | 0xe4c1 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                        Sep 26, 2024 15:09:19.042453051 CEST | 1.1.1.1 | 192.168.2.4 | 0x7b8d | No error (0) | ftp.antoniomayol.com | | 15.197.240.20 | A (IP address) | IN (0x0001) | false
                        Sep 26, 2024 15:09:19.042469978 CEST | 1.1.1.1 | 192.168.2.4 | 0x7b8d | No error (0) | ftp.antoniomayol.com | | 15.197.240.20 | A (IP address) | IN (0x0001) | false
                        Sep 26, 2024 15:09:19.042481899 CEST | 1.1.1.1 | 192.168.2.4 | 0x7b8d | No error (0) | ftp.antoniomayol.com | | 15.197.240.20 | A (IP address) | IN (0x0001) | false
                        Sep 26, 2024 15:09:40.779402018 CEST | 1.1.1.1 | 192.168.2.4 | 0x5ee4 | Name error (3) | 241.42.69.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                        • ip-api.com
                        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                        0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 6048 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                        Timestamp | Bytes transferred | Direction | Data
                        Sep 26, 2024 15:09:13.508593082 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                        Host: ip-api.com
                        Connection: Keep-Alive
                        Sep 26, 2024 15:09:13.983155966 CEST | 175 | IN | HTTP/1.1 200 OK
                        Date: Thu, 26 Sep 2024 13:09:13 GMT
                        Content-Type: text/plain; charset=utf-8
                        Content-Length: 6
                        Access-Control-Allow-Origin: *
                        X-Ttl: 60
                        X-Rl: 44
                        Data Raw: 66 61 6c 73 65 0a
                        Data Ascii: false

                        Target ID:0
                        Start time:09:09:09
                        Start date:26/09/2024
                        Path:C:\Users\user\Desktop\DSR0987678900000.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\DSR0987678900000.exe"
                        Imagebase:0x1ebede10000
                        File size:3'794'463 bytes
                        MD5 hash:780E6F2C7B7D9742A94B9E2DA18B58FD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1994968952.000001EB8034D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1995376701.000001EB90811000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1995376701.000001EB90811000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:true

                        Target ID:1
                        Start time:09:09:12
                        Start date:26/09/2024
                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\DSR0987678900000.exe" -Force
                        Imagebase:0x7ff788560000
                        File size:452'608 bytes
                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:2
                        Start time:09:09:12
                        Start date:26/09/2024
                        Path:C:\Windows\System32\conhost.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Imagebase:0x7ff7699e0000
                        File size:862'208 bytes
                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:3
                        Start time:09:09:12
                        Start date:26/09/2024
                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
                        Wow64 process (32bit):true
                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
                        Imagebase:0xd80000
                        File size:43'008 bytes
                        MD5 hash:9827FF3CDF4B83F9C86354606736CA9C
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4220462335.000000000318E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4220462335.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4220462335.0000000003161000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.4217557146.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:moderate
                        Has exited:false

                        Target ID:6
                        Start time:09:09:13
                        Start date:26/09/2024
                        Path:C:\Windows\System32\WerFault.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\WerFault.exe -u -p 2756 -s 1224
                        Imagebase:0x7ff6aac90000
                        File size:570'736 bytes
                        MD5 hash:FD27D9F6D02763BDE32511B5DF7FF7A0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true

                        Target ID:10
                        Start time:09:09:28
                        Start date:26/09/2024
                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                        Wow64 process (32bit):false
                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                        Imagebase:0x7ff693ab0000
                        File size:496'640 bytes
                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                        Has elevated privileges:true
                        Has administrator privileges:false
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:true


                          Execution Graph

                          Execution Coverage:10.2%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:3
                          Total number of Limit Nodes:0
                          execution_graph 13894 7ffd9b9031b9 13895 7ffd9b9031c5 VirtualProtect 13894->13895 13897 7ffd9b903271 13895->13897

                          Control-flow Graph

                          control_flow_graph 0 7ffd9b90ea09-7ffd9b90ea7e 5 7ffd9b90eaef-7ffd9b90eb05 call 7ffd9b90af60 0->5 6 7ffd9b90ea80-7ffd9b90ea85 0->6 19 7ffd9b90eb1f-7ffd9b90eb2a 5->19 20 7ffd9b90eb07-7ffd9b90eb1a 5->20 8 7ffd9b90eb06-7ffd9b90eb1a 6->8 9 7ffd9b90ea87-7ffd9b90eaa1 call 7ffd9b9077c0 6->9 10 7ffd9b90ebb8-7ffd9b90ebba 8->10 13 7ffd9b90ec2b-7ffd9b90ec30 10->13 14 7ffd9b90ebbc-7ffd9b90ebc1 10->14 17 7ffd9b90ec42 13->17 14->17 18 7ffd9b90ebc3-7ffd9b90ebdf 14->18 21 7ffd9b90ec44-7ffd9b90ec45 17->21 22 7ffd9b90ec48-7ffd9b90ec96 call 7ffd9b90af60 * 2 call 7ffd9b907420 17->22 23 7ffd9b90eb41-7ffd9b90eb4c 19->23 24 7ffd9b90eb2c-7ffd9b90eb3f 19->24 20->10 21->22 39 7ffd9b90ee19-7ffd9b90ee73 22->39 40 7ffd9b90ec9c-7ffd9b90ecba 22->40 27 7ffd9b90eb4e-7ffd9b90eb60 23->27 28 7ffd9b90eb62-7ffd9b90eb81 23->28 24->10 27->10 28->10 32 7ffd9b90eb83-7ffd9b90ebb4 28->32 32->10 52 7ffd9b90efa6-7ffd9b90f003 39->52 53 7ffd9b90ee79-7ffd9b90eed4 call 7ffd9b90af60 * 2 call 7ffd9b907420 39->53 40->39 41 7ffd9b90ecc0-7ffd9b90ecdf 40->41 45 7ffd9b90ed60-7ffd9b90ed6a 41->45 46 7ffd9b90ece1-7ffd9b90ed00 41->46 50 7ffd9b90ed9e-7ffd9b90edef call 7ffd9b90b930 45->50 51 7ffd9b90ed6c-7ffd9b90ed6f 45->51 48 7ffd9b90ed71-7ffd9b90ed86 46->48 49 7ffd9b90ed02-7ffd9b90ed07 46->49 54 7ffd9b90ed88-7ffd9b90ed99 48->54 49->54 55 7ffd9b90ed09-7ffd9b90ed58 call 7ffd9b9077c0 49->55 50->39 64 7ffd9b90edf1-7ffd9b90ee18 50->64 51->50 69 7ffd9b90f0be-7ffd9b90f0c9 52->69 70 7ffd9b90f009-7ffd9b90f05e call 7ffd9b90af60 * 2 call 7ffd9b907420 52->70 53->52 79 7ffd9b90eeda-7ffd9b90ef30 53->79 54->50 60 7ffd9b90ed9b-7ffd9b90ed9c 54->60 55->48 67 7ffd9b90ed5a-7ffd9b90ed5f 55->67 60->50 67->45 77 7ffd9b90f0ce-7ffd9b90f0ea 69->77 78 7ffd9b90f0cb-7ffd9b90f0cd 69->78 70->69 92 7ffd9b90f060-7ffd9b90f084 70->92 84 7ffd9b90f134-7ffd9b90f176 call 7ffd9b90af60 * 2 call 7ffd9b907420 77->84 85 7ffd9b90f0ec-7ffd9b90f117 77->85 78->77 79->52 82 7ffd9b90ef32-7ffd9b90ef7d call 7ffd9b90b930 79->82 82->52 94 
7ffd9b90ef7f-7ffd9b90efa5 82->94 89 7ffd9b90f2ab-7ffd9b90f2da 84->89 110 7ffd9b90f17c-7ffd9b90f19a 84->110 88 7ffd9b90f11d-7ffd9b90f133 85->88 85->89 88->84 102 7ffd9b90f324-7ffd9b90f363 call 7ffd9b90af60 * 2 call 7ffd9b907420 89->102 103 7ffd9b90f2dc-7ffd9b90f307 89->103 96 7ffd9b90f0b2-7ffd9b90f0bd 92->96 97 7ffd9b90f086-7ffd9b90f096 92->97 97->69 100 7ffd9b90f098-7ffd9b90f0af 97->100 100->96 106 7ffd9b90f467-7ffd9b90f499 102->106 136 7ffd9b90f369-7ffd9b90f384 102->136 105 7ffd9b90f30d-7ffd9b90f323 103->105 103->106 105->102 126 7ffd9b90f4e3-7ffd9b90f4fb call 7ffd9b90af60 106->126 127 7ffd9b90f49b-7ffd9b90f4c6 106->127 110->89 113 7ffd9b90f1a0-7ffd9b90f1ba 110->113 114 7ffd9b90f213-7ffd9b90f217 113->114 115 7ffd9b90f1bc-7ffd9b90f1bf 113->115 121 7ffd9b90f298-7ffd9b90f2aa 114->121 122 7ffd9b90f219-7ffd9b90f23f call 7ffd9b9077c0 114->122 118 7ffd9b90f240-7ffd9b90f27f call 7ffd9b90b930 115->118 119 7ffd9b90f1c1-7ffd9b90f1da 115->119 139 7ffd9b90f281 118->139 124 7ffd9b90f1f3-7ffd9b90f204 119->124 125 7ffd9b90f1dc-7ffd9b90f1f1 119->125 122->118 130 7ffd9b90f208-7ffd9b90f210 124->130 125->130 131 7ffd9b90f595-7ffd9b90f5a7 126->131 127->131 132 7ffd9b90f4cc-7ffd9b90f4df 127->132 130->139 140 7ffd9b90f212 130->140 152 7ffd9b90f5e9-7ffd9b90f5f7 131->152 153 7ffd9b90f5a9-7ffd9b90f5ca 131->153 132->126 137 7ffd9b90f3dd-7ffd9b90f3e4 136->137 138 7ffd9b90f386-7ffd9b90f389 136->138 137->106 146 7ffd9b90f3ea-7ffd9b90f407 137->146 144 7ffd9b90f40a-7ffd9b90f419 138->144 145 7ffd9b90f38b-7ffd9b90f3a9 138->145 139->89 143 7ffd9b90f283-7ffd9b90f296 139->143 140->114 143->121 150 7ffd9b90f41a-7ffd9b90f42e call 7ffd9b90b930 144->150 145->150 151 7ffd9b90f3ab-7ffd9b90f3b0 145->151 146->144 156 7ffd9b90f431-7ffd9b90f43d 150->156 151->156 157 7ffd9b90f3b2-7ffd9b90f3d6 call 7ffd9b9077c0 151->157 154 7ffd9b90f5fd-7ffd9b90f611 152->154 155 7ffd9b90f753-7ffd9b90f769 152->155 160 7ffd9b90f614-7ffd9b90f64f call 7ffd9b90af60 * 2 call 7ffd9b90cbe0 153->160 164 7ffd9b90f5cc-7ffd9b90f5e6 153->164 
154->160 169 7ffd9b90f76a 155->169 170 7ffd9b90f76b-7ffd9b90f780 155->170 156->106 163 7ffd9b90f43f-7ffd9b90f466 156->163 157->137 181 7ffd9b90f651-7ffd9b90f667 160->181 182 7ffd9b90f669-7ffd9b90f674 160->182 164->152 169->170 174 7ffd9b90f781-7ffd9b90f7b9 170->174 176 7ffd9b90f7cf 174->176 177 7ffd9b90f7bb-7ffd9b90f7cd call 7ffd9b900238 174->177 179 7ffd9b90f7d4-7ffd9b90f7d6 176->179 177->179 184 7ffd9b90f7d8-7ffd9b90f7e9 179->184 185 7ffd9b90f7ea-7ffd9b90f861 179->185 181->182 191 7ffd9b90f686 182->191 192 7ffd9b90f676-7ffd9b90f684 182->192 184->185 213 7ffd9b90f867-7ffd9b90f8df 185->213 214 7ffd9b90f948-7ffd9b90f94f 185->214 194 7ffd9b90f688-7ffd9b90f68d 191->194 192->194 195 7ffd9b90f68f-7ffd9b90f6ae call 7ffd9b903428 194->195 196 7ffd9b90f6b0-7ffd9b90f6c6 194->196 202 7ffd9b90f6f3-7ffd9b90f6f9 195->202 203 7ffd9b90f6c8-7ffd9b90f6d7 196->203 204 7ffd9b90f6da-7ffd9b90f6ef call 7ffd9b90d5d0 196->204 202->169 208 7ffd9b90f6fb-7ffd9b90f700 202->208 203->204 204->202 208->174 210 7ffd9b90f702-7ffd9b90f730 call 7ffd9b9077c0 call 7ffd9b907420 208->210 210->155 222 7ffd9b90f732-7ffd9b90f752 210->222 232 7ffd9b90f93f-7ffd9b90f947 call 7ffd9b90f994 213->232 233 7ffd9b90f8e1-7ffd9b90f8e7 call 7ffd9b909520 213->233 217 7ffd9b90f951-7ffd9b90f95e 214->217 218 7ffd9b90f96c-7ffd9b90f97c 214->218 217->218 223 7ffd9b90f960-7ffd9b90f96a 217->223 224 7ffd9b90f982-7ffd9b90f993 218->224 223->218 232->214 237 7ffd9b90f8ec-7ffd9b90f93e 233->237 237->232
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2002739501.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b900000_DSR0987678900000.jbxd
                          Similarity
                          • API ID:
                          • String ID: FO_H$RO_H
                          • API String ID: 0-3859653396
                          • Opcode ID: ee3acecffc0b8d6c1c211348b4519640d0ee2c7b9297c48fa162d96980ea6969
                          • Instruction ID: 74794c78c1d0f76ab82c0581c2424e2c16e3725daa3d56187f70d2f2d5ef8314
                          • Opcode Fuzzy Hash: ee3acecffc0b8d6c1c211348b4519640d0ee2c7b9297c48fa162d96980ea6969
                          • Instruction Fuzzy Hash: 2CB29A34A2DB494FD329DB28C4A05B577E2FF96300B1545BEE4CAC32A6DE34E946C781
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2002995155.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b9d0000_DSR0987678900000.jbxd
                          Similarity
                          • API ID:
                          • String ID: A
                          • API String ID: 0-3554254475
                          • Opcode ID: f9d400638c5e04e4641be026757b1a4c83f01deed3527a004302b3513cae3c45
                          • Instruction ID: 2106072e73e98546f6702fd56acb0082df65f497c5ee7a7c22bc1b672ab6e9bf
                          • Opcode Fuzzy Hash: f9d400638c5e04e4641be026757b1a4c83f01deed3527a004302b3513cae3c45
                          • Instruction Fuzzy Hash: 6BD27B72A1F68D5FE765DB6888755A47BE0FF96700F0603FEE08DCB1A2DA246906C341

                          Control-flow Graph

                          control_flow_graph 894 7ffd9b9033d0-7ffd9b904ae1 call 7ffd9b9049a0 901 7ffd9b904b04-7ffd9b904b13 894->901 902 7ffd9b904b15-7ffd9b904b2f call 7ffd9b9049a0 call 7ffd9b9049f0 901->902 903 7ffd9b904ae3-7ffd9b904af9 call 7ffd9b9049a0 call 7ffd9b9049f0 901->903 912 7ffd9b904afb-7ffd9b904b02 903->912 913 7ffd9b904b30-7ffd9b904b80 903->913 912->901 918 7ffd9b904b8c-7ffd9b904bc3 913->918 919 7ffd9b904b82-7ffd9b904b87 call 7ffd9b9035c0 913->919 922 7ffd9b904bc9-7ffd9b904bd4 918->922 923 7ffd9b904dbf-7ffd9b904e29 918->923 919->918 924 7ffd9b904c48-7ffd9b904c4d 922->924 925 7ffd9b904bd6-7ffd9b904be4 922->925 953 7ffd9b904e2b-7ffd9b904e31 923->953 954 7ffd9b904e46-7ffd9b904e53 923->954 927 7ffd9b904cc0-7ffd9b904cca 924->927 928 7ffd9b904c4f-7ffd9b904c5b 924->928 925->923 926 7ffd9b904bea-7ffd9b904bf9 925->926 931 7ffd9b904bfb-7ffd9b904c2b 926->931 932 7ffd9b904c2d-7ffd9b904c38 926->932 933 7ffd9b904cec-7ffd9b904cf4 927->933 934 7ffd9b904ccc-7ffd9b904cd9 call 7ffd9b9035e0 927->934 928->923 935 7ffd9b904c61-7ffd9b904c74 928->935 931->932 940 7ffd9b904c79-7ffd9b904c7c 931->940 932->923 937 7ffd9b904c3e-7ffd9b904c46 932->937 938 7ffd9b904cf7-7ffd9b904d02 933->938 948 7ffd9b904cde-7ffd9b904cea 934->948 935->938 937->924 937->925 938->923 942 7ffd9b904d08-7ffd9b904d18 938->942 945 7ffd9b904c92-7ffd9b904c9a 940->945 946 7ffd9b904c7e-7ffd9b904c8e 940->946 942->923 947 7ffd9b904d1e-7ffd9b904d2b 942->947 945->923 950 7ffd9b904ca0-7ffd9b904cbf 945->950 946->945 947->923 949 7ffd9b904d31-7ffd9b904d4e 947->949 948->933 960 7ffd9b904d4f 949->960 957 7ffd9b904e33-7ffd9b904e44 953->957 958 7ffd9b904e71-7ffd9b904e88 953->958 961 7ffd9b904e54-7ffd9b904e70 954->961 957->953 957->954 958->961 970 7ffd9b904e8a-7ffd9b904ec5 958->970 962 7ffd9b904d59-7ffd9b904d62 960->962 963 7ffd9b904d51 960->963 964 7ffd9b904d64-7ffd9b904d6f 962->964 965 7ffd9b904dad-7ffd9b904dbe 962->965 963->923 967 7ffd9b904d53-7ffd9b904d57 963->967 964->965 973 7ffd9b904d71-7ffd9b904d88 964->973 
967->962 975 7ffd9b904ed9-7ffd9b904f11 970->975 976 7ffd9b904ec7-7ffd9b904ed7 970->976 973->960 980 7ffd9b904d8a-7ffd9b904da8 call 7ffd9b9035e0 973->980 982 7ffd9b904f68-7ffd9b904f6f 975->982 983 7ffd9b904f13-7ffd9b904f19 975->983 976->975 976->976 980->965 985 7ffd9b904fb2-7ffd9b904fdb 982->985 986 7ffd9b904f71-7ffd9b904f72 982->986 983->982 987 7ffd9b904f1b-7ffd9b904f1c 983->987 989 7ffd9b904f75-7ffd9b904f78 986->989 990 7ffd9b904f1f-7ffd9b904f22 987->990 991 7ffd9b904fdc-7ffd9b904ff1 989->991 992 7ffd9b904f7a-7ffd9b904f8b 989->992 990->991 994 7ffd9b904f28-7ffd9b904f35 990->994 1003 7ffd9b904ffb-7ffd9b905081 991->1003 1004 7ffd9b904ff3-7ffd9b904ffa 991->1004 995 7ffd9b904fa9-7ffd9b904fb0 992->995 996 7ffd9b904f8d-7ffd9b904f93 992->996 997 7ffd9b904f37-7ffd9b904f5e 994->997 998 7ffd9b904f61-7ffd9b904f66 994->998 995->985 995->989 996->991 999 7ffd9b904f95-7ffd9b904fa5 996->999 997->998 998->982 998->990 999->995 1004->1003
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2002739501.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b900000_DSR0987678900000.jbxd
                          Similarity
                          • API ID:
                          • String ID: d
                          • API String ID: 0-2564639436
                          • Opcode ID: c512a0036e3add365fb62723ea899ba96cb48ec43418530b1040f68d786e06b9
                          • Instruction ID: fae58c1933621f1c4a2a4b22775be7f438c8138f6b30ff0d87fc51cacfa35552
                          • Opcode Fuzzy Hash: c512a0036e3add365fb62723ea899ba96cb48ec43418530b1040f68d786e06b9
                          • Instruction Fuzzy Hash: 0C229A31B2EA4A5FE728DB6894A16B177E1FF51310B1542BDD49EC72A7DD28F8438380

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.2002739501.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b900000_DSR0987678900000.jbxd
                          Similarity
                          • API ID:
                          • String ID: fish
                          • API String ID: 0-1064584243
                          • Opcode ID: 6c48f9aba62f7cf4321c597ab856f9544acf70474b4c845a9a3a573ea385166f
                          • Instruction ID: 7d7a4067cd48f438110dcfa94df8fb1b8f8cbc5d67286fd272577fe04377a1e6
                          • Opcode Fuzzy Hash: 6c48f9aba62f7cf4321c597ab856f9544acf70474b4c845a9a3a573ea385166f
                          • Instruction Fuzzy Hash: 63C14935B2DA4E1FE76CAB7898656B573E1EF96310B05417ED4CBC32E3DD18A8428341
                          Memory Dump Source
                          • Source File: 00000000.00000002.2002739501.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b900000_DSR0987678900000.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e0d94ab281a8e4ebbf6550b4beabb4d18cc9fa61923cdfa2a877db68f94827ed
                          • Instruction ID: fc12f65009a687e2edd4f3e7515eb9e86f64ce28e6374b0d03201f7954db9c49
                          • Opcode Fuzzy Hash: e0d94ab281a8e4ebbf6550b4beabb4d18cc9fa61923cdfa2a877db68f94827ed
                          • Instruction Fuzzy Hash: 8782CB31F2E68A5FE7798B1484616B57BE1FF52310F0541BEC48E8B5E3DE28A946C780
                          Memory Dump Source
                          • Source File: 00000000.00000002.2002739501.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b900000_DSR0987678900000.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c4f0bee9bc9283927e7d92786c011e3c9c25dfee515d60dddae9cac89894b4fe
                          • Instruction ID: c65ff1b0c38caca6c175fdce21ff65d490d3bcf92861918370eab32d3c74d023
                          • Opcode Fuzzy Hash: c4f0bee9bc9283927e7d92786c011e3c9c25dfee515d60dddae9cac89894b4fe
                          • Instruction Fuzzy Hash: 2C32F734B1DA0D5FDB78EB6C8465A7977E1EF55300F1501BEE48EC32A2DE24AD428781
                          Memory Dump Source
                          • Source File: 00000000.00000002.2002739501.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b900000_DSR0987678900000.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7cef2421689b6084b7c2b6e94a9cb1d853bcc0f248087a3be6763bc5011712da
                          • Instruction ID: 474f2e021553e8837181090e3259c9ac142019ec7abfe00735941265866a5db7
                          • Opcode Fuzzy Hash: 7cef2421689b6084b7c2b6e94a9cb1d853bcc0f248087a3be6763bc5011712da
                          • Instruction Fuzzy Hash: CFC19E3562EB894FE32DCB2984611B5B7E2FF91301B15467ED4CBC32B5DE24A542C781
                          Memory Dump Source
                          • Source File: 00000000.00000002.2002739501.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b900000_DSR0987678900000.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 8d69898233c9754343bfe83af01f2d55def962c1cf51f99141cec852fe514327
                          • Instruction ID: 0488c319b87ee0faaa6704e4ed879d2b289cbf1dd9b4bd1a92d954dad5e9728c
                          • Opcode Fuzzy Hash: 8d69898233c9754343bfe83af01f2d55def962c1cf51f99141cec852fe514327
                          • Instruction Fuzzy Hash: F3516B31B1D74D1FD32D9A7888652A57BE1EB46310B16C2BFD48BC72E7CC24A8078781

                          Control-flow Graph

                          control_flow_graph 1505 7ffd9b9031b9-7ffd9b9031c3 1506 7ffd9b903205-7ffd9b90326f VirtualProtect 1505->1506 1507 7ffd9b9031c5-7ffd9b903202 1505->1507 1509 7ffd9b903277-7ffd9b90329f 1506->1509 1510 7ffd9b903271 1506->1510 1507->1506 1510->1509
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.2002739501.00007FFD9B900000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B900000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b900000_DSR0987678900000.jbxd
                          Similarity
                          • API ID: ProtectVirtual
                          • String ID:
                          • API String ID: 544645111-0
                          • Opcode ID: c0cc88cf0c72954811d7431a6a478792d9264c2b5beb63d52d242bbb11f44b3d
                          • Instruction ID: fec7f559dcc024bf4436ed144ea8ab010ad725dfe6925733bf326e1b36464c27
                          • Opcode Fuzzy Hash: c0cc88cf0c72954811d7431a6a478792d9264c2b5beb63d52d242bbb11f44b3d
                          • Instruction Fuzzy Hash: 8C31C731A0CA5C5FDB18DB9CD845AF97BE1EF55321F04426FD049D3192CB646846CB91
                          Memory Dump Source
                          • Source File: 00000000.00000002.2002995155.00007FFD9B9D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B9D0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b9d0000_DSR0987678900000.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ee691123b31fefeddfe621905fab375d5de3abffc5fe022660e045ee4597c112
                          • Instruction ID: d8ae97ae22b644c8912087b2ca9169c46e86a128dc9b8bf609b97c9fa91c36bc
                          • Opcode Fuzzy Hash: ee691123b31fefeddfe621905fab375d5de3abffc5fe022660e045ee4597c112
                          • Instruction Fuzzy Hash: 31613B32A1DB8E5FDB65DB6888655A87BF0EF55304B0602BFE44EC71A2DE29A905C340

                          Execution Graph

                          Execution Coverage:10.7%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:4.3%
                          Total number of Nodes:69
                          Total number of Limit Nodes:8
                          execution_graph 39312 1717070 39313 1717071 CheckRemoteDebuggerPresent 39312->39313 39315 17170f6 39313->39315 39316 692e110 39317 692e178 CreateWindowExW 39316->39317 39319 692e234 39317->39319 39330 6923c60 DuplicateHandle 39331 6923cf6 39330->39331 39332 1710848 39333 171084e 39332->39333 39334 171091b 39333->39334 39337 6922910 39333->39337 39341 6922900 39333->39341 39338 6922911 39337->39338 39345 69220a4 39338->39345 39342 6922910 39341->39342 39343 69220a4 GetModuleHandleW 39342->39343 39344 6922940 39343->39344 39344->39333 39346 69220af 39345->39346 39349 6923804 39346->39349 39348 69242c6 39348->39348 39350 692380f 39349->39350 39351 69249ec 39350->39351 39353 6926668 39350->39353 39351->39348 39354 6926689 39353->39354 39355 69266ad 39354->39355 39357 6926818 39354->39357 39355->39351 39358 6926825 39357->39358 39359 692685e 39358->39359 39361 69259c8 39358->39361 39359->39355 39362 69259d3 39361->39362 39364 69268d0 39362->39364 39365 69259fc 39362->39365 39366 6925a07 39365->39366 39372 6925a0c 39366->39372 39368 692693f 39376 692bc48 39368->39376 39381 692bc60 39368->39381 39369 6926979 39369->39364 39375 6925a17 39372->39375 39373 6927ae0 39373->39368 39374 6926668 GetModuleHandleW 39374->39373 39375->39373 39375->39374 39377 692bc60 39376->39377 39378 692bc9d 39377->39378 39387 692bed8 39377->39387 39390 692bec8 39377->39390 39378->39369 39383 692bc91 39381->39383 39384 692bcdd 39381->39384 39382 692bc9d 39382->39369 39383->39382 39385 692bed8 GetModuleHandleW 39383->39385 39386 692bec8 GetModuleHandleW 39383->39386 39384->39369 39385->39384 39386->39384 39394 692bf18 39387->39394 39388 692bee2 39388->39378 39391 692bed8 39390->39391 39393 692bf18 GetModuleHandleW 39391->39393 39392 692bee2 39392->39378 39393->39392 39397 692bf1d 39394->39397 39395 692bf5c 39395->39388 39396 692c160 GetModuleHandleW 39398 692c18d 39396->39398 39397->39395 39397->39396 39398->39388 39320 6923a18 39321 6923a5e GetCurrentProcess 39320->39321 
39323 6923ab0 GetCurrentThread 39321->39323 39324 6923aa9 39321->39324 39325 6923ae6 39323->39325 39326 6923aed GetCurrentProcess 39323->39326 39324->39323 39325->39326 39329 6923b23 39326->39329 39327 6923b4b GetCurrentThreadId 39328 6923b7c 39327->39328 39329->39327

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                          • API String ID: 0-1342094364
                          • Opcode ID: efb588e70b0f5764b0dea93c6dc84eca190d2ff152d3156729b436ac424b2761
                          • Instruction ID: 6a882b9ce9587bfbcc7d29b0d6864d287fc315a96fcc68e2c8faa412cf612ffe
                          • Opcode Fuzzy Hash: efb588e70b0f5764b0dea93c6dc84eca190d2ff152d3156729b436ac424b2761
                          • Instruction Fuzzy Hash: 83321E30E1075A8FCB14DF69C99459DB7B6FF99300F2086AAD409A7264EF34AD85CB90

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $kq$$kq
                          • API String ID: 0-3550614674
                          • Opcode ID: 0f28e16dd7a2be6bdc9b246e9bcd857eafd631649f6d7ac1d94ffa8c2c811c39
                          • Instruction ID: 0cebc5b50a54195c6b98722379dbac3f70324156bdb754f9cdf839f8129b0a04
                          • Opcode Fuzzy Hash: 0f28e16dd7a2be6bdc9b246e9bcd857eafd631649f6d7ac1d94ffa8c2c811c39
                          • Instruction Fuzzy Hash: C1028A30B002168FDB54DB69DA846AEB7EAFF84340F248529D4159B7A4DB35EC86CBD0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $
                          • API String ID: 0-3993045852
                          • Opcode ID: 212cfc022bda60cef08288cc3055c4e923145e7a4b3a8e71f33e1d410c85cd40
                          • Instruction ID: 347f9d25e4d4aee5ef46bb2460a9eebb788bdd82e207ef4d6711f4efb2a9fd02
                          • Opcode Fuzzy Hash: 212cfc022bda60cef08288cc3055c4e923145e7a4b3a8e71f33e1d410c85cd40
                          • Instruction Fuzzy Hash: 9E22AD71F003158FDF64DBA9C5806AEBBFAEF84320F268469D406EB694DA35DC45CB90
                          APIs
                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 017170E7
                          Memory Dump Source
                          • Source File: 00000003.00000002.4220080021.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1710000_AddInProcess32.jbxd
                          Similarity
                          • API ID: CheckDebuggerPresentRemote
                          • String ID:
                          • API String ID: 3662101638-0
                          • Opcode ID: bcf7fffa4e9787328e46e5c776d73e1bffbb27c2e956c5ef7319a52839eadc83
                          • Instruction ID: f46b63c90ebf9b4fd963db69407234e5f2c40f6f0ebf69f49ce2b749f22223d8
                          • Opcode Fuzzy Hash: bcf7fffa4e9787328e46e5c776d73e1bffbb27c2e956c5ef7319a52839eadc83
                          • Instruction Fuzzy Hash: 092137B1900259CFCB14CF9AD484BEEFBF4AF49320F14846AE459B7250D778A944CF65
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 73249f8312147fb32c48dac63fe62c2facefe1b997f147ec95367ddacc830ad6
                          • Instruction ID: 9e101c4f875d5c962ac353f16480ca7216971287cd8474628f737e833ace2a73
                          • Opcode Fuzzy Hash: 73249f8312147fb32c48dac63fe62c2facefe1b997f147ec95367ddacc830ad6
                          • Instruction Fuzzy Hash: 13924434E003048FDB64DF68C584A9DBBF6EB45314F6884AAD409EB765DB35EE85CB80
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c66214821bc5ebd2bf975bec1a49cb3d256011bc54a941263a3585a0abd03c1d
                          • Instruction ID: c09a4567ebb9bb572b753485d735bd32d29130312d725f278bc4929e81902a44
                          • Opcode Fuzzy Hash: c66214821bc5ebd2bf975bec1a49cb3d256011bc54a941263a3585a0abd03c1d
                          • Instruction Fuzzy Hash: 18628C34B002058FDF54DB68D994AADB7F6EF88314F288469E406DB794DB35ED86CB80
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c1278d3ab4ea6826ac4854245f788395d3716c4f02bbeaa0ca770021ec5055cd
                          • Instruction ID: 4952dbe267e307201be2561d2d284538c5a816d3ad64341aa40898bd93b88147
                          • Opcode Fuzzy Hash: c1278d3ab4ea6826ac4854245f788395d3716c4f02bbeaa0ca770021ec5055cd
                          • Instruction Fuzzy Hash: BF326D70B10209CFDB54DB69D990AADBBF6FB88310F208529E405EB755DB35EC86CB90
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 27b80b22a7a2e97a074b21bec27d276a8a7cecaa383a96a054aca976a6ca9e7b
                          • Instruction ID: 5f8ce37147106f75f9385688f9a609474b7c20e2046cdbd22c2161a13f70f47a
                          • Opcode Fuzzy Hash: 27b80b22a7a2e97a074b21bec27d276a8a7cecaa383a96a054aca976a6ca9e7b
                          • Instruction Fuzzy Hash: 13226070E002098FDF64CA69C5907AEB7FAFB45310F20852AE409EB799DA35DC85CBD1

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                          • API String ID: 0-1078448309
                          • Opcode ID: ee2984a91d2bfdae9c9aed370e1c7fdc5ed73d78786c992c1053b661a84aa8e0
                          • Instruction ID: 354aeb7dc4ff4226cd2e4b097f63cb005b6ea8ce684266cf27eadb16e509e599
                          • Opcode Fuzzy Hash: ee2984a91d2bfdae9c9aed370e1c7fdc5ed73d78786c992c1053b661a84aa8e0
                          • Instruction Fuzzy Hash: DBE16D30E1034A8FCB69DF69D5806AEB7F6FF84304F20852AD4199B758DB359C86CB91

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                          • API String ID: 0-1342094364
                          • Opcode ID: df0dd8cb8b8c9ed905d67c19d1c3e57fff9e9eda9ee7ad4c513be32fbe0947bc
                          • Instruction ID: 4a6f574d916a2dd275f365865a921f703f65aa4d438017ec99c48f3ccfd311b2
                          • Opcode Fuzzy Hash: df0dd8cb8b8c9ed905d67c19d1c3e57fff9e9eda9ee7ad4c513be32fbe0947bc
                          • Instruction Fuzzy Hash: E0024A70E0020A8FDB64CF68D5807AEB7F6FB85310F20892AD419DBA59DB75DC85CB81

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 06923A96
                          • GetCurrentThread.KERNEL32 ref: 06923AD3
                          • GetCurrentProcess.KERNEL32 ref: 06923B10
                          • GetCurrentThreadId.KERNEL32 ref: 06923B69
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224151347.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6920000_AddInProcess32.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 67287cad6b3cb8c667fa98ba74a853eb81b03b1ecc25e31e92cecbf5618b53bc
                          • Instruction ID: 4c3dd3a89c29a65372b45a1ac480865c2c507d5d69b7cec90a004b20e8c34d21
                          • Opcode Fuzzy Hash: 67287cad6b3cb8c667fa98ba74a853eb81b03b1ecc25e31e92cecbf5618b53bc
                          • Instruction Fuzzy Hash: 615166B09013098FDB54DFAAD948BEEBBF1FB48314F208069E41AA7660D7349984CF65

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 06923A96
                          • GetCurrentThread.KERNEL32 ref: 06923AD3
                          • GetCurrentProcess.KERNEL32 ref: 06923B10
                          • GetCurrentThreadId.KERNEL32 ref: 06923B69
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224151347.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6920000_AddInProcess32.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 9f5bdb55681c264b02f9aa22ef80cbde55f1821e8cf7c83b17f05a50d17b933f
                          • Instruction ID: f3b0d0a5faf4bc7583e84ed54c3919211dbec3d09ebe186925c5d663512e7261
                          • Opcode Fuzzy Hash: 9f5bdb55681c264b02f9aa22ef80cbde55f1821e8cf7c83b17f05a50d17b933f
                          • Instruction Fuzzy Hash: B85155B09013098FDB54DFAAD948BEEBBF1FB48314F208069E41AA7660D7349984CF65

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $kq$$kq$$kq$$kq
                          • API String ID: 0-2881790790
                          • Opcode ID: 92a45f9c7e78e622d0b667d43da524bc2a3a911776f45109b306031b9b526336
                          • Instruction ID: 2d97ae4ec6feb69591acca82092045f596dae258fd516b0a102679f1a99c1ba2
                          • Opcode Fuzzy Hash: 92a45f9c7e78e622d0b667d43da524bc2a3a911776f45109b306031b9b526336
                          • Instruction Fuzzy Hash: 3F914E30B1021A8FDB64DF65D9507AEB3FAFF84640F208569C809AB758EF74DC858B90

                          Control-flow Graph

                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $kq$$kq$$kq
                          • API String ID: 0-2086306503
                          • Opcode ID: 8bfdf2b6a8ae8041351f68c9829cda3ffed33e534fe74b9de275e125a1d151b9
                          • Instruction ID: 151075f112e09e66113f3b8395fe39d94a8a54a358141fa1be8150b756a27175
                          • Opcode Fuzzy Hash: 8bfdf2b6a8ae8041351f68c9829cda3ffed33e534fe74b9de275e125a1d151b9
                          • Instruction Fuzzy Hash: 88625E70A102068FCB55DF69D680A5EB7F6FF84314B208A69D0059F768DB75ED8ACBC0

                          Control-flow Graph (rendered graph omitted): function at 69a4840, basic blocks spanning 69a4840-69a4f8b, one call to 69a50e8
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: fpq$XPpq$\Opq
                          • API String ID: 0-2571271785
                          • Opcode ID: d1a5ad9b4ef03efb8b1feba43db577ca4686c5745b68aad991cf01c92bd92821
                          • Instruction ID: d62d1987c7f7e4caa741038fdd29bb5a4cddec0295d06a0293a7276f06927b3c
                          • Opcode Fuzzy Hash: d1a5ad9b4ef03efb8b1feba43db577ca4686c5745b68aad991cf01c92bd92821
                          • Instruction Fuzzy Hash: 29617270F003199FEF549FA5C8147AEBAF6FF88700F20842AD506AB794DBB58C458B91

                          Control-flow Graph (rendered graph omitted): function at 69a9211, basic blocks spanning 69a9211-69a9b4f, no calls
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $kq$$kq
                          • API String ID: 0-3550614674
                          • Opcode ID: 82957447d3f42a56e7adf21c70fe3f5b8fef910f754d7f43c250f4336b3e44ed
                          • Instruction ID: 6e9ca9e2767035d0f778c8cbc2965d09b604921cc99790c1e3dc17e600d9f583
                          • Opcode Fuzzy Hash: 82957447d3f42a56e7adf21c70fe3f5b8fef910f754d7f43c250f4336b3e44ed
                          • Instruction Fuzzy Hash: CD514F30B102168FDB54DF69D950B6E77FAFF84690F108469C809DB798EE35DC468B90

                          Control-flow Graph (rendered graph omitted): function at 69a4831, basic blocks spanning 69a4831-69a4f8b, one call to 69a50e8
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: fpq$XPpq
                          • API String ID: 0-1280283
                          • Opcode ID: dd9e759874dfe9a72eb12001dbceda4ea41e8777aea28963adb5b554a72a64c9
                          • Instruction ID: f75d5194c652ed27887e7148abc51fb04e1011c0e21a0f1f6ba13341c459edc3
                          • Opcode Fuzzy Hash: dd9e759874dfe9a72eb12001dbceda4ea41e8777aea28963adb5b554a72a64c9
                          • Instruction Fuzzy Hash: 94518270F003199FDB549FA5C814BAEBAFAFF88700F208529D105AB7A5DAB58C45CB91
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0692C17E
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224151347.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6920000_AddInProcess32.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: f0a3d603319fa6f9db2bec762684439dc557a58879271e88a4d6da9ed5b20dd3
                          • Instruction ID: 377285b036c61ceb2b0009207e1058589c3f5b6a74891a59771a8e4428b08803
                          • Opcode Fuzzy Hash: f0a3d603319fa6f9db2bec762684439dc557a58879271e88a4d6da9ed5b20dd3
                          • Instruction Fuzzy Hash: 038178B0A00B168FDBA4DF29D44079ABBF5FF88304F108A2ED44AD7A54D775E845CB90
                          Memory Dump Source
                          • Source File: 00000003.00000002.4220080021.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1710000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a40c276da2631ccede38265592389876c9a22af3526132836f8d4b96a10201b8
                          • Instruction ID: 6ea0d4f173063e21b5adc1015f517712f75741de0e075eed6d04541bd9c0dd0a
                          • Opcode Fuzzy Hash: a40c276da2631ccede38265592389876c9a22af3526132836f8d4b96a10201b8
                          • Instruction Fuzzy Hash: B6412272E0439A8FC714CF79D8146EEBFF5AF89210F1485AAD414E7291DB349845CBE1
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0692E222
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224151347.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6920000_AddInProcess32.jbxd
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 68a482361065859ccfe8215c0c065b7f83c7edd58eace6ddf23c2bf3b66aa02e
                          • Instruction ID: a825005ae5efdf03128497da1693aa554249120fb25a231c2cb839b72cfc36d6
                          • Opcode Fuzzy Hash: 68a482361065859ccfe8215c0c065b7f83c7edd58eace6ddf23c2bf3b66aa02e
                          • Instruction Fuzzy Hash: 1851B0B1D0035A9FDB14CF99C984ADEBBF5BF48310F24862AE819AB214D7719985CF90
                          APIs
                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0692E222
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224151347.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6920000_AddInProcess32.jbxd
                          Similarity
                          • API ID: CreateWindow
                          • String ID:
                          • API String ID: 716092398-0
                          • Opcode ID: 6376342568ea1fede01908819cc2ca19063d20e2cf02e92c3ac3774e3ef00401
                          • Instruction ID: 98ff7446635c18d38144487999631aa6126920cecbff7f4fc6986d7bfeb11feb
                          • Opcode Fuzzy Hash: 6376342568ea1fede01908819cc2ca19063d20e2cf02e92c3ac3774e3ef00401
                          • Instruction Fuzzy Hash: CF41B0B1D00319DFDB14CF99C984ADEBBF5BF48310F24862AE819AB214D7719985CF90
                          APIs
                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 017170E7
                          Memory Dump Source
                          • Source File: 00000003.00000002.4220080021.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1710000_AddInProcess32.jbxd
                          Similarity
                          • API ID: CheckDebuggerPresentRemote
                          • String ID:
                          • API String ID: 3662101638-0
                          • Opcode ID: dc64dfc801c60a163c399ba53e3e4f1655367b34008b42c8850f6b097c7a6302
                          • Instruction ID: 7f92800c0ac3598e4ef3ed4994882d7c033099d3fd60e00081b2f9a90592fe46
                          • Opcode Fuzzy Hash: dc64dfc801c60a163c399ba53e3e4f1655367b34008b42c8850f6b097c7a6302
                          • Instruction Fuzzy Hash: 272148B5900259CFCB14CF9AD484BEEFBF4AF48320F14846AE459B7250D738A944CFA1
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06923CE7
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224151347.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6920000_AddInProcess32.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: b10a6d290fb7cba7ca28c3877275b0fdee95c1ca1a5b6b9abec25a6ef92599dc
                          • Instruction ID: 69c5705d7c3f67c0bb28ee7f7abe58116322773bb605e1997a84038759f09e2a
                          • Opcode Fuzzy Hash: b10a6d290fb7cba7ca28c3877275b0fdee95c1ca1a5b6b9abec25a6ef92599dc
                          • Instruction Fuzzy Hash: B22107B5D002199FDB10CF9AD985ADEBFF8EB48310F14801AE915A7350D375A940CFA1
                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06923CE7
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224151347.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6920000_AddInProcess32.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 0bd742977506142ef6c5e6590aa3c268efe3c83f2d367d8da4661c917b5f6c48
                          • Instruction ID: 9a39b17501c0ce61acd72be01c438c27e66944c44b359d7972460d98b3bbdaf7
                          • Opcode Fuzzy Hash: 0bd742977506142ef6c5e6590aa3c268efe3c83f2d367d8da4661c917b5f6c48
                          • Instruction Fuzzy Hash: 4B21E4B5D002199FDB10CF9AD984ADEBBF8FB48310F14801AE958A3310D379A940CFA4
                          APIs
                          • GlobalMemoryStatusEx.KERNELBASE ref: 0171F2AF
                          Memory Dump Source
                          • Source File: 00000003.00000002.4220080021.0000000001710000.00000040.00000800.00020000.00000000.sdmp, Offset: 01710000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_1710000_AddInProcess32.jbxd
                          Similarity
                          • API ID: GlobalMemoryStatus
                          • String ID:
                          • API String ID: 1890195054-0
                          • Opcode ID: 3b0b5c1491f2c95dffd53bc5c9cf19ecb8d14b610f688820d005bb1a8c257c00
                          • Instruction ID: f539b2074b1404947cef1241e40d7aa024bd4dd23fc6719804483b32e797ce90
                          • Opcode Fuzzy Hash: 3b0b5c1491f2c95dffd53bc5c9cf19ecb8d14b610f688820d005bb1a8c257c00
                          • Instruction Fuzzy Hash: 9311F3B1C0465A9BCB10DF9AC544BDEFBF4AF48320F14816AD818B7254D378A944CFA5
                          APIs
                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0692C17E
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224151347.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_6920000_AddInProcess32.jbxd
                          Similarity
                          • API ID: HandleModule
                          • String ID:
                          • API String ID: 4139908857-0
                          • Opcode ID: aeadeb1eec4c58395c0e1ca6e7a5a0d4404579458eaa39c75457aa8308299095
                          • Instruction ID: 75755dbe02a5432601885d6dbf0d73870a715a6cd99838b42aafda094774d6a7
                          • Opcode Fuzzy Hash: aeadeb1eec4c58395c0e1ca6e7a5a0d4404579458eaa39c75457aa8308299095
                          • Instruction Fuzzy Hash: AC1102B5C00359CFCB10CF9AC844ADEFBF4AB48314F10852AD459A7610C375A585CFA5
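                          The "APIs" entries above (GetModuleHandleW, CreateWindowExW, CheckRemoteDebuggerPresent, DuplicateHandle, GlobalMemoryStatusEx) are the most useful triage signal in this part of the listing: each line names the Win32 export, the module it resolved to, the argument values the sandbox could recover ("?" means unresolved) and the address of the call site, which can be matched against the "Offset:" of the memory dump it was carved from. The Python helper below is an added example, not part of the Joe Sandbox report or of the analysed sample. It parses those lines, assigns every call site to a dump region and flags the calls that serve anti-analysis. The sample input is constructed from the lines on this page; the ANTI_ANALYSIS mapping, the region names, and the rule that a call site belongs to the highest dump base at or below it are the author's assumptions, not something the report states.

```python
"""
Added triage helper for the "APIs" entries in a Joe Sandbox disassembly listing.
Not part of the report or of the analysed sample.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed input: the five distinct "APIs" lines as they appear in this report section.
SAMPLE_API_LINES = """\
• GetModuleHandleW.KERNELBASE(00000000), ref: 0692C17E
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0692E222
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 017170E7
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06923CE7
• GlobalMemoryStatusEx.KERNELBASE ref: 0171F2AF
"""

# Base addresses taken from the "Memory Dump Source ... Offset:" fields on this page, keyed
# to the snapshot names. Assumption (not stated by the report): a call site belongs to the
# highest dump base at or below its address.
DUMP_REGIONS: Dict[int, str] = {
    0x01710000: "hcaresult_3_2_1710000_AddInProcess32",
    0x06920000: "hcaresult_3_2_6920000_AddInProcess32",
    0x069A0000: "hcaresult_3_2_69a0000_AddInProcess32",
}

# Analyst's mapping of API names to the evasion they usually implement. This is the
# author's own list, not a field of the report.
ANTI_ANALYSIS: Dict[str, str] = {
    "CheckRemoteDebuggerPresent": "anti-debug: wrapper around NtQueryInformationProcess(ProcessDebugPort)",
    "IsDebuggerPresent": "anti-debug: reads PEB.BeingDebugged",
    "GlobalMemoryStatusEx": "anti-sandbox: total physical RAM compared against a threshold",
    "GetTickCount": "timing check: detects single-stepping or accelerated sleeps",
}

# "Name.Module(args), ref: ADDR"; the argument list is optional (see GlobalMemoryStatusEx).
API_RE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)"       # CheckRemoteDebuggerPresent.KERNELBASE
    r"(?:\((?P<args>[^)]*)\))?"            # (?,?) or (00000000), possibly absent
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"   # ref: 017170E7
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]   # raw sandbox tokens: "?" means the value was not resolved
    ref: int          # address of the call site


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every recognisable API entry; lines without one are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_RE.search(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls


def known_args(call: ApiCall) -> Dict[int, int]:
    """Argument positions the sandbox resolved to a concrete value (everything not '?')."""
    return {i: int(a, 16) for i, a in enumerate(call.args) if a != "?"}


def region_of(addr: int) -> Optional[str]:
    """Snapshot whose base is the highest one at or below addr (assumption, see above)."""
    candidates = [base for base in DUMP_REGIONS if base <= addr]
    return DUMP_REGIONS[max(candidates)] if candidates else None


def calls_by_region(calls: List[ApiCall]) -> Dict[Optional[str], List[str]]:
    """Group observed API names by the dump region their call site falls into."""
    grouped: Dict[Optional[str], List[str]] = {}
    for c in calls:
        grouped.setdefault(region_of(c.ref), []).append(c.api)
    return grouped


def flag_anti_analysis(calls: List[ApiCall]) -> Dict[str, str]:
    """Subset of the observed calls that match the evasion list, with the reason."""
    return {c.api: ANTI_ANALYSIS[c.api] for c in calls if c.api in ANTI_ANALYSIS}


if __name__ == "__main__":
    observed = parse_api_lines(SAMPLE_API_LINES)
    for region, names in sorted(calls_by_region(observed).items(), key=lambda kv: str(kv[0])):
        print(f"{region}: {', '.join(names)}")
    for api, why in flag_anti_analysis(observed).items():
        print(f"FLAG {api}: {why}")
```

                          Run against the lines above, the two evasion calls (CheckRemoteDebuggerPresent, GlobalMemoryStatusEx) land in the 01710000 dump and the window/handle calls in the 06920000 dump, which is the kind of split worth checking before deciding which carved region to unpack first. The one resolved argument on this page, 0000000C in the seventh position of CreateWindowExW, is exposed by known_args without any interpretation attached, since the report does not say which parameter the sandbox captured.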
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: PHkq
                          • API String ID: 0-902561536
                          • Opcode ID: e2be0dcef5f6c83cb88b9c277e49c2f86fd70747072073ea94784eca1e10c6c7
                          • Instruction ID: d9b2981d95c29872e1e98020aa7942db4e84fa7469bcf6681e1672baf9989f9c
                          • Opcode Fuzzy Hash: e2be0dcef5f6c83cb88b9c277e49c2f86fd70747072073ea94784eca1e10c6c7
                          • Instruction Fuzzy Hash: EC418170E103499FDF64DF65D54469EBBB6FF85300F20492AE401EBA54DB71984ACB81
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: PHkq
                          • API String ID: 0-902561536
                          • Opcode ID: 66e7d95df9431ebcad5fb6ed89cfc11c1dcc063471e66f8c3efe8ae371fb7798
                          • Instruction ID: 5fa1367739d4ec537b15f8aa47f2515e2e04c0e2eb611723dd2d7ba00f91a5fb
                          • Opcode Fuzzy Hash: 66e7d95df9431ebcad5fb6ed89cfc11c1dcc063471e66f8c3efe8ae371fb7798
                          • Instruction Fuzzy Hash: 3D411130B003418FDB599B34D55466F7BE6EB8A600B28446CD806EB795EF39CD46C7D0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: PHkq
                          • API String ID: 0-902561536
                          • Opcode ID: 93d875aa0151ffc8b5cd9422f13069ce4f77e07d8da28e3990db248766b4d476
                          • Instruction ID: 6db68a2d5efdd522a6a362ed80896ce7ed387a5f8b69f31ff02deec606446007
                          • Opcode Fuzzy Hash: 93d875aa0151ffc8b5cd9422f13069ce4f77e07d8da28e3990db248766b4d476
                          • Instruction Fuzzy Hash: 10319070B002058FDB589B74D55466F77EBEB8A600B24442CD406DB399EE35DD4687D1
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: |
                          • API String ID: 0-2343686810
                          • Opcode ID: 945f47c4a42bb74be17d1e179ed4fb1208010e98ba5e59c33d169cac0e070654
                          • Instruction ID: a92d87cc641060359c12572047155e1526984a2ed3f62ce3c2896012a116f8e9
                          • Opcode Fuzzy Hash: 945f47c4a42bb74be17d1e179ed4fb1208010e98ba5e59c33d169cac0e070654
                          • Instruction Fuzzy Hash: 9E21AC30B042259FDB40DB788808BAE7BF5AF48600F10846DE50ADB3A4EB399D01CB90
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: |
                          • API String ID: 0-2343686810
                          • Opcode ID: 3c367b1986d1091357c599693aac16d481857fb80c000ca293472bf7dae0e26e
                          • Instruction ID: bbbc15170182e20d102e174260020cddb862efc5ea302235132b0060bd44c084
                          • Opcode Fuzzy Hash: 3c367b1986d1091357c599693aac16d481857fb80c000ca293472bf7dae0e26e
                          • Instruction Fuzzy Hash: 7D118B70F002109FDB40DB789804B6EBBF6AF4C700F10846AE90AEB3A4EA359D00CB80
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: \Opq
                          • API String ID: 0-3546586535
                          • Opcode ID: 7e908fd65f06479672eaac145710e415326ad6388878ec4eec35db68d8924b1b
                          • Instruction ID: 16adb30c12d53e1bf5255b2130ea3454eba8fc266028a2b2d6a33d9cd999227f
                          • Opcode Fuzzy Hash: 7e908fd65f06479672eaac145710e415326ad6388878ec4eec35db68d8924b1b
                          • Instruction Fuzzy Hash: 79F0DA70A20269EFDB54DF94E859BAEBBF6BF84A05F200119E402A7694CBB41D45CBC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f4a5ae69c7b80bfa4b36ab3eb700853567f62291abf44c634c94aed7075b6d18
                          • Instruction ID: 6831e2cf91c24e614efb38bb0709b6291073bce4e8100bde4fead453486213b2
                          • Opcode Fuzzy Hash: f4a5ae69c7b80bfa4b36ab3eb700853567f62291abf44c634c94aed7075b6d18
                          • Instruction Fuzzy Hash: 4161D4B1F002214FCF519A7EC88066EBAEBAFD4610B654439E80ADB379DE75DC4287C1
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: db0aaaef8c4329ceebe1753e9c46aa2d947ca5911b1b65cc63099143a6dad714
                          • Instruction ID: 557cf05f3f7eeafb2d9a1de8b7ce28a1cdd4121f802842be1098471daf31acfd
                          • Opcode Fuzzy Hash: db0aaaef8c4329ceebe1753e9c46aa2d947ca5911b1b65cc63099143a6dad714
                          • Instruction Fuzzy Hash: 8E913C30E1021A8FDF60DF68C840B9DB7B5FF89300F2085A9D449AB295DB70AA85CF91
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2047beaf2b5286b3afeadd396111628542a185cb8d5af6f25215269b8e97b6fc
                          • Instruction ID: be3b7679959cc039ea179476748bf41fd981e773159262e6b74c1d9a57b0383f
                          • Opcode Fuzzy Hash: 2047beaf2b5286b3afeadd396111628542a185cb8d5af6f25215269b8e97b6fc
                          • Instruction Fuzzy Hash: 79815F30B0020A8FDF54DFA9D55466EB7F6EF89700F208429D40ADB398EB75DC868B81
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3f5d261d2d6680485c1660b6e2ab0507807a0da3c2c2eb21f50502bb6254d5b4
                          • Instruction ID: fa85e867c4185477c16e0e8167daf5d52f1b16243ed00fe46c09472cceebaeb4
                          • Opcode Fuzzy Hash: 3f5d261d2d6680485c1660b6e2ab0507807a0da3c2c2eb21f50502bb6254d5b4
                          • Instruction Fuzzy Hash: 36912C30E1061A8FDF60DF68C980B9DB7B1FF89300F208599D549AB355EB70AA85CF90
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 65abb83aecc0c45ea5edc544487553e0d5b69a82433ce0f063678ac468a53f76
                          • Instruction ID: 93da12d802ef3eb13ed72a4db0d33cebe84fe77e3ca1586d5d9b202e0da9dcfe
                          • Opcode Fuzzy Hash: 65abb83aecc0c45ea5edc544487553e0d5b69a82433ce0f063678ac468a53f76
                          • Instruction Fuzzy Hash: 0D711C70A002499FDB54DFA9D980AADBBF6FF88304F248529D419EB755DB30EC46CB90
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d401a3316125d0521c13ba3b76ebc1aa0afc507ec1c9307a830e35ed05fbb1a6
                          • Instruction ID: 0bb9725dc315105b52711fb88a79519ab95d0d0c35326cfb15bae15b998ecc5c
                          • Opcode Fuzzy Hash: d401a3316125d0521c13ba3b76ebc1aa0afc507ec1c9307a830e35ed05fbb1a6
                          • Instruction Fuzzy Hash: 21711D70A002499FDB54DFA9D980AADBBF6FF88304F248529D419EB755DB30EC45CB90
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c66ab601cbd26ecd51d54d826ac6df2c12d567dee5bfd0b9bb0992f817a39dcc
                          • Instruction ID: 36d209654f4874075e737ace94e3a3ac6cf1f59f2f851997a855cfa00a05d272
                          • Opcode Fuzzy Hash: c66ab601cbd26ecd51d54d826ac6df2c12d567dee5bfd0b9bb0992f817a39dcc
                          • Instruction Fuzzy Hash: 5F51C071E01205DFCF24AB78E4446ADBBF6EF84311F20886AE106DB665DB359C55CBC1
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a09288519009db129de8b342388f27a0f762eb98d76ad5c5425bd8caadeaff82
                          • Instruction ID: c6bf3c455f9403952feb52401e068bbc5b5c91cd50911e01115cf88fe11ff314
                          • Opcode Fuzzy Hash: a09288519009db129de8b342388f27a0f762eb98d76ad5c5425bd8caadeaff82
                          • Instruction Fuzzy Hash: 7E51F8B0B203149FEF65566DD95472F369ED789340F30482AE40AD77A5C979CC8583E2
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d2d29e0c8ee8d800578250de107efacd15fe8a7051b63fd6098b817f0f4a848b
                          • Instruction ID: 01dfb2892131b35986a10885e4f7eb28a080bd17da2c935e3dadadb6e2ffb8dd
                          • Opcode Fuzzy Hash: d2d29e0c8ee8d800578250de107efacd15fe8a7051b63fd6098b817f0f4a848b
                          • Instruction Fuzzy Hash: 9251C430B002049FDB64DB69D984B6EBBEAFB85704F24843AE409DB790CA75DC45CBC1
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 864f89506532de91c92002dc06c3c0f96d3b07135e0fd84d9ba5c42f45482e7a
                          • Instruction ID: 5491de803a9fd96e901ce518dc5e1a90d9ebaeb6ce16864ff72046f91fcf979f
                          • Opcode Fuzzy Hash: 864f89506532de91c92002dc06c3c0f96d3b07135e0fd84d9ba5c42f45482e7a
                          • Instruction Fuzzy Hash: A551D5B0B203148FEFA4566DD95472F369EE789311F30482AE40AD7BA8D97DCC8583D2
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 22f09da53ef34cfab26fe95e19d113446f1ca1e973fe4338b75ba15e1917c46c
                          • Instruction ID: b22682ffe004215b30c551090308f64c5dc9cf1f4c8568e50899b0ae274645e0
                          • Opcode Fuzzy Hash: 22f09da53ef34cfab26fe95e19d113446f1ca1e973fe4338b75ba15e1917c46c
                          • Instruction Fuzzy Hash: 9A414871F007099FDB60CEA9D880ABFFBF6EB94310F21492AE156D6A54D330E8458BD1
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d558661c0affdce16ebc28155f7dacb799a99abd75163c11dadb8f7092fc7482
                          • Instruction ID: 07a09b7e4c91a419d87c2117b32f28dac6e4c50a123c1c80f861d102e8831f00
                          • Opcode Fuzzy Hash: d558661c0affdce16ebc28155f7dacb799a99abd75163c11dadb8f7092fc7482
                          • Instruction Fuzzy Hash: 29419D70F102059FDB54DB69D594B6EBBF6EB89704F24842AE00AEB3A0CA75DC45CB81
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: db6c9fdefacce446f3bf6b17594dd3d4637d7fe90b935d83202fdd594d63baf8
                          • Instruction ID: ef794807688e8cc08017d7771b5abfd2c0c0a21865b90f73363b6a6b95df7d00
                          • Opcode Fuzzy Hash: db6c9fdefacce446f3bf6b17594dd3d4637d7fe90b935d83202fdd594d63baf8
                          • Instruction Fuzzy Hash: 70316F30E103059FCB58CF64C4946AEB7F6BF89300F248929E916EBB50DB71AD42CB90
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7308c3c9c659dfe20821567c041ed283f2f0d956a811626dae8b49587b008979
                          • Instruction ID: b21f092b1bd94dbb258400134cd7c27d6a654538182f9cc1bfe579639ceebd8b
                          • Opcode Fuzzy Hash: 7308c3c9c659dfe20821567c041ed283f2f0d956a811626dae8b49587b008979
                          • Instruction Fuzzy Hash: 9A313C30E143099BCB18CFA5D4546AEB7F6BF89300F248929E816EB754DB71ED42CB90
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a485b7ad82125fdd73475b2285547c76a8ff9556596ee5c8117add87bfce01c8
                          • Instruction ID: 0c71806879350f3a911ba1e87a45c928d1e9ca3e74adfbe7e76826b34bd67961
                          • Opcode Fuzzy Hash: a485b7ad82125fdd73475b2285547c76a8ff9556596ee5c8117add87bfce01c8
                          • Instruction Fuzzy Hash: 5221D931F002169FDB00CF6AD981AAEBBF1EB48650F108029E901EB390EB35DC858BD0
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 022de515d95d60b2180407891c6893f5e38ee9616cdb6991a78a59c3cd8879b7
                          • Instruction ID: 2c3ea3ea32fdb478b39dee78f0496210e567ee7f9432e8467fb05191cdb39ba8
                          • Opcode Fuzzy Hash: 022de515d95d60b2180407891c6893f5e38ee9616cdb6991a78a59c3cd8879b7
                          • Instruction Fuzzy Hash: 9121D131B0021A9FCF94DA69ED546AEBBFAEB85354F248039E405DB380DB31DC468BC0
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: fe57482deee200f429d6830f9a45e7ea4f082a0d7838e3e1bc7071be56e9c407
                          • Instruction ID: 6934c6f60f22e2166e4c212a1247f5c13c0a4a3285ab47f0da478d4e9d4bb62c
                          • Opcode Fuzzy Hash: fe57482deee200f429d6830f9a45e7ea4f082a0d7838e3e1bc7071be56e9c407
                          • Instruction Fuzzy Hash: D0210330B052149FCB55DAB8D8546AE73EAEB8A714B20847AE10AC7750EE36DC42CBD1
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4c83de9f48ac20666e9323ccb9c6b71b038b61d84406f6e18b03ab053e892fc6
                          • Instruction ID: f98088efb080557dff6064b8797d9ae62735f1f9216743f9f7f4dac95c894118
                          • Opcode Fuzzy Hash: 4c83de9f48ac20666e9323ccb9c6b71b038b61d84406f6e18b03ab053e892fc6
                          • Instruction Fuzzy Hash: 09219875F107158FDB44CFAAD981AAEBBF5EB88650F208029E901E7350EB35DC808B90
                          Memory Dump Source
                          • Source File: 00000003.00000002.4219431680.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_147d000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: aacb61806b1f1a46ad4312b4198dec8e521bf6c7ce9860aca8f36eb4a3573d49
                          • Instruction ID: 305fad05e8d2f510605d004ce62b7cc197801c666c653d48cb3e873a3b3983c0
                          • Opcode Fuzzy Hash: aacb61806b1f1a46ad4312b4198dec8e521bf6c7ce9860aca8f36eb4a3573d49
                          • Instruction Fuzzy Hash: 852125B1904280DFCB16DF58D984B56BFA5EF84318F20C56ED90A4B366C336D447CA61
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 65baa9ff68cb0a6c0df19249b4fd6d933383906250fc8921f7d59820ab2b163f
                          • Instruction ID: fa08140e8afdf4c8be6bfe3cdf0be94bc538408613e3492a0b3a92fd212ed99a
                          • Opcode Fuzzy Hash: 65baa9ff68cb0a6c0df19249b4fd6d933383906250fc8921f7d59820ab2b163f
                          • Instruction Fuzzy Hash: E8114C3194E3E56FD713AA3C8C2559A3FB88F03104B1A01EBE080CF5A3D559CA4AC3E6
                          Memory Dump Source
                          • Source File: 00000003.00000002.4219431680.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_147d000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b96c3d8d28fe2b6f5c3fafba7cec694e4447a0cab58f64c060e179e99aec9a10
                          • Instruction ID: 5bdf06acd6d7ee79e886642930ae8d0e3cd07070ecdd6f493181d98ef05e3b62
                          • Opcode Fuzzy Hash: b96c3d8d28fe2b6f5c3fafba7cec694e4447a0cab58f64c060e179e99aec9a10
                          • Instruction Fuzzy Hash: C3216D755093C08FDB03CF24D994756BF71EF46218F28C5DAD8498B6A7C33A980ACB62
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: d000a9b84cde04ca4710a0746e54d8ddb23d8b10b9225d97f21e55bb5bcf061d
                          • Instruction ID: 4def82462c6aa76265c1431c120e4fc8d34683c678fd1a73daf019621e6ce4c2
                          • Opcode Fuzzy Hash: d000a9b84cde04ca4710a0746e54d8ddb23d8b10b9225d97f21e55bb5bcf061d
                          • Instruction Fuzzy Hash: 0101D6307142521FDB21997D980072BB7DACB86624F21843EE109CB795DA21CC0743D1
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 089d768e0ec4a033006cbf22f909f73c79c408d0739f52fda7dc4904c0692ff1
                          • Instruction ID: 3c23f13292449e2bfc953d0384c466935889223211767b3a55037ee337037d3b
                          • Opcode Fuzzy Hash: 089d768e0ec4a033006cbf22f909f73c79c408d0739f52fda7dc4904c0692ff1
                          • Instruction Fuzzy Hash: D411A131B102249FCF549A69DC146AE73FAEBC8650F108539D506EB358EE35DC068BD0
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3e7b674820b7a22a093ef2bdccec2af6578acdd89acbef0bb1d4436a17f9c518
                          • Instruction ID: 45d89a05794eeecd83896aaf88df82daa3af23cdb341c7a644856ca8b922f750
                          • Opcode Fuzzy Hash: 3e7b674820b7a22a093ef2bdccec2af6578acdd89acbef0bb1d4436a17f9c518
                          • Instruction Fuzzy Hash: 2D21C0B5D01219AFCB00DF9AD985ADEFBF8FB48314F10812AE918A7640D374A944CBE5
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: a41afb86a29349bed8c33e0f1dcdee652d4a64dc69cdda597aa55b63672b4680
                          • Instruction ID: 000a94fccc7ef2b85717edb9d2f75ad9796746be72d1f8bcf58c0b3384bfc5de
                          • Opcode Fuzzy Hash: a41afb86a29349bed8c33e0f1dcdee652d4a64dc69cdda597aa55b63672b4680
                          • Instruction Fuzzy Hash: 32018F31B042111BCB619A7CA46073EBBDBDBCAA24F34883AF40AC7795DA26CC4643C1
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3e1ef5322a7a6acd9f5b4390c1b73f2ca21ba7972bdf3a99e4c0e466a304da67
                          • Instruction ID: 07cb99171610b8636eac957293af2fb6cee685467961bad21b1d41a2fb56a4f6
                          • Opcode Fuzzy Hash: 3e1ef5322a7a6acd9f5b4390c1b73f2ca21ba7972bdf3a99e4c0e466a304da67
                          • Instruction Fuzzy Hash: B401DF32B142254BDF688A79DC146EF77EBEBC8740F24453AD446DB694EE25CC0687D0
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 38afd38bfc9b143df13c6742b3ed82540de2ced08af12066cedc710e9079131a
                          • Instruction ID: 2a6c1c4b825483fae562fda8f5ba2471eed6839e46545eca1bbba17735860a51
                          • Opcode Fuzzy Hash: 38afd38bfc9b143df13c6742b3ed82540de2ced08af12066cedc710e9079131a
                          • Instruction Fuzzy Hash: EB11D3B1D01219DFCB00CF9AD985ADEFBF4FB48314F10812AE918A7200C374A944CFA5
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 889cbe933c1c1e4ea87b66f90e82830e49c2d37cea20a5c2ccd9dfd6a2864b75
                          • Instruction ID: dfc4186b48052f443782eb7e4ee428799766dc6a73e2598e671aea5b78781818
                          • Opcode Fuzzy Hash: 889cbe933c1c1e4ea87b66f90e82830e49c2d37cea20a5c2ccd9dfd6a2864b75
                          • Instruction Fuzzy Hash: 09016D31B102121BEB64997D985072BA2DEDBC9A24F30883DE20EC7B58EA66DC4243D1
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 032fb41537ba2af5b8c8a3e53014aad3db89b2169ac0cdef7ffc6a4062ae6902
                          • Instruction ID: 9bef42d27731be0a4e9ea8845422f8594098b5d6514cfc1218f1746e1b1e75d5
                          • Opcode Fuzzy Hash: 032fb41537ba2af5b8c8a3e53014aad3db89b2169ac0cdef7ffc6a4062ae6902
                          • Instruction Fuzzy Hash: 17018C31B002115BCB649A7D945073EB7DBDBC9A24F308839E10AC7354EA26DC0643C1
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 254189fc631aaefa5d264348a5baa806bc0647101dd4c5822e23985f86a91aba
                          • Instruction ID: ff01517f2598c04b23c18ab0eeecc7e56a2e89c79d2891ba86ff7c941d9163da
                          • Opcode Fuzzy Hash: 254189fc631aaefa5d264348a5baa806bc0647101dd4c5822e23985f86a91aba
                          • Instruction Fuzzy Hash: CF01DC30B002101FCB649A7CE854B2AB3DAEB89B54F20C839E10ACBB54EE21DC4187C1
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                          • API String ID: 0-1324371161
                          • Opcode ID: 86ba40f07c2b5e4a18303b223294bffb926c6b7bcdbb1e0dba2fc23a6079714b
                          • Instruction ID: 8c42b221bff1b1e77d937ab2c2ea96ab934b6dee5c616482d15835371c5b8c0a
                          • Opcode Fuzzy Hash: 86ba40f07c2b5e4a18303b223294bffb926c6b7bcdbb1e0dba2fc23a6079714b
                          • Instruction Fuzzy Hash: F2123C34A003198FDB64DFA9C955AAEB7F6FF84300F20856AD409AB764DB359D85CF80
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
                          • API String ID: 0-1078448309
                          • Opcode ID: a2e21539e2abe688e283a0efce605c3af75e633f8ec502ef556053436ebec706
                          • Instruction ID: b84813e273ca72762ea7605e01c5af666c509fc48921be5d1f836de9c62845f6
                          • Opcode Fuzzy Hash: a2e21539e2abe688e283a0efce605c3af75e633f8ec502ef556053436ebec706
                          • Instruction Fuzzy Hash: C8915D30A11309DFEB68DF65D9547AEB7F6BF84301F208529E401976A8DB789C85CBD0
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                          • API String ID: 0-1342094364
                          • Opcode ID: 73be9a5d6d084613edbd2cd80fccd6aa76146c7c386a2b0ba3ad85bc8ad97fb7
                          • Instruction ID: cd01b4c751b683899fcfd5b27af6089d12a8c7e49e3bf88f678faab0f7269ca3
                          • Opcode Fuzzy Hash: 73be9a5d6d084613edbd2cd80fccd6aa76146c7c386a2b0ba3ad85bc8ad97fb7
                          • Instruction Fuzzy Hash: 54F14D34A00209CFDB58DFA9D554A6EBBF6FF84301F248568D4059B768DB39EC86CB81
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $kq$$kq$$kq$$kq
                          • API String ID: 0-2881790790
                          • Opcode ID: e05be78d1a0fbda54937a8a8611775889efb1156660e55affa7385fcda3810de
                          • Instruction ID: 2797086497e61c75d8eba176461cd93675db70ed3febcfcbdd1c0df23facf974
                          • Opcode Fuzzy Hash: e05be78d1a0fbda54937a8a8611775889efb1156660e55affa7385fcda3810de
                          • Instruction Fuzzy Hash: B2B10930E102098FDB64EF69D65469EB7F6FF84300F248929D4169B7A8DB75DC86CB80
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: LRkq$LRkq$$kq$$kq
                          • API String ID: 0-2392252538
                          • Opcode ID: 31b517c044cdf04bb4acc6b5b5b1fbcc687b1397b8457f68edef38d14f31be98
                          • Instruction ID: ac54e5d42baea4911936a4fe0634aac09651b2e3a260cc2ccac6c3335790d6f7
                          • Opcode Fuzzy Hash: 31b517c044cdf04bb4acc6b5b5b1fbcc687b1397b8457f68edef38d14f31be98
                          • Instruction Fuzzy Hash: A651C230B003069FDB58DF69DA40A6AB7EAFF88310F248569D4059B7A5DB34EC85CBD1
                          Strings
                          Memory Dump Source
                          • Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
                          Similarity
                          • API ID:
                          • String ID: $kq$$kq$$kq$$kq
                          • API String ID: 0-2881790790
                          • Opcode ID: 466df0d597ca24c9faaddd816684c671ccfceeb5f0c56ea9412fc68ac348b12a
                          • Instruction ID: ccb2738457d363919dc3f87676280c50f481916bc7bf31891b606881964fda4d
                          • Opcode Fuzzy Hash: 466df0d597ca24c9faaddd816684c671ccfceeb5f0c56ea9412fc68ac348b12a
                          • Instruction Fuzzy Hash: E9518F70A102059FDF69DA69D5806AEB3F6EB84310F30892AE406D7B54DB39EC85CBD0
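The function records above (one "Memory Dump Source" block per disassembled function, each carrying the dump it came from, the Joe Sandbox IDA snapshot, optional API/string references, an Opcode ID, an Instruction ID and two fuzzy hashes) are the pivot material an analyst wants when comparing this AddInProcess32 injection against other AgentTesla dumps. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses records in exactly the layout shown on this page into rows, sanity-checks that Opcode ID matches Opcode Fuzzy Hash (true for every record on this page), and groups records by source dump. The sample input is constructed from three records copied from this page plus one orphaned field line like the one at the top of this section. The dataclass and function names are this example's own, and the reading of "API String ID" as an api-hash/string-hash pair is an assumption (the left component is 0 on every record here, where API ID is empty).

```python
"""Parse Joe Sandbox 'Similarity' function records into rows for pivoting."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: three records copied from this report plus an orphaned
# trailing field of a record that was cut off above them.
SAMPLE = """
• Instruction Fuzzy Hash: 7E51F8B0B203149FEF65566DD95472F369ED789340F30482AE40AD77A5C979CC8583E2
Memory Dump Source
• Source File: 00000003.00000002.4219431680.000000000147D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0147D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_147d000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b96c3d8d28fe2b6f5c3fafba7cec694e4447a0cab58f64c060e179e99aec9a10
• Instruction ID: 5bdf06acd6d7ee79e886642930ae8d0e3cd07070ecdd6f493181d98ef05e3b62
• Opcode Fuzzy Hash: b96c3d8d28fe2b6f5c3fafba7cec694e4447a0cab58f64c060e179e99aec9a10
• Instruction Fuzzy Hash: C3216D755093C08FDB03CF24D994756BF71EF46218F28C5DAD8498B6A7C33A980ACB62
Memory Dump Source
• Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 254189fc631aaefa5d264348a5baa806bc0647101dd4c5822e23985f86a91aba
• Instruction ID: ff01517f2598c04b23c18ab0eeecc7e56a2e89c79d2891ba86ff7c941d9163da
• Opcode Fuzzy Hash: 254189fc631aaefa5d264348a5baa806bc0647101dd4c5822e23985f86a91aba
• Instruction Fuzzy Hash: CF01DC30B002101FCB649A7CE854B2AB3DAEB89B54F20C839E10ACBB54EE21DC4187C1
Strings
Memory Dump Source
• Source File: 00000003.00000002.4224622767.00000000069A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 069A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_69a0000_AddInProcess32.jbxd
Similarity
• API ID:
• String ID: $kq$$kq$$kq$$kq$$kq$$kq$$kq$$kq
• API String ID: 0-1078448309
• Opcode ID: a2e21539e2abe688e283a0efce605c3af75e633f8ec502ef556053436ebec706
• Instruction ID: b84813e273ca72762ea7605e01c5af666c509fc48921be5d1f836de9c62845f6
• Opcode Fuzzy Hash: a2e21539e2abe688e283a0efce605c3af75e633f8ec502ef556053436ebec706
• Instruction Fuzzy Hash: C8915D30A11309DFEB68DF65D9547AEB7F6BF84301F208529E401976A8DB789C85CBD0
"""


@dataclass
class FunctionRecord:  # hypothetical name, one row per "Memory Dump Source" block
    source_file: str = ""
    offset: str = ""
    based_on_pe: Optional[bool] = None
    snapshot_file: str = ""
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""
    has_strings: bool = False  # preceded by a "Strings" label in the report


FIELD_MAP = {
    "Snapshot File": "snapshot_file", "API ID": "api_id", "String ID": "string_id",
    "API String ID": "api_string_id", "Opcode ID": "opcode_id",
    "Instruction ID": "instruction_id", "Opcode Fuzzy Hash": "opcode_fuzzy_hash",
    "Instruction Fuzzy Hash": "instruction_fuzzy_hash",
}
SOURCE_RE = re.compile(r"^(?P<file>[^,]+), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)$")


def parse_records(text: str) -> list:
    """Walk the report text line by line; a 'Memory Dump Source' label opens a record."""
    records, cur, pending_strings = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("Joe Sandbox IDA Plugin", "Similarity"):
            continue
        if line == "Strings":            # label applies to the record that follows
            pending_strings = True
            continue
        if line == "Memory Dump Source":
            cur = FunctionRecord(has_strings=pending_strings)
            pending_strings = False
            records.append(cur)
            continue
        if not line.startswith("•") or cur is None:
            continue                      # orphaned field line before the first record: skip
        key, _, value = line[1:].strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Source File":
            m = SOURCE_RE.match(value)
            if m:
                cur.source_file, cur.offset = m["file"], m["offset"]
                cur.based_on_pe = m["pe"] == "true"
            else:
                cur.source_file = value
        elif key in FIELD_MAP:
            setattr(cur, FIELD_MAP[key], value)
    return records


def check_consistency(records) -> list:
    """Return records whose Opcode ID differs from Opcode Fuzzy Hash (expected: none)."""
    return [r for r in records if r.opcode_id != r.opcode_fuzzy_hash]


def group_by_source(records) -> dict:
    """Group records by (dump file, offset) so each injected region can be pivoted on."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.source_file, r.offset)].append(r)
    return dict(groups)


def split_api_string_id(value: str):
    """Assumption: 'A-B' is (api hash, string hash); empty value means no references."""
    if not value:
        return None
    left, _, right = value.partition("-")
    return int(left), int(right)


if __name__ == "__main__":
    rows = parse_records(SAMPLE)
    for (src, off), rs in group_by_source(rows).items():
        print(off, len(rs), "records,", sum(r.has_strings for r in rs), "with strings")
    print("inconsistent:", len(check_consistency(rows)))
```

Unique Instruction Fuzzy Hash values from the rows can then be fed to whatever similarity index is in use, and the (dump, offset) keys separate the 069A0000 region that holds the bulk of the functions from the 0147D000 region.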