
Windows Analysis Report
z71htmivzKAUpOkr2J.exe

Overview

General Information

Sample name: z71htmivzKAUpOkr2J.exe
Analysis ID: 1528267
MD5: 4cc4300ca47f721736cf09e113d5d911
SHA1: 2c4cdbd5ecd86653e18945a320cd021001ca03f8
SHA256: 60b3f4ef12794600833b77583624d77d037885f3bbc6361b013eb4ecf2017b99
Tags: AgentTesla, exe, user-Porcupine

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • z71htmivzKAUpOkr2J.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe" MD5: 4CC4300CA47F721736CF09E113D5D911)
    • powershell.exe (PID: 7828 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8072 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • z71htmivzKAUpOkr2J.exe (PID: 7844 cmdline: "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe" MD5: 4CC4300CA47F721736CF09E113D5D911)
    • z71htmivzKAUpOkr2J.exe (PID: 7860 cmdline: "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe" MD5: 4CC4300CA47F721736CF09E113D5D911)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.apexrnun.com", "Username": "testlab@apexrnun.com", "Password": "%qroUozO;(C2Rlyb"}
Source | Rule | Description | Author | Strings
00000006.00000002.2673856097.00000000034D1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.2670976514.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000006.00000002.2670976514.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.2673856097.0000000003481000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x32363:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x323d5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3245f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x324f1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3255b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x325cd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32663:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x326f3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe", ParentImage: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe, ParentProcessId: 7600, ParentProcessName: z71htmivzKAUpOkr2J.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe", ProcessId: 7828, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe", ParentImage: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe, ParentProcessId: 7600, ParentProcessName: z71htmivzKAUpOkr2J.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe", ProcessId: 7828, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 185.196.9.150, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe, Initiated: true, ProcessId: 7860, Protocol: tcp, SourceIp: 192.168.2.9, SourceIsIpv6: false, SourcePort: 49755
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe", ParentImage: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe, ParentProcessId: 7600, ParentProcessName: z71htmivzKAUpOkr2J.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe", ProcessId: 7828, ProcessName: powershell.exe
No Suricata rule has matched


                    AV Detection

Source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.apexrnun.com", "Username": "testlab@apexrnun.com", "Password": "%qroUozO;(C2Rlyb"}
Source: z71htmivzKAUpOkr2J.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: z71htmivzKAUpOkr2J.exe | Joe Sandbox ML: detected
Source: z71htmivzKAUpOkr2J.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: z71htmivzKAUpOkr2J.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: TQuY.pdbSHA256F5 | source: z71htmivzKAUpOkr2J.exe
Source: Binary string: TQuY.pdb | source: z71htmivzKAUpOkr2J.exe
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 4x nop then jmp 07248265h | 0_2_0724798E

                    Networking

Source: Yara match | File source: 6.2.z71htmivzKAUpOkr2J.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.9:49755 -> 185.196.9.150:587
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 185.196.9.150
Source: Joe Sandbox View | ASN Name: TUT-ASUS
Source: Joe Sandbox View | ASN Name: SIMPLECARRIERCH
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | TCP traffic: 192.168.2.9:49755 -> 185.196.9.150:587
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 events)
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: mail.apexrnun.com
Source: global traffic | DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: global traffic | DNS traffic detected: DNS query: 212.20.149.52.in-addr.arpa
Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.0000000003451000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1445809859.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000000.00000002.1445809859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.0000000003451000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.0000000001218000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2670976514.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.apexrnun.com
Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.0000000001247000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/02
Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.0000000001247000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1443924099.0000000002B15000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.0000000003451000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.0000000001247000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.0000000001247000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1445809859.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000000.00000002.1445809859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2670976514.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.raw.unpack, SKTzxzsJw.cs | .Net Code: _17HhIAJY
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.raw.unpack, SKTzxzsJw.cs | .Net Code: _17HhIAJY

                    System Summary

Source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 6.2.z71htmivzKAUpOkr2J.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_0117D55C
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_05036A48
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_0503001A
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_05030040
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_05036A38
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_07248C70
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_07240040
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_07242FCB
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_07242FD0
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_07243408
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_07245388
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_07242B98
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_072433F8
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_07240006
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_016DA8A8
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_016D4AC0
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_016DEC18
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_016DACEF
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_016D3EA8
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_016D41F0
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06C7A854
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06CA65C0
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06CA5568
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06CA3028
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06CAB1F8
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06CAC148
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06CA7D50
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06CA7670
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06CA2340
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06CAE378
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06CA0040
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06CA5CB3
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06CA0021
Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1445809859.0000000003CED000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec8656b0c-2aa3-4d56-9386-3f68d83183ee.exe4 vs z71htmivzKAUpOkr2J.exe
Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1445809859.0000000003CED000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs z71htmivzKAUpOkr2J.exe
Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1454429373.000000000A0B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs z71htmivzKAUpOkr2J.exe
Source: z71htmivzKAUpOkr2J.exe, 00000000.00000000.1413818720.00000000007B2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameTQuY.exe8 vs z71htmivzKAUpOkr2J.exe
Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1450202074.0000000007180000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs z71htmivzKAUpOkr2J.exe
Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1438394385.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs z71htmivzKAUpOkr2J.exe
Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1445809859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs z71htmivzKAUpOkr2J.exe
Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1443924099.0000000002B15000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec8656b0c-2aa3-4d56-9386-3f68d83183ee.exe4 vs z71htmivzKAUpOkr2J.exe
Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671322518.0000000000FB8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z71htmivzKAUpOkr2J.exe
Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.0000000001218000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs z71htmivzKAUpOkr2J.exe
Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2670976514.000000000043E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec8656b0c-2aa3-4d56-9386-3f68d83183ee.exe4 vs z71htmivzKAUpOkr2J.exe
Source: z71htmivzKAUpOkr2J.exe | Binary or memory string: OriginalFilenameTQuY.exe8 vs z71htmivzKAUpOkr2J.exe
Source: z71htmivzKAUpOkr2J.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 6.2.z71htmivzKAUpOkr2J.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: z71htmivzKAUpOkr2J.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock' (2 occurrences)
Source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock' (4 occurrences)
Source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, yaTqgarycudbWP6jBl.cs | Security API names: _0020.SetAccessControl
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, yaTqgarycudbWP6jBl.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, yaTqgarycudbWP6jBl.cs | Security API names: _0020.AddAccessRule
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, fRDCl06P4uQ83wPlbB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, fRDCl06P4uQ83wPlbB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, yaTqgarycudbWP6jBl.cs | Security API names: _0020.SetAccessControl
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, yaTqgarycudbWP6jBl.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, yaTqgarycudbWP6jBl.cs | Security API names: _0020.AddAccessRule
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, fRDCl06P4uQ83wPlbB.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, yaTqgarycudbWP6jBl.cs | Security API names: _0020.SetAccessControl
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, yaTqgarycudbWP6jBl.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, yaTqgarycudbWP6jBl.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/6@4/2
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z71htmivzKAUpOkr2J.exe.log
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ksw4tic.4jw.ps1
Source: z71htmivzKAUpOkr2J.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: z71htmivzKAUpOkr2J.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: z71htmivzKAUpOkr2J.exe | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process created: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process created: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process created: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process created: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: z71htmivzKAUpOkr2J.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: z71htmivzKAUpOkr2J.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: z71htmivzKAUpOkr2J.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: TQuY.pdbSHA256F5 source: z71htmivzKAUpOkr2J.exe
                    Source: Binary string: TQuY.pdb source: z71htmivzKAUpOkr2J.exe

Data Obfuscation

Source: z71htmivzKAUpOkr2J.exe, Form1.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.z71htmivzKAUpOkr2J.exe.2af4904.0.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.z71htmivzKAUpOkr2J.exe.7860000.6.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, yaTqgarycudbWP6jBl.cs | .Net Code: NGeFHFFoRWsbL2PIj85 System.Reflection.Assembly.Load(byte[])
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, yaTqgarycudbWP6jBl.cs | .Net Code: NGeFHFFoRWsbL2PIj85 System.Reflection.Assembly.Load(byte[])
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, yaTqgarycudbWP6jBl.cs | .Net Code: NGeFHFFoRWsbL2PIj85 System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_05039F40 push eax; mov dword ptr [esp], edx | 0_2_05039F54
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_07248591 push 0000000Ah; retf | 0_2_0724859C
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 0_2_07245270 pushfd ; retf | 0_2_0724527D
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06C7EFC0 push ecx; iretd | 6_2_06C7EFCE
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06C7AC03 push ecx; iretd | 6_2_06C7AC12
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06C7ABE0 push ecx; iretd | 6_2_06C7ABF2
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06C7ABF3 push ecx; iretd | 6_2_06C7AC02
Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_06C7DB30 push ds; iretd | 6_2_06C7DB3E
Source: z71htmivzKAUpOkr2J.exe | Static PE information: section name: .text entropy: 7.984679239513805
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, crwMCyRZVUppHvIWn5.cs | High entropy of concatenated method names: 'wS59SA5Byc', 'kuS9sPT8dU', 'bQK9RZD4Vu', 'BTr901qvXx', 'o8Z9Pn3ZJL', 'FTQ9g6DHRN', 'RZi9Kct1ET', 'h2o9GGbpnB', 'hvO9k9K3IE', 'foO9307Kra'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, yaTqgarycudbWP6jBl.cs | High entropy of concatenated method names: 'MBkdyAf43e', 'p9Sdt9kRIj', 'HXOdX1xZHa', 'nQYdHqgui2', 'CsQd4uYLDE', 'Vtwdxnm5r6', 'FOddcsgJe5', 'RpndrXRq2r', 'hQEdbNBZNq', 'w0yd81ppPg'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, MYqpkcz0vSeQPRSoMr.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbEp252r8m', 'Bb1p9vmsXa', 'uq1pvf52Qx', 'PC1pAvCuCD', 'AgupO4xumg', 'Bpopprh8rS', 'LHOpa9l84T'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, AJCoB4DNqDlGZ2QRrH.cs | High entropy of concatenated method names: 'ToString', 'dvTvofr91p', 'F73vPDjsdA', 'g49vgfpkcs', 'ClSvKmE7UW', 'RKLvGn8euJ', 'wYyvk852QQ', 'KqYv36QboD', 't4pvNcMFMo', 'g6nvTQCi6x'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, K77F1FErGj7mN8HJfi.cs | High entropy of concatenated method names: 'fFglWExnN', 'g2cuqg5oU', 'uxNivj4Zp', 'S2ZJb8jSE', 'cPfIJAnRS', 'AdRYYbIJO', 'erjdYsAfJMwQUMdoMk', 'veJpVYl6UClT3NBgvs', 'lwwOZiKCl', 'RoqaDJpTh'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, KRoxQeQVx4pUrIrslbS.cs | High entropy of concatenated method names: 'rAfpjNJbL0', 'T1Xp7xW7bC', 'mtFplS3q8M', 'CSCpuECdvX', 'KSSp52tpP8', 'IgjpiNski9', 'g9fpJYfarc', 'lMGp6G4289', 'KQnpIOT8en', 'MWHpY4NSlV'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, Yy4yQHXwomB2PAPv6o.cs | High entropy of concatenated method names: 'Dispose', 'iJsQMiV7ay', 'k1DEPmkPAj', 'xunRRA1s2b', 'aDdQBrpRhn', 'qYuQzxGYjD', 'ProcessDialogKey', 'YB4EVEsmn6', 'cRPEQ5uaoE', 'tdbEEwkO3B'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, kcZFUFTjtmbwwXiokf.cs | High entropy of concatenated method names: 'I62cjkY96Q', 'jmIc7Pad1E', 'euGcllrAcT', 'KWycurBKK6', 'kgxc5IMj4V', 'yKjciKGKvQ', 'u1IcJCVrHi', 'O9cc6Qr8gv', 'QCZcIZsRHJ', 'fKrcYAZjE7'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, SdrpRhFnOYuxGYjDBB.cs | High entropy of concatenated method names: 'uGsOt1Tfg0', 'tQqOXWJ2qM', 'wXdOHNQub5', 'etHO45TB3l', 'ttAOxWbcJJ', 'kkEOcJtTl0', 'LyAOr5p7aR', 'o4GObg63Ew', 'QFoO8T41qO', 'QVROnOkyjo'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, mOsdUS3FtKfO3BQfKC.cs | High entropy of concatenated method names: 'cjhctkCVAq', 'zHycHNgpCw', 'YSDcxZUk1a', 'LM3xB5CW9y', 'qAixzf7fMU', 'HpDcVlbIBl', 'MoFcQ0GXBT', 'TbxcEE4Nil', 'MJHcdCUXhe', 'TvUcZ2g0RM'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, grb8eNwhs2ti70cLLr.cs | High entropy of concatenated method names: 'IxjAFdxUgU', 'XrAABDq6NF', 'gOqOVyvvEJ', 'sG4OQZXmdB', 'KLjAoLxXZx', 'P11AsouQPP', 'qJXACjhxF7', 'GpxARSAkuZ', 'LueA0JNyZV', 'h7aADfwwSj'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, VkO3BhByfp3nV8M7O6.cs | High entropy of concatenated method names: 'KgRpQA256D', 'bChpdTP5wg', 'ge0pZvy1Mv', 'HOnptPjTPm', 'rTgpX1PAGv', 'VIJp4IpKnc', 'MiUpxpemI0', 'r87Oq2tRLZ', 'xgEOFOMkR4', 'VhyOMeeMMv'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, Vsjf3vQd1dHxVK8odMh.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nWVaRtSS8n', 'imla0EnQOR', 'vW7aDwETfK', 'hdla1gew1J', 'RxAaLqoEvN', 't2RaweHf6c', 'LRMaqNhNrr'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, fFCiRvITk7LZE0QT6t.cs | High entropy of concatenated method names: 'TpqHuHHyZo', 'SuPHi5vuCE', 'I6SH6ZHwug', 'rARHIgSL3B', 'lmdH9GRjiq', 'utqHvdqGhS', 'xfsHAYV5uX', 'KKFHOt47vx', 'IkyHpu7uDv', 'EuEHanhVAm'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, hEsmn6MERP5uaoEadb.cs | High entropy of concatenated method names: 'TPjOh9Jgqw', 'mnwOPhHcFH', 'iuwOgZaJHr', 'bNDOKV40J4', 'AwlORTxUKa', 'DeaOGTSoAa', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, jLS5y8h9wofsHHF5A8.cs | High entropy of concatenated method names: 'lhJxytxVRF', 'dC7xX9nCM5', 'yb7x42tQoq', 'XSDxcuBJyH', 'Bo8xr0UVer', 'MCq4LU69LH', 'tQH4wO16He', 'P5k4qMueMl', 'eIc4FxDBBY', 't1m4MEiOMd'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, OT13E2ZVqgdZyCSC0O.cs | High entropy of concatenated method names: 'XhtQcRDCl0', 'G4uQrQ83wP', 'pTkQ87LZE0', 'bT6QntA4TO', 'NcjQ9qtxLS', 'Ay8Qv9wofs', 'VUdsu3rEW2fAFQAF17', 'SaRNOhx8KSdLgqjVxL', 'xOtQQyWBrJ', 'cc2QdogAGO'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, fRDCl06P4uQ83wPlbB.cs | High entropy of concatenated method names: 'yeGXRuVHwZ', 'HWwX0CtoMo', 'MpKXDB5AII', 'pLeX1FCtpi', 'rejXLAjdif', 'ww3XwjmJnl', 'ynRXqrhoiD', 'OARXFnV7Sj', 'mEnXMJLhAO', 'WegXBPFpge'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3bc3840.2.raw.unpack, eKRxfjCL0nROHZWvwX.cs | High entropy of concatenated method names: 'N6526cma8K', 'P7e2IH3wJ5', 'rSx2hQ9Eqf', 'uLi2PCAKcS', 'GFC2KhFlSu', 'ccx2GdwInH', 'pK3239drJ4', 'Ttf2Nf6jc5', 'GGV2SEhcvy', 'Cqf2otYPsX'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, crwMCyRZVUppHvIWn5.cs | High entropy of concatenated method names: 'wS59SA5Byc', 'kuS9sPT8dU', 'bQK9RZD4Vu', 'BTr901qvXx', 'o8Z9Pn3ZJL', 'FTQ9g6DHRN', 'RZi9Kct1ET', 'h2o9GGbpnB', 'hvO9k9K3IE', 'foO9307Kra'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, yaTqgarycudbWP6jBl.cs | High entropy of concatenated method names: 'MBkdyAf43e', 'p9Sdt9kRIj', 'HXOdX1xZHa', 'nQYdHqgui2', 'CsQd4uYLDE', 'Vtwdxnm5r6', 'FOddcsgJe5', 'RpndrXRq2r', 'hQEdbNBZNq', 'w0yd81ppPg'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, MYqpkcz0vSeQPRSoMr.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbEp252r8m', 'Bb1p9vmsXa', 'uq1pvf52Qx', 'PC1pAvCuCD', 'AgupO4xumg', 'Bpopprh8rS', 'LHOpa9l84T'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, AJCoB4DNqDlGZ2QRrH.cs | High entropy of concatenated method names: 'ToString', 'dvTvofr91p', 'F73vPDjsdA', 'g49vgfpkcs', 'ClSvKmE7UW', 'RKLvGn8euJ', 'wYyvk852QQ', 'KqYv36QboD', 't4pvNcMFMo', 'g6nvTQCi6x'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, K77F1FErGj7mN8HJfi.cs | High entropy of concatenated method names: 'fFglWExnN', 'g2cuqg5oU', 'uxNivj4Zp', 'S2ZJb8jSE', 'cPfIJAnRS', 'AdRYYbIJO', 'erjdYsAfJMwQUMdoMk', 'veJpVYl6UClT3NBgvs', 'lwwOZiKCl', 'RoqaDJpTh'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, KRoxQeQVx4pUrIrslbS.cs | High entropy of concatenated method names: 'rAfpjNJbL0', 'T1Xp7xW7bC', 'mtFplS3q8M', 'CSCpuECdvX', 'KSSp52tpP8', 'IgjpiNski9', 'g9fpJYfarc', 'lMGp6G4289', 'KQnpIOT8en', 'MWHpY4NSlV'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, Yy4yQHXwomB2PAPv6o.cs | High entropy of concatenated method names: 'Dispose', 'iJsQMiV7ay', 'k1DEPmkPAj', 'xunRRA1s2b', 'aDdQBrpRhn', 'qYuQzxGYjD', 'ProcessDialogKey', 'YB4EVEsmn6', 'cRPEQ5uaoE', 'tdbEEwkO3B'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, kcZFUFTjtmbwwXiokf.cs | High entropy of concatenated method names: 'I62cjkY96Q', 'jmIc7Pad1E', 'euGcllrAcT', 'KWycurBKK6', 'kgxc5IMj4V', 'yKjciKGKvQ', 'u1IcJCVrHi', 'O9cc6Qr8gv', 'QCZcIZsRHJ', 'fKrcYAZjE7'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, SdrpRhFnOYuxGYjDBB.cs | High entropy of concatenated method names: 'uGsOt1Tfg0', 'tQqOXWJ2qM', 'wXdOHNQub5', 'etHO45TB3l', 'ttAOxWbcJJ', 'kkEOcJtTl0', 'LyAOr5p7aR', 'o4GObg63Ew', 'QFoO8T41qO', 'QVROnOkyjo'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, mOsdUS3FtKfO3BQfKC.cs | High entropy of concatenated method names: 'cjhctkCVAq', 'zHycHNgpCw', 'YSDcxZUk1a', 'LM3xB5CW9y', 'qAixzf7fMU', 'HpDcVlbIBl', 'MoFcQ0GXBT', 'TbxcEE4Nil', 'MJHcdCUXhe', 'TvUcZ2g0RM'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, grb8eNwhs2ti70cLLr.cs | High entropy of concatenated method names: 'IxjAFdxUgU', 'XrAABDq6NF', 'gOqOVyvvEJ', 'sG4OQZXmdB', 'KLjAoLxXZx', 'P11AsouQPP', 'qJXACjhxF7', 'GpxARSAkuZ', 'LueA0JNyZV', 'h7aADfwwSj'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, VkO3BhByfp3nV8M7O6.cs | High entropy of concatenated method names: 'KgRpQA256D', 'bChpdTP5wg', 'ge0pZvy1Mv', 'HOnptPjTPm', 'rTgpX1PAGv', 'VIJp4IpKnc', 'MiUpxpemI0', 'r87Oq2tRLZ', 'xgEOFOMkR4', 'VhyOMeeMMv'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, Vsjf3vQd1dHxVK8odMh.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nWVaRtSS8n', 'imla0EnQOR', 'vW7aDwETfK', 'hdla1gew1J', 'RxAaLqoEvN', 't2RaweHf6c', 'LRMaqNhNrr'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, fFCiRvITk7LZE0QT6t.cs | High entropy of concatenated method names: 'TpqHuHHyZo', 'SuPHi5vuCE', 'I6SH6ZHwug', 'rARHIgSL3B', 'lmdH9GRjiq', 'utqHvdqGhS', 'xfsHAYV5uX', 'KKFHOt47vx', 'IkyHpu7uDv', 'EuEHanhVAm'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, hEsmn6MERP5uaoEadb.cs | High entropy of concatenated method names: 'TPjOh9Jgqw', 'mnwOPhHcFH', 'iuwOgZaJHr', 'bNDOKV40J4', 'AwlORTxUKa', 'DeaOGTSoAa', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, jLS5y8h9wofsHHF5A8.cs | High entropy of concatenated method names: 'lhJxytxVRF', 'dC7xX9nCM5', 'yb7x42tQoq', 'XSDxcuBJyH', 'Bo8xr0UVer', 'MCq4LU69LH', 'tQH4wO16He', 'P5k4qMueMl', 'eIc4FxDBBY', 't1m4MEiOMd'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, OT13E2ZVqgdZyCSC0O.cs | High entropy of concatenated method names: 'XhtQcRDCl0', 'G4uQrQ83wP', 'pTkQ87LZE0', 'bT6QntA4TO', 'NcjQ9qtxLS', 'Ay8Qv9wofs', 'VUdsu3rEW2fAFQAF17', 'SaRNOhx8KSdLgqjVxL', 'xOtQQyWBrJ', 'cc2QdogAGO'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, fRDCl06P4uQ83wPlbB.cs | High entropy of concatenated method names: 'yeGXRuVHwZ', 'HWwX0CtoMo', 'MpKXDB5AII', 'pLeX1FCtpi', 'rejXLAjdif', 'ww3XwjmJnl', 'ynRXqrhoiD', 'OARXFnV7Sj', 'mEnXMJLhAO', 'WegXBPFpge'
Source: 0.2.z71htmivzKAUpOkr2J.exe.7180000.5.raw.unpack, eKRxfjCL0nROHZWvwX.cs | High entropy of concatenated method names: 'N6526cma8K', 'P7e2IH3wJ5', 'rSx2hQ9Eqf', 'uLi2PCAKcS', 'GFC2KhFlSu', 'ccx2GdwInH', 'pK3239drJ4', 'Ttf2Nf6jc5', 'GGV2SEhcvy', 'Cqf2otYPsX'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, crwMCyRZVUppHvIWn5.cs | High entropy of concatenated method names: 'wS59SA5Byc', 'kuS9sPT8dU', 'bQK9RZD4Vu', 'BTr901qvXx', 'o8Z9Pn3ZJL', 'FTQ9g6DHRN', 'RZi9Kct1ET', 'h2o9GGbpnB', 'hvO9k9K3IE', 'foO9307Kra'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, yaTqgarycudbWP6jBl.cs | High entropy of concatenated method names: 'MBkdyAf43e', 'p9Sdt9kRIj', 'HXOdX1xZHa', 'nQYdHqgui2', 'CsQd4uYLDE', 'Vtwdxnm5r6', 'FOddcsgJe5', 'RpndrXRq2r', 'hQEdbNBZNq', 'w0yd81ppPg'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, MYqpkcz0vSeQPRSoMr.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbEp252r8m', 'Bb1p9vmsXa', 'uq1pvf52Qx', 'PC1pAvCuCD', 'AgupO4xumg', 'Bpopprh8rS', 'LHOpa9l84T'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, AJCoB4DNqDlGZ2QRrH.cs | High entropy of concatenated method names: 'ToString', 'dvTvofr91p', 'F73vPDjsdA', 'g49vgfpkcs', 'ClSvKmE7UW', 'RKLvGn8euJ', 'wYyvk852QQ', 'KqYv36QboD', 't4pvNcMFMo', 'g6nvTQCi6x'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, K77F1FErGj7mN8HJfi.cs | High entropy of concatenated method names: 'fFglWExnN', 'g2cuqg5oU', 'uxNivj4Zp', 'S2ZJb8jSE', 'cPfIJAnRS', 'AdRYYbIJO', 'erjdYsAfJMwQUMdoMk', 'veJpVYl6UClT3NBgvs', 'lwwOZiKCl', 'RoqaDJpTh'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, KRoxQeQVx4pUrIrslbS.cs | High entropy of concatenated method names: 'rAfpjNJbL0', 'T1Xp7xW7bC', 'mtFplS3q8M', 'CSCpuECdvX', 'KSSp52tpP8', 'IgjpiNski9', 'g9fpJYfarc', 'lMGp6G4289', 'KQnpIOT8en', 'MWHpY4NSlV'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, Yy4yQHXwomB2PAPv6o.cs | High entropy of concatenated method names: 'Dispose', 'iJsQMiV7ay', 'k1DEPmkPAj', 'xunRRA1s2b', 'aDdQBrpRhn', 'qYuQzxGYjD', 'ProcessDialogKey', 'YB4EVEsmn6', 'cRPEQ5uaoE', 'tdbEEwkO3B'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, kcZFUFTjtmbwwXiokf.cs | High entropy of concatenated method names: 'I62cjkY96Q', 'jmIc7Pad1E', 'euGcllrAcT', 'KWycurBKK6', 'kgxc5IMj4V', 'yKjciKGKvQ', 'u1IcJCVrHi', 'O9cc6Qr8gv', 'QCZcIZsRHJ', 'fKrcYAZjE7'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, SdrpRhFnOYuxGYjDBB.cs | High entropy of concatenated method names: 'uGsOt1Tfg0', 'tQqOXWJ2qM', 'wXdOHNQub5', 'etHO45TB3l', 'ttAOxWbcJJ', 'kkEOcJtTl0', 'LyAOr5p7aR', 'o4GObg63Ew', 'QFoO8T41qO', 'QVROnOkyjo'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, mOsdUS3FtKfO3BQfKC.cs | High entropy of concatenated method names: 'cjhctkCVAq', 'zHycHNgpCw', 'YSDcxZUk1a', 'LM3xB5CW9y', 'qAixzf7fMU', 'HpDcVlbIBl', 'MoFcQ0GXBT', 'TbxcEE4Nil', 'MJHcdCUXhe', 'TvUcZ2g0RM'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, grb8eNwhs2ti70cLLr.cs | High entropy of concatenated method names: 'IxjAFdxUgU', 'XrAABDq6NF', 'gOqOVyvvEJ', 'sG4OQZXmdB', 'KLjAoLxXZx', 'P11AsouQPP', 'qJXACjhxF7', 'GpxARSAkuZ', 'LueA0JNyZV', 'h7aADfwwSj'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, VkO3BhByfp3nV8M7O6.cs | High entropy of concatenated method names: 'KgRpQA256D', 'bChpdTP5wg', 'ge0pZvy1Mv', 'HOnptPjTPm', 'rTgpX1PAGv', 'VIJp4IpKnc', 'MiUpxpemI0', 'r87Oq2tRLZ', 'xgEOFOMkR4', 'VhyOMeeMMv'
Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, Vsjf3vQd1dHxVK8odMh.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nWVaRtSS8n', 'imla0EnQOR', 'vW7aDwETfK', 'hdla1gew1J', 'RxAaLqoEvN', 't2RaweHf6c', 'LRMaqNhNrr'
                    Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, fFCiRvITk7LZE0QT6t.csHigh entropy of concatenated method names: 'TpqHuHHyZo', 'SuPHi5vuCE', 'I6SH6ZHwug', 'rARHIgSL3B', 'lmdH9GRjiq', 'utqHvdqGhS', 'xfsHAYV5uX', 'KKFHOt47vx', 'IkyHpu7uDv', 'EuEHanhVAm'
                    Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, hEsmn6MERP5uaoEadb.csHigh entropy of concatenated method names: 'TPjOh9Jgqw', 'mnwOPhHcFH', 'iuwOgZaJHr', 'bNDOKV40J4', 'AwlORTxUKa', 'DeaOGTSoAa', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, jLS5y8h9wofsHHF5A8.csHigh entropy of concatenated method names: 'lhJxytxVRF', 'dC7xX9nCM5', 'yb7x42tQoq', 'XSDxcuBJyH', 'Bo8xr0UVer', 'MCq4LU69LH', 'tQH4wO16He', 'P5k4qMueMl', 'eIc4FxDBBY', 't1m4MEiOMd'
                    Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, OT13E2ZVqgdZyCSC0O.csHigh entropy of concatenated method names: 'XhtQcRDCl0', 'G4uQrQ83wP', 'pTkQ87LZE0', 'bT6QntA4TO', 'NcjQ9qtxLS', 'Ay8Qv9wofs', 'VUdsu3rEW2fAFQAF17', 'SaRNOhx8KSdLgqjVxL', 'xOtQQyWBrJ', 'cc2QdogAGO'
                    Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, fRDCl06P4uQ83wPlbB.csHigh entropy of concatenated method names: 'yeGXRuVHwZ', 'HWwX0CtoMo', 'MpKXDB5AII', 'pLeX1FCtpi', 'rejXLAjdif', 'ww3XwjmJnl', 'ynRXqrhoiD', 'OARXFnV7Sj', 'mEnXMJLhAO', 'WegXBPFpge'
                    Source: 0.2.z71htmivzKAUpOkr2J.exe.3d747e0.3.raw.unpack, eKRxfjCL0nROHZWvwX.csHigh entropy of concatenated method names: 'N6526cma8K', 'P7e2IH3wJ5', 'rSx2hQ9Eqf', 'uLi2PCAKcS', 'GFC2KhFlSu', 'ccx2GdwInH', 'pK3239drJ4', 'Ttf2Nf6jc5', 'GGV2SEhcvy', 'Cqf2otYPsX'
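                    The "High entropy of concatenated method names" entries above are the sandbox's heuristic for .NET members renamed by an obfuscator. The Python below is added here as an illustration; it is not part of the Joe Sandbox report or its engine. It reproduces the idea on method names taken from the entries above: Shannon entropy over the concatenated names, plus a per-name lexical check so that a few framework members left unrenamed do not swing the verdict. The 4.7-bit cut-off, the `looks_random` rule and the BENIGN comparison set are assumptions chosen for this example; the report does not state the measure or threshold the sandbox applies.

```python
import math
from collections import Counter

# Method names copied from the report entries above: a fully randomized class
# (OT13E2ZVqgdZyCSC0O.cs) and a partly randomized one (MYqpkcz0vSeQPRSoMr.cs),
# where CanConvertFrom/ConvertFrom/ConvertTo are TypeConverter overrides that
# the obfuscator left intact.
OBFUSCATED = ['XhtQcRDCl0', 'G4uQrQ83wP', 'pTkQ87LZE0', 'bT6QntA4TO', 'NcjQ9qtxLS',
              'Ay8Qv9wofs', 'VUdsu3rEW2fAFQAF17', 'SaRNOhx8KSdLgqjVxL',
              'xOtQQyWBrJ', 'cc2QdogAGO']
MIXED = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'EbEp252r8m', 'Bb1p9vmsXa',
         'uq1pvf52Qx', 'PC1pAvCuCD', 'AgupO4xumg', 'Bpopprh8rS', 'LHOpa9l84T']
# Constructed comparison set (not from the report as a class): the framework
# names that appear in the entries above plus two ordinary Object overrides.
BENIGN = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Dispose', 'ToString',
          'Equals', 'GetHashCode', 'ProcessDialogKey', 'Next', 'NextBytes']

# Assumed thresholds, chosen to separate the three sets above; the report does
# not give the sandbox's own measure or cut-off.
ENTROPY_THRESHOLD = 4.7        # bits per character of the concatenation
RANDOM_RATIO_THRESHOLD = 0.5   # share of names that look machine-generated


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's character distribution."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_random(name: str) -> bool:
    """Lexical heuristic (assumed): hand-written C# method names rarely contain
    digits, and names of eight or more characters almost always contain a
    lowercase vowel."""
    if any(ch.isdigit() for ch in name):
        return True
    return len(name) >= 8 and not any(ch in 'aeiou' for ch in name)


def score_class(method_names):
    """Score one class: entropy of the concatenated names, the fraction of
    names that look random, and the combined verdict."""
    joined = ''.join(method_names)
    entropy = shannon_entropy(joined)
    random_ratio = sum(looks_random(n) for n in method_names) / len(method_names)
    return {
        'entropy': entropy,
        'random_ratio': random_ratio,
        'flagged': entropy >= ENTROPY_THRESHOLD or random_ratio >= RANDOM_RATIO_THRESHOLD,
    }


if __name__ == '__main__':
    for label, names in (('obfuscated', OBFUSCATED), ('mixed', MIXED), ('benign', BENIGN)):
        s = score_class(names)
        print(f"{label:10s} entropy={s['entropy']:.2f} "
              f"random_ratio={s['random_ratio']:.1f} flagged={s['flagged']}")
```

                    The point the mixed class makes: CanConvertFrom/ConvertFrom/ConvertTo (and Dispose, ToString, ProcessDialogKey, Next and NextBytes in the other entries) are overrides of framework virtuals, which a renaming obfuscator must keep, so they lower the concatenated entropy and move the class toward the cut-off. A per-name feature keeps the verdict stable when a handful of such names is present, which is exactly the shape of the classes the report lists.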

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: z71htmivzKAUpOkr2J.exe PID: 7600, type: MEMORYSTR
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1445809859.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000000.00000002.1445809859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2670976514.0000000000402000.00000040.00000400.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Memory allocated: 1130000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Memory allocated: 2AC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Memory allocated: 4AC0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Memory allocated: 7890000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Memory allocated: 7390000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Memory allocated: 8890000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Memory allocated: 9890000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Memory allocated: 1690000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Memory allocated: 3450000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Memory allocated: 1C40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7644
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2062
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Window / User API: threadDelayed 2008
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Window / User API: threadDelayed 7844
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 7620 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8036 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep count: 34 > 30
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -31359464925306218s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8112 | Thread sleep count: 2008 > 30
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -99859s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8112 | Thread sleep count: 7844 > 30
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -99734s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -99572s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -99391s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -99265s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -99146s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -99003s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -98875s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -98765s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -98656s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -98547s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -98437s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -98328s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -98218s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -98109s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -98000s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -97890s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -97781s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -97671s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -97562s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -97453s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -97343s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -97234s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -97125s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -97013s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -96906s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -96796s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -96687s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -96578s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -96468s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -96358s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -96250s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -96140s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -96031s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -95921s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -95812s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -95703s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -95593s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -95484s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -95375s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -95265s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -95156s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -95047s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -94937s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -94828s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -94718s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -94608s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -94500s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe TID: 8068 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 99859
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 99734
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 99572
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 99391
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 99265
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 99146
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 99003
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 98875
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 98765
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 98656
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 98547
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 98437
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 98328
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 98218
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 98109
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 98000
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 97890
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 97781
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 97671
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 97562
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 97453
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 97343
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 97234
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 97125
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 97013
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 96906
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 96796
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 96687
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 96578
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 96468
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 96358
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 96250
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 96140
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 96031
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 95921
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 95812
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 95703
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 95593
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 95484
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 95375
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 95265
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 95156
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 95047
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 94937
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 94828
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 94718
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 94608
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 94500
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Thread delayed: delay time: 922337203685477
                    Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
                    Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1438467207.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2670976514.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBox
                    Source: z71htmivzKAUpOkr2J.exe, 00000000.00000002.1438467207.0000000000CC3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\`
                    Source: z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

                    Anti Debugging

                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Code function: 6_2_016D70A0 CheckRemoteDebuggerPresent, 6_2_016D70A0
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Memory written: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Process created: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Queries volume information: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe VolumeInformation
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeQueries volume information: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.z71htmivzKAUpOkr2J.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000006.00000002.2673856097.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.2670976514.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.2673856097.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1445809859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1445809859.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: z71htmivzKAUpOkr2J.exe PID: 7600, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: z71htmivzKAUpOkr2J.exe PID: 7860, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (2 identical entries)
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.z71htmivzKAUpOkr2J.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000006.00000002.2670976514.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.2673856097.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1445809859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1445809859.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: z71htmivzKAUpOkr2J.exe PID: 7600, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: z71htmivzKAUpOkr2J.exe PID: 7860, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 6.2.z71htmivzKAUpOkr2J.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3ced9e0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.z71htmivzKAUpOkr2J.exe.3d29000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000006.00000002.2673856097.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.2670976514.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.2673856097.0000000003481000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1445809859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.1445809859.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: z71htmivzKAUpOkr2J.exe PID: 7600, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: z71htmivzKAUpOkr2J.exe PID: 7860, type: MEMORYSTR
                    Tactic | Techniques (numeric prefixes are kept as they appear in the report's matrix cells)
                    Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development | Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution | 231 Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence | 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation | 1 DLL Side-Loading; 111 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion | 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 261 Virtualization/Sandbox Evasion; 111 Process Injection
                    Credential Access | 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery | 1 File and Directory Discovery; 34 System Information Discovery; 531 Security Software Discovery; 1 Process Discovery; 261 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
                    Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection | 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control | 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1528267 | Sample: z71htmivzKAUpOkr2J.exe | Start date: 07/10/2024 | Architecture: WINDOWS | Score: 100

                    Start (node 2)
                    DNS/IP: mail.apexrnun.com; ip-api.com; 2 other IPs or domains
                    Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
                    Started: z71htmivzKAUpOkr2J.exe 4 (node 8)

                    z71htmivzKAUpOkr2J.exe 4 (node 8)
                    Dropped file: C:\Users\user\...\z71htmivzKAUpOkr2J.exe.log, ASCII
                    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 3 other signatures
                    Started: z71htmivzKAUpOkr2J.exe 15 2 (node 12); powershell.exe 23 (node 16); z71htmivzKAUpOkr2J.exe (node 18)

                    z71htmivzKAUpOkr2J.exe 15 2 (node 12)
                    DNS/IP: ip-api.com 208.95.112.1, 49745, 80, TUT-ASUS, United States; mail.apexrnun.com 185.196.9.150, 49755, 587, SIMPLECARRIERCH, Switzerland
                    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

                    powershell.exe 23 (node 16)
                    Signatures: Loading BitLocker PowerShell Module
                    Started: conhost.exe (node 20); WmiPrvSE.exe (node 22)

                    Source | Detection | Scanner | Label
                    z71htmivzKAUpOkr2J.exe | 47% | ReversingLabs | ByteCode-MSIL.Trojan.GenSteal
                    z71htmivzKAUpOkr2J.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    https://account.dyn.com/ | 0% | URL Reputation | safe
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
                    http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
                    http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
                    http://ip-api.com/line/?fields=hosting | 0% | URL Reputation | safe
                    http://ip-api.com | 0% | URL Reputation | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | unknown
                    ip-api.com | 208.95.112.1 | true | true | | unknown
                    mail.apexrnun.com | 185.196.9.150 | true | true | | unknown
                    241.42.69.40.in-addr.arpa | unknown | unknown | false | | unknown
                    212.20.149.52.in-addr.arpa | unknown | unknown | false | | unknown

                    Name | Malicious | Antivirus Detection | Reputation
                    http://ip-api.com/line/?fields=hosting | false | URL Reputation: safe | unknown

                    Name | Source | Malicious | Antivirus Detection | Reputation
                    https://account.dyn.com/ | z71htmivzKAUpOkr2J.exe, 00000000.00000002.1445809859.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000000.00000002.1445809859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2670976514.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://mail.apexrnun.com | z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
                    http://r11.o.lencr.org0# | z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.0000000001247000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | z71htmivzKAUpOkr2J.exe, 00000000.00000002.1443924099.0000000002B15000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.0000000003451000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://x1.c.lencr.org/0 | z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.0000000001247000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://x1.i.lencr.org/0 | z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012D2000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.0000000001247000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                    http://r11.i.lencr.org/02 | z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012E7000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.0000000001247000.00000004.00000020.00020000.00000000.sdmp, z71htmivzKAUpOkr2J.exe, 00000006.00000002.2671377659.00000000012A7000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                    http://ip-api.com | z71htmivzKAUpOkr2J.exe, 00000006.00000002.2673856097.0000000003451000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | true
                    185.196.9.150 | mail.apexrnun.com | Switzerland | 42624 | SIMPLECARRIERCH | true
                    Joe Sandbox version: 41.0.0 Charoite
                    Analysis ID: 1528267
                    Start date and time: 2024-10-07 18:01:08 +02:00
                    Joe Sandbox product: CloudBasic
                    Overall analysis duration: 0h 6m 35s
                    Hypervisor based Inspection enabled: false
                    Report type: full
                    Cookbook file name: default.jbs
                    Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of new started processes analysed: 13
                    Number of new started drivers analysed: 0
                    Number of existing processes analysed: 0
                    Number of existing drivers analysed: 0
                    Number of injected processes analysed: 0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode: default
                    Analysis stop reason: Timeout
                    Sample name: z71htmivzKAUpOkr2J.exe
                    Detection: MAL
                    Classification: mal100.troj.spyw.evad.winEXE@9/6@4/2
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 99%
                    • Number of executed functions: 97
                    • Number of non-executed functions: 10
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                    • Not all processes were analyzed; the report is missing behavior information
                    • Report size getting too big, too many NtCreateKey calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: z71htmivzKAUpOkr2J.exe
                    Time | Type | Description
                    12:02:06 | API Interceptor | 50x Sleep call for process: z71htmivzKAUpOkr2J.exe modified
                    12:02:08 | API Interceptor | 17x Sleep call for process: powershell.exe modified
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    208.95.112.1 | scan_374783.js | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | RFQ 002593810024350.bat.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | DHL_Doc.9787653446578978656879764534576879764545766456.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | Request For Quotation.js | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | PixpFUv4G7.exe | malicious | Quasar, XWorm | ip-api.com/line/?fields=hosting
                    208.95.112.1 | H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm | ip-api.com/json/?fields=225545
                    208.95.112.1 | A39tzaySzX.exe | malicious | AsyncRAT, XWorm | ip-api.com/line/?fields=hosting
                    208.95.112.1 | Bpz46JayQ4.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
                    208.95.112.1 | qtYuyATh0U.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
                    208.95.112.1 | SOA-injazfe-10424.vbs | malicious | XWorm | ip-api.com/line/?fields=hosting
                    185.196.9.150 | VtkzI2DleKAWijQ.exe | malicious | AgentTesla |
                    185.196.9.150 | rQUu2eHuvuSOA1L.exe | malicious | AgentTesla |
                    185.196.9.150 | 7ITEwXm2Pk.exe | malicious | AgentTesla |
                    185.196.9.150 | r7XXceHRzO.exe | malicious | AgentTesla |
                    185.196.9.150 | z23T2A9LQmk3VeaWi6.exe | malicious | AgentTesla |
                    185.196.9.150 | rIlzbkxg.exe | malicious | AgentTesla, PureLog Stealer |
                    185.196.9.150 | mFduH8XG1f.exe | malicious | AgentTesla, PureLog Stealer |
                    185.196.9.150 | twoLikylgdo.exe | malicious | AgentTesla, PureLog Stealer |
                    185.196.9.150 | inlawQzshlu.exe | malicious | AgentTesla, PureLog Stealer |
                    185.196.9.150 | inlawBtyja.exe | malicious | AgentTesla, PureLog Stealer |
                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        s-part-0017.t-0009.t-msedge.nethttps://forms.office.com/Pages/ShareFormPage.aspx?id=W8eUhlA4rUOuklSyoCn21mtmgAvPzYFJuSM99R6gX3dUQ1IyWUM1UUhTS1pWQ0xXNkI3RzlRRkFIVi4u&sharetoken=93tGEOrxpFy3X0nnxFcrGet hashmaliciousHTMLPhisherBrowse
                                                        • 13.107.246.45
| file.exe | malicious | Vidar | 13.107.246.45
| https://email.oxblue.com/e3t/Ctc/Q+113/cdDrv04/VXdfjN46m5dxW4GJlKB4fd0DdW2sbCLr5lTFq6N7Hm8xT3qgyTW7Y8-PT6lZ3lzW1ccS1H8Y8rzXW1hrlTV77h1NhW5_pVzH8bsnn6W1PWxqV8D5TN_W4_z5yx2Cz_4sMrZF-GqDHzcW8pZQ3N3BhYgKW3tmwg72n4TxDW4fS46V1-s7dgW57YVF64HfrMMW2BxxC75X21XdW1nBYw_1PMVGyW8s_YKQ6BTQZmW8wDJ4k3-yNbbW2_BGfy66mfVdW937hqt5kq1CcW4XD3mN54BQSWW4G8TK98NTx7zW74frv25zlZbQW5ztJ6n6fGJFrMSqBjr36qwYW2tk9Xh21wMKrW5RXwDq1M2mmrW3nyq_P20wBvNN8-tVH1nqcD1W5m3Vz04sj9CQf2ygfDq04 | malicious | Unknown | 13.107.246.45
| YSjOEAta07.exe | malicious | FormBook | 13.107.246.45
| Payment.vbs | malicious | FormBook | 13.107.246.45
| original.eml | malicious | Tycoon2FA | 13.107.246.45
| 5fe2eenspI.exe | malicious | Unknown | 13.107.246.45
| http://46.27.141.62 | malicious | Unknown | 13.107.246.45
| https://kohlhage-de.powerappsportals.com/ | malicious | HtmlDropper, HTMLPhisher | 13.107.246.45
| SecuriteInfo.com.Win32.PWSX-gen.19312.293.exe | malicious | Unknown | 13.107.246.45
ip-api.com | scan_374783.js | malicious | AgentTesla | 208.95.112.1
| RFQ 002593810024350.bat.exe | malicious | AgentTesla | 208.95.112.1
| DHL_Doc.9787653446578978656879764534576879764545766456.exe | malicious | AgentTesla | 208.95.112.1
| http://tcaconnect.ac-page.com/toronto-construction-association-inc/ | malicious | Unknown | 51.77.64.70
| Request For Quotation.js | malicious | AgentTesla | 208.95.112.1
| PixpFUv4G7.exe | malicious | Quasar, XWorm | 208.95.112.1
| H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm | 208.95.112.1
| A39tzaySzX.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
| Bpz46JayQ4.exe | malicious | XWorm | 208.95.112.1
| qtYuyATh0U.exe | malicious | XWorm | 208.95.112.1
mail.apexrnun.com | VtkzI2DleKAWijQ.exe | malicious | AgentTesla | 185.196.9.150
| rQUu2eHuvuSOA1L.exe | malicious | AgentTesla | 185.196.9.150
| 7ITEwXm2Pk.exe | malicious | AgentTesla | 185.196.9.150
| r7XXceHRzO.exe | malicious | AgentTesla | 185.196.9.150
| z23T2A9LQmk3VeaWi6.exe | malicious | AgentTesla | 185.196.9.150
| rIlzbkxg.exe | malicious | AgentTesla, PureLog Stealer | 185.196.9.150
| mFduH8XG1f.exe | malicious | AgentTesla, PureLog Stealer | 185.196.9.150
| twoLikylgdo.exe | malicious | AgentTesla, PureLog Stealer | 185.196.9.150
| inlawQzshlu.exe | malicious | AgentTesla, PureLog Stealer | 185.196.9.150
| inlawBtyja.exe | malicious | AgentTesla, PureLog Stealer | 185.196.9.150
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | scan_374783.js | malicious | AgentTesla | 208.95.112.1
| RFQ 002593810024350.bat.exe | malicious | AgentTesla | 208.95.112.1
| DHL_Doc.9787653446578978656879764534576879764545766456.exe | malicious | AgentTesla | 208.95.112.1
| Request For Quotation.js | malicious | AgentTesla | 208.95.112.1
| PixpFUv4G7.exe | malicious | Quasar, XWorm | 208.95.112.1
| H2f8SkAvdV.exe | malicious | Blank Grabber, XWorm | 208.95.112.1
| A39tzaySzX.exe | malicious | AsyncRAT, XWorm | 208.95.112.1
| Bpz46JayQ4.exe | malicious | XWorm | 208.95.112.1
| qtYuyATh0U.exe | malicious | XWorm | 208.95.112.1
| SOA-injazfe-10424.vbs | malicious | XWorm | 208.95.112.1
SIMPLECARRIERCH | 1tstvk3Sls.exe | malicious | RHADAMANTHYS | 185.196.11.237
| GX9zyKVNXR.exe | malicious | RedLine | 185.196.9.26
| Lys2hJAvd1.exe | malicious | RedLine | 185.196.9.26
| JfvFiUr0DO.exe | malicious | RedLine | 185.196.9.26
| gLKtR4HuEw.exe | malicious | RedLine | 185.196.9.26
| injector V2.5.exe | malicious | RedLine | 185.196.9.26
| Jeverly.exe | malicious | RedLine | 185.196.9.26
| by_execute.exe | malicious | RedLine | 185.196.9.26
| Shark#U041ePShC.exe | malicious | RedLine | 185.196.9.26
| GipsonyVelo.exe | malicious | RedLine | 185.196.9.26
                                                        No context
                                                        No context
                                                        Process:C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:true
                                                        Reputation:high, very likely benign file
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):2232
                                                        Entropy (8bit):5.379401388151058
                                                        Encrypted:false
                                                        SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//YPUyus:fLHxvIIwLgZ2KRHWLOugQs
                                                        MD5:254E3634833B07F95061588B960F3D96
                                                        SHA1:10F786DD15EBD4FD93687219D109B0E2F8499010
                                                        SHA-256:A3C6A2952F11C3EEDF8D48AEC01FD3B12723526899714272D02FB20A6A3C76E0
                                                        SHA-512:78B9B4BE082863EAB414C444CB5A2CCCA0C81A0176D743D578EADE9A7321AD65A3083FE3416C3428BC7B757E76427D543AB18617B19811CCC17C78ACDC126B1E
                                                        Malicious:false
                                                        Reputation:low
                                                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.9800870364050365
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:z71htmivzKAUpOkr2J.exe
                                                        File size:650'752 bytes
                                                        MD5:4cc4300ca47f721736cf09e113d5d911
                                                        SHA1:2c4cdbd5ecd86653e18945a320cd021001ca03f8
                                                        SHA256:60b3f4ef12794600833b77583624d77d037885f3bbc6361b013eb4ecf2017b99
                                                        SHA512:b7c715886f4bdbb02d2ce9277c96bcdb3eb0c5c84b67ea6d5b936a703ee6772c8eb9cd0f7205eeca9ccdc350c131039e1e7b3e19d7bd6df8b4166c3bf1f6af5e
                                                        SSDEEP:12288:nYf0+ST8QGjRBBeLICPy1CS9jPWinuHg7VCFYKK56eS95Cdr:nYpmeTBWn78TjuHghCNo6eOM
                                                        TLSH:DFD4335575ACAEA3D4046B750C8070614BF91A992C81EFD08E3812DD9F1F76D8F87BA3
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...a..g..............0.................. ... ....@.. .......................`............@................................
                                                        Icon Hash:00928e8e8686b000
                                                        Entrypoint:0x4a02c2
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x67039F61 [Mon Oct 7 08:44:17 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa026f | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x5a4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9ec74 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9e2c8 | 0x9e400 | c6cd2af351644615e22b91d585926abe | False | 0.984654238250395 | data | 7.984679239513805 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xa2000 | 0x5a4 | 0x600 | 66f9f7331e6c93eb2f39a64fc4d8978e | False | 0.419921875 | data | 4.0659408182545835 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xa4000 | 0xc | 0x200 | 78a6e0d106e4929bfd1a015b974c0361 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xa2090 | 0x314 | data | | | 0.4352791878172589
RT_MANIFEST | 0xa23b4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 7, 2024 18:02:09.922801018 CEST | 192.168.2.9 | 1.1.1.1 | 0xf093 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Oct 7, 2024 18:02:11.132066965 CEST | 192.168.2.9 | 1.1.1.1 | 0x1032 | Standard query (0) | mail.apexrnun.com | A (IP address) | IN (0x0001) | false
Oct 7, 2024 18:02:34.735824108 CEST | 192.168.2.9 | 1.1.1.1 | 0xa511 | Standard query (0) | 241.42.69.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Oct 7, 2024 18:02:36.031763077 CEST | 192.168.2.9 | 1.1.1.1 | 0xeeae | Standard query (0) | 212.20.149.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 7, 2024 18:02:01.765677929 CEST | 1.1.1.1 | 192.168.2.9 | 0x8884 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 7, 2024 18:02:01.765677929 CEST | 1.1.1.1 | 192.168.2.9 | 0x8884 | No error (0) | s-part-0017.t-0009.t-msedge.net | | 13.107.246.45 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 18:02:09.929997921 CEST | 1.1.1.1 | 192.168.2.9 | 0xf093 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 18:02:11.448348999 CEST | 1.1.1.1 | 192.168.2.9 | 0x1032 | No error (0) | mail.apexrnun.com | | 185.196.9.150 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 18:02:34.743804932 CEST | 1.1.1.1 | 192.168.2.9 | 0xa511 | Name error (3) | 241.42.69.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 7, 2024 18:02:36.039124966 CEST | 1.1.1.1 | 192.168.2.9 | 0xeeae | Name error (3) | 212.20.149.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                                                        • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49745 | 208.95.112.1 | 80 | 7860 | C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe

Timestamp | Bytes transferred | Direction | Data
Oct 7, 2024 18:02:09.960072041 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Oct 7, 2024 18:02:10.405968904 CEST | 175 | IN | HTTP/1.1 200 OK
    Date: Mon, 07 Oct 2024 16:02:09 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 6
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 66 61 6c 73 65 0a
    Data Ascii: false


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 7, 2024 18:02:12.781399965 CEST | 587 | 49755 | 185.196.9.150 | 192.168.2.9 | 220 cp.apexrnun.com
Oct 7, 2024 18:02:12.781738043 CEST | 49755 | 587 | 192.168.2.9 | 185.196.9.150 | EHLO 247525
Oct 7, 2024 18:02:13.208858967 CEST | 587 | 49755 | 185.196.9.150 | 192.168.2.9 | 250-cp.apexrnun.com Hello 247525 [8.46.123.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPE_CONNECT
    250-CHUNKING
    250-STARTTLS
    250 HELP
Oct 7, 2024 18:02:13.209017038 CEST | 49755 | 587 | 192.168.2.9 | 185.196.9.150 | STARTTLS
Oct 7, 2024 18:02:13.612545013 CEST | 587 | 49755 | 185.196.9.150 | 192.168.2.9 | 220 TLS go ahead


                                                        Target ID:0
                                                        Start time:12:02:05
                                                        Start date:07/10/2024
                                                        Path:C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
                                                        Imagebase:0x710000
                                                        File size:650'752 bytes
                                                        MD5 hash:4CC4300CA47F721736CF09E113D5D911
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1445809859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1445809859.0000000003AC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1445809859.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1445809859.0000000003CED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:12:02:07
                                                        Start date:07/10/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
                                                        Imagebase:0xce0000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:12:02:07
                                                        Start date:07/10/2024
                                                        Path:C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
                                                        Imagebase:0x230000
                                                        File size:650'752 bytes
                                                        MD5 hash:4CC4300CA47F721736CF09E113D5D911
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:12:02:07
                                                        Start date:07/10/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff70f010000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:12:02:07
                                                        Start date:07/10/2024
                                                        Path:C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\z71htmivzKAUpOkr2J.exe"
                                                        Imagebase:0xd80000
                                                        File size:650'752 bytes
                                                        MD5 hash:4CC4300CA47F721736CF09E113D5D911
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2673856097.00000000034D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2673856097.00000000034AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2670976514.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2670976514.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2673856097.0000000003481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2673856097.0000000003481000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:7
                                                        Start time:12:02:09
                                                        Start date:07/10/2024
                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x7ff72d8c0000
                                                        File size:496'640 bytes
                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false


                                                          Execution Graph

                                                          Execution Coverage:10.1%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:4.1%
                                                          Total number of Nodes:244
                                                          Total number of Limit Nodes:10

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1447350311.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5030000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 90
                                                          • API String ID: 0-1770303465
                                                          • Opcode ID: ab455581f43024d8a3f2a1dbcb8c0a53d1d0181537b8d56b92326a0588f7350f
                                                          • Instruction ID: c17f033065c51058a11b0e1af7d1660f4ae727e1c13d7796b8b3f17683c84a45
                                                          • Opcode Fuzzy Hash: ab455581f43024d8a3f2a1dbcb8c0a53d1d0181537b8d56b92326a0588f7350f
                                                          • Instruction Fuzzy Hash: 4BC2DF34A00219CFDB24DF64D998AE9B7B2FF89304F1181E9D509AB361DB31AE85CF50

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1447350311.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5030000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: 90
                                                          • API String ID: 0-1770303465
                                                          • Opcode ID: d42c2b2c9a99157f918fbf86c9228c914de28d1429e99f3c24d9b87699240a64
                                                          • Instruction ID: 7dbf49289b4e62f4afb58f2d88e6109777c2757facc3360b6be7a1ca32454032
                                                          • Opcode Fuzzy Hash: d42c2b2c9a99157f918fbf86c9228c914de28d1429e99f3c24d9b87699240a64
                                                          • Instruction Fuzzy Hash: 3CB2B134A01218CFDB25DF64D998AE9B7B2FF89305F1181E9D509AB361DB31AE85CF40
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9a1decccc9edca339184ebb52923786e1c97d4e38e6b8163fe089669468e1ed1
                                                          • Instruction ID: 0a67ecab35a068fb533e26c3a3b2af442522bf49512e4041c19271b9cf00c052
                                                          • Opcode Fuzzy Hash: 9a1decccc9edca339184ebb52923786e1c97d4e38e6b8163fe089669468e1ed1
                                                          • Instruction Fuzzy Hash: AFC1B9B17216068FDB2ADB75C410BAEB7FAAF8A600F14846DD146CB790CF75E842CB51
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9d7b2d639f117d7990ba20927b31b06bb60baca9963d7587051a367bedd48779
                                                          • Instruction ID: bf5802a77dd79d82d3c090296b64201a4140423e4f6a29c04c63ac450407751f
                                                          • Opcode Fuzzy Hash: 9d7b2d639f117d7990ba20927b31b06bb60baca9963d7587051a367bedd48779
                                                          • Instruction Fuzzy Hash: 3671F8B4D24219CFDB28CF99C844BEDBBB6BF89300F10D0A9D909A7255D774A985CF60
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a385ae877898832c5667af4b613753ad422650968cdcf5cc273fb63e9369b74e
                                                          • Instruction ID: c95773085571b7a4b8f4d21bbb5d6432ebc6c9f4fc26a6eea6d00c2f75efd099
                                                          • Opcode Fuzzy Hash: a385ae877898832c5667af4b613753ad422650968cdcf5cc273fb63e9369b74e
                                                          • Instruction Fuzzy Hash: FB313BB0C157989FDB1ACFA6C8443DEBFF2AF8A300F04C4AAC449AA261D7740945CF61

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07245E16
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: ea3c9db1f9c9d4e73d7abaa40098f9ac029a16225d38fd90e0c27205df3198b1
                                                          • Instruction ID: 13bea0a2491037cafd1a40e958bd45010cf662006c56734bd692e64ee5877b17
                                                          • Opcode Fuzzy Hash: ea3c9db1f9c9d4e73d7abaa40098f9ac029a16225d38fd90e0c27205df3198b1
                                                          • Instruction Fuzzy Hash: 70A169B1D1035ACFEB24CF69C8407EEBBB2BF48310F148569E858A7280DB749995CF91

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07245E16
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 4bd9e7da4fd3860e5cc1754a726a222aa1f031f5528f24106c9a9f7b9f78b856
                                                          • Instruction ID: 1f5e675b5381e16932c0c49e1f8af9e62bda14efe6d35e6c7906a47375e93aa9
                                                          • Opcode Fuzzy Hash: 4bd9e7da4fd3860e5cc1754a726a222aa1f031f5528f24106c9a9f7b9f78b856
                                                          • Instruction Fuzzy Hash: 159159B1D1035ACFEB24CF69C8407EEBBB2AF48310F148569E859A7240DB749995CF91

                                                          Control-flow Graph

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0117AF9E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1441917072.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1170000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: e22c7c03cd0bba898d66711e124de3770af13707efc5d0d84754b0b071cc9a1b
                                                          • Instruction ID: d0db7aee7eb8d6326badf3061e7244c4754ff6b1ac29b0663e500eb541825aad
                                                          • Opcode Fuzzy Hash: e22c7c03cd0bba898d66711e124de3770af13707efc5d0d84754b0b071cc9a1b
                                                          • Instruction Fuzzy Hash: CC712470A00B058FE729DF29E45475ABBF1FF88204F14892DD48AD7B40DB75E949CB91

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 011759C9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1441917072.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1170000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 3b44d64bfa056127a30a6ce0df4fdb5c9f4361af321fe4fcf2efade64727eb52
                                                          • Instruction ID: 065201dc99d79266de8ae288b0d21866d4ea7a0d355d6ebaf53f041319869e19
                                                          • Opcode Fuzzy Hash: 3b44d64bfa056127a30a6ce0df4fdb5c9f4361af321fe4fcf2efade64727eb52
                                                          • Instruction Fuzzy Hash: 8541C3B0C00719CFEB24DFA9C8847CDBBB6BF89704F24806AD418AB251DB75694ACF51

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 011759C9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1441917072.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1170000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: 796fdecb4287e290b76f444dc9e98b570a1361c4b52889e28380bc91b472918e
                                                          • Instruction ID: 606cd38a9871c5d1f51d38b33132287712eebe26d8999d2ab21bd6fc5a90c4c7
                                                          • Opcode Fuzzy Hash: 796fdecb4287e290b76f444dc9e98b570a1361c4b52889e28380bc91b472918e
                                                          • Instruction Fuzzy Hash: 8541B2B0C00719CBEB28DFA9C8447DEBBB6BF49704F24806AD408AB251DB756945CF91

                                                          Control-flow Graph

                                                          APIs
                                                          • CallWindowProcW.USER32(?,?,?,?,?), ref: 05034101
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1447350311.0000000005030000.00000040.00000800.00020000.00000000.sdmp, Offset: 05030000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_5030000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: CallProcWindow
                                                          • String ID:
                                                          • API String ID: 2714655100-0
                                                          • Opcode ID: d5ce9c5793151f0cea2af1c6762980f256d8c362ccb0528014926bfc7c3640ba
                                                          • Instruction ID: 10142fe08946614737950eb47f5ee1db30dc95664002aeb41f2618e191754596
                                                          • Opcode Fuzzy Hash: d5ce9c5793151f0cea2af1c6762980f256d8c362ccb0528014926bfc7c3640ba
                                                          • Instruction Fuzzy Hash: 1A4138B4A00709DFDB14CF99C849AAEBBF5FB88314F24C499D519AB321D374A841CFA0

                                                          Control-flow Graph

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072459E8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: ecfca627554da1a571c0c44648f594ba9404a2585699b03bd197ae7c7e02b347
                                                          • Instruction ID: 62454b4d7b6b2ab37411c30b176709b6f283459a5b85a7b4b5a700baefdefbd1
                                                          • Opcode Fuzzy Hash: ecfca627554da1a571c0c44648f594ba9404a2585699b03bd197ae7c7e02b347
                                                          • Instruction Fuzzy Hash: 062148B291034A9FDB10CFAAC8857DEBBF5FF48310F14842AE959A7240D7799554CBA0

                                                          Control-flow Graph

                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072459E8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0

                                                          Control-flow Graph: basic blocks 7245a40-7245b0e, with the ReadProcessMemory call in block 7245a9c-7245ad5
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07245AC8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0

                                                          Control-flow Graph: basic blocks 72457b8-7245884, with the Wow64SetThreadContext call in block 724581b-724584b
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0724583E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0

                                                          Control-flow Graph: basic blocks 117d21c-117d6ea, with the DuplicateHandle call in block 117d21c-117d6c4
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0117D5F6,?,?,?,?,?), ref: 0117D6B7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1441917072.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1170000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0

                                                          Control-flow Graph: basic blocks 117d629-117d6ea, with the DuplicateHandle call in block 117d629-117d6c4
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0117D5F6,?,?,?,?,?), ref: 0117D6B7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1441917072.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1170000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0

                                                          Control-flow Graph: basic blocks 72457c0-7245884, with the Wow64SetThreadContext call in block 724581b-724584b
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0724583E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07245AC8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07245906
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07245906
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 072488BD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 0117AF9E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1441917072.0000000001170000.00000040.00000800.00020000.00000000.sdmp, Offset: 01170000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1170000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 072488BD
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450851201.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_7240000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1439240568.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_f7d000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1439240568.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_f7d000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1439966804.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_109d000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1439966804.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_109d000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1439240568.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_f7d000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1439240568.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_f7d000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1439966804.000000000109D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0109D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_109d000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:

                                                          Execution Graph

                                                          Execution Coverage: 10.8%
                                                          Dynamic/Decrypted Code Coverage: 100%
                                                          Signature Coverage: 6.7%
                                                          Total number of Nodes: 45
                                                          Total number of Limit Nodes: 9
                                                          execution_graph (node and edge dump omitted; Windows API calls reached in the graph: GlobalMemoryStatusEx, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, CreateWindowExW, CheckRemoteDebuggerPresent, DuplicateHandle, GetModuleHandleW)

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $
                                                          • API String ID: 0-3993045852

                                                          Control-flow Graph

                                                          control_flow_graph 806 16d70a0-16d7124 CheckRemoteDebuggerPresent 808 16d712d-16d7168 806->808 809 16d7126-16d712c 806->809 809->808
                                                          APIs
                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 016D7117
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2672682240.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_16d0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID: CheckDebuggerPresentRemote
                                                          • String ID:
                                                          • API String ID: 3662101638-0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 06816e18f0fb1b5962003706e8f4babba70051cd4a190d2771ba690b92d1b50d
                                                          • Instruction ID: 7f2e940c0dd50672752a35ac3c208b6728e1deef1dffde24a0f77c6359437adc
                                                          • Opcode Fuzzy Hash: 06816e18f0fb1b5962003706e8f4babba70051cd4a190d2771ba690b92d1b50d
                                                          • Instruction Fuzzy Hash: 9502BE30B013068FEB54DB69D894AAEB7F2FF88304F148569D516AB391DB35ED42CB90

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 06C7350E
                                                          • GetCurrentThread.KERNEL32 ref: 06C7354B
                                                          • GetCurrentProcess.KERNEL32 ref: 06C73588
                                                          • GetCurrentThreadId.KERNEL32 ref: 06C735E1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677169582.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0

                                                          Control-flow Graph
                                                          • Graph of the function starting at 16df0a1 (calls GlobalMemoryStatusEx); graph image not reproduced
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2672682240.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false

                                                          Control-flow Graph
                                                          • Graph of the function starting at 6c7dbaf (calls CreateWindowExW); graph image not reproduced
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C7DCC2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677169582.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0

                                                          Control-flow Graph
                                                          • Graph of the function starting at 6c7dbb0 (calls CreateWindowExW); graph image not reproduced
                                                          APIs
                                                          • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06C7DCC2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677169582.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Similarity
                                                          • API ID: CreateWindow
                                                          • String ID:
                                                          • API String ID: 716092398-0

                                                          Control-flow Graph
                                                          • Graph of the function starting at 16d7099 (calls CheckRemoteDebuggerPresent); graph image not reproduced
                                                          APIs
                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 016D7117
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2672682240.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                          Similarity
                                                          • API ID: CheckDebuggerPresentRemote
                                                          • String ID:
                                                          • API String ID: 3662101638-0

                                                          Control-flow Graph
                                                          • Graph of the function starting at 6c736d0 (calls DuplicateHandle); graph image not reproduced
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06C7375F
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677169582.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0

                                                          Control-flow Graph
                                                          • Graph of the function starting at 6c736d8 (calls DuplicateHandle); graph image not reproduced
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06C7375F
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677169582.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0

                                                          Control-flow Graph
                                                          • Graph of the function starting at 16df188 (calls GlobalMemoryStatusEx); graph image not reproduced
                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNELBASE ref: 016DF1EF
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2672682240.00000000016D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016D0000, based on PE: false
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID:
                                                          • API String ID: 1890195054-0

                                                          Control-flow Graph
                                                          • Graph of the function starting at 6c7bbb7 (calls GetModuleHandleW); graph image not reproduced
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 06C7BC1E
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677169582.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0

                                                          Control-flow Graph
                                                          • Graph of the function starting at 6c7bbb8 (calls GetModuleHandleW); graph image not reproduced
                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 06C7BC1E
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677169582.0000000006C70000.00000040.00000800.00020000.00000000.sdmp, Offset: 06C70000, based on PE: false
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Similarity
                                                          • API ID:
                                                          • String ID: |
                                                          • API String ID: 0-2343686810
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3861951b8d13b97f4b0f92ecc7e268f4d477c82e14f8d0e71be4141e7e54af02
                                                          • Instruction ID: 6079cad1e4622d99e6dfc820ebcf40df2bdd3afcf1231091737ad7130dc59e04
                                                          • Opcode Fuzzy Hash: 3861951b8d13b97f4b0f92ecc7e268f4d477c82e14f8d0e71be4141e7e54af02
                                                          • Instruction Fuzzy Hash: 0D61F471F002114BDF619B7EC95466EBAE7AFC4220B194139D80AEB360DEB5ED0287D1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8c0d35c97012dd591baffb52192230377d4e08e59629e4117bb66a399a0d25a9
                                                          • Instruction ID: be1cd64bc61d2689ee9edb9032670851e34d49b516f062d1df71e67464123f37
                                                          • Opcode Fuzzy Hash: 8c0d35c97012dd591baffb52192230377d4e08e59629e4117bb66a399a0d25a9
                                                          • Instruction Fuzzy Hash: 90814D30B103468FDF54DBA9D8A07AEB7F2EB89304F148569D40ADB395DB74DC428B91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0dab34f9fb170846042adf093f63b01e5017268ee3144e0a142e28938c1095bf
                                                          • Instruction ID: b229abdf07c6cb7e2a3e0db9fab34ea012398e0cc86dd364215fe105e68014bf
                                                          • Opcode Fuzzy Hash: 0dab34f9fb170846042adf093f63b01e5017268ee3144e0a142e28938c1095bf
                                                          • Instruction Fuzzy Hash: 8E914E30E1021A8BDF64CF68C880B9DB7B1FF89314F20C699D549AB255DB71AA85CF90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 52dea09d0ce0998b9d7c37e0dd2349c49e875057754c540280c5eb996c275d33
                                                          • Instruction ID: 390ea4c233075bfdb6647827428da4464b3adb15b90638e49dabeefc1105ae5d
                                                          • Opcode Fuzzy Hash: 52dea09d0ce0998b9d7c37e0dd2349c49e875057754c540280c5eb996c275d33
                                                          • Instruction Fuzzy Hash: 97914F30E1061A8BDF64DFA4C880B9DB7B1FF89314F20C699D549BB245DB71AA85CF90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 05be8eaff7aa0259ae8271cca4096e340467281191d1b9616a2bdab5541145d0
                                                          • Instruction ID: db1b418e2ce1f666c4fef0e99bb41a17b8371ee0c34e9d4575ebd177cb16fbce
                                                          • Opcode Fuzzy Hash: 05be8eaff7aa0259ae8271cca4096e340467281191d1b9616a2bdab5541145d0
                                                          • Instruction Fuzzy Hash: 98712C70E0020A8FDB54DFA9D984AADBBF6FF88304F148529D416AB355DB30ED46DB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 213315da516f03fc448d58fb9d9507dcf1eaa9e25570c5f00079f2f8b240d648
                                                          • Instruction ID: 27de9c55b72cebb08d8ca5c07eb16e296f37ca5e82556f6d615631c3b06e744d
                                                          • Opcode Fuzzy Hash: 213315da516f03fc448d58fb9d9507dcf1eaa9e25570c5f00079f2f8b240d648
                                                          • Instruction Fuzzy Hash: DC713B70E0020A8FDB54DFA9D884AADBBF6FF88304F248429D416AB355DB30ED45DB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 17c33a6037a87ca337174515671924b71f4850ff03a35ae8a94365b7aa96af7d
                                                          • Instruction ID: 1ac02ab9f553ba0fbd5dc44b374ae555edc2716cf16465ccc46189831b852be7
                                                          • Opcode Fuzzy Hash: 17c33a6037a87ca337174515671924b71f4850ff03a35ae8a94365b7aa96af7d
                                                          • Instruction Fuzzy Hash: 8851B031E0020ADFDF64EF78E8586ADB7B2FB84219F10886ED416D7251DB358A15CB81
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 713112bf51b1ef5c8b6c6c8340f3f7820f19312d685c3d9d188eba162c5d2b16
                                                          • Instruction ID: 08affdd806408bfbf51c31a381111575eb7b09375755cf365ff928aee508d9e5
                                                          • Opcode Fuzzy Hash: 713112bf51b1ef5c8b6c6c8340f3f7820f19312d685c3d9d188eba162c5d2b16
                                                          • Instruction Fuzzy Hash: BD51A370B103169BFF649668E8A476F276BE78D314F20843ED40AC7391CA7DCD4587A2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7f8daf6a0b7b87c651beba7ec7e0118f79eca94d163b04ff1bc3a89061776669
                                                          • Instruction ID: 3593a6f80f55de902a300d272eef3d56538e2063404700c236734f239a425efe
                                                          • Opcode Fuzzy Hash: 7f8daf6a0b7b87c651beba7ec7e0118f79eca94d163b04ff1bc3a89061776669
                                                          • Instruction Fuzzy Hash: 5D51C370B103169BFF649668E8A476F666BE78D314F20842EE41BC7391CA7DCD4583A2
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b8e1c102731ae16dc4b8816494fed811b2cc7b3cfc3dbeabad8dcd0557d319e4
                                                          • Instruction ID: a10f7d9e37b1a29968c9b3a22da1f4b8921a888112b3d98c7b869a3154542d96
                                                          • Opcode Fuzzy Hash: b8e1c102731ae16dc4b8816494fed811b2cc7b3cfc3dbeabad8dcd0557d319e4
                                                          • Instruction Fuzzy Hash: 73518D30B102069FEB54DB68D8A1BAE77F6FB88700F448569C509DB395EB75EC018BA0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a17c873e83990638e79ba7a2b7728776078a5a60aa13b32915580dca3102cc1e
                                                          • Instruction ID: e8f26238dbf2b95858a45fc58268fabac500b99f5ce68809f091f7e1844fef4b
                                                          • Opcode Fuzzy Hash: a17c873e83990638e79ba7a2b7728776078a5a60aa13b32915580dca3102cc1e
                                                          • Instruction Fuzzy Hash: 2D418F70E0030ACFDB65DFA5D8947AEBBF2BF85244F204529E402EB650DB74A946CB91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bfec73953b9e073f2c4af826e9923468eaad75de0ab1c7efc547d0a0867f1b88
                                                          • Instruction ID: 9bfe5855a4a29d9de4ba715e970154755e822568d19acff855e378f2e8a1c073
                                                          • Opcode Fuzzy Hash: bfec73953b9e073f2c4af826e9923468eaad75de0ab1c7efc547d0a0867f1b88
                                                          • Instruction Fuzzy Hash: FB31CD30B003168FEB599B74D85866F7BA6FB89214F18862CD406DB391DE39CE46CBD1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5061bbd12c37026048da1c37fe7dc94d5735dc2bab0310f294a27576cabd2d13
                                                          • Instruction ID: 09643f78a1f9740d5463f2ed6c1cde0ffc6ac6d963e5f86bb46eb999491a6b41
                                                          • Opcode Fuzzy Hash: 5061bbd12c37026048da1c37fe7dc94d5735dc2bab0310f294a27576cabd2d13
                                                          • Instruction Fuzzy Hash: BC31CD30B003168FEB599B74D85866F7BE6BB89214F28852CD406DB390DE39DE45CB91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0310f887e1631d12d8c6be7f88b4fc9d049483949cf0ca3e0efaaeb6c81ff875
                                                          • Instruction ID: 8911ed85f9566e2562e802c29c8ec1d887904afbfbfdf4a6237655b194251af5
                                                          • Opcode Fuzzy Hash: 0310f887e1631d12d8c6be7f88b4fc9d049483949cf0ca3e0efaaeb6c81ff875
                                                          • Instruction Fuzzy Hash: 26316930E0071A9BDB59CF68D854AAEB7B2FF89300F10852DE906E7250DB71ED42CB50
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: de3b9ad5bd643e60fc3f1660722ad50c5ae4659aa65726686709b5aaaaec995e
                                                          • Instruction ID: 112d62624a0486fd5d4050a2185d24c5ea57ed18411ed3a77d4c35a21f0149f5
                                                          • Opcode Fuzzy Hash: de3b9ad5bd643e60fc3f1660722ad50c5ae4659aa65726686709b5aaaaec995e
                                                          • Instruction Fuzzy Hash: FA31A270E1070A8BEF65CF64D99069EB7F6FF85304F108529E406AB710EB70E946CB91
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 94baf5f2a93343866034200894086f38fccc146c87a6869333ac35dd6d36912e
                                                          • Instruction ID: bc868b10759c8f4d9f36ae8fda748fa24c73aa0e967fb8bac664cc73219d97f9
                                                          • Opcode Fuzzy Hash: 94baf5f2a93343866034200894086f38fccc146c87a6869333ac35dd6d36912e
                                                          • Instruction Fuzzy Hash: B1315830E0071A9BDB59CF69D894AAEB7B2FF89300F148529E906E7350DB75ED42CB50
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eadfe7e609d70c202078a4aa6fd4dabc9e4eae7487fc390fda546240f8084fee
                                                          • Instruction ID: e834cd82c68f2e770f29d9dca3d1de0133a2fd2b231f4d8d0c11a0c2cebc4f8d
                                                          • Opcode Fuzzy Hash: eadfe7e609d70c202078a4aa6fd4dabc9e4eae7487fc390fda546240f8084fee
                                                          • Instruction Fuzzy Hash: D3217C71F003559FEB50CFA9D880AAEBBF6EB48710F148129E905E7390EB34ED018B90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e8af7727c57ae635dc28cf1acbfa5cf265640d0379ecc3131e35c3b6472af585
                                                          • Instruction ID: 59f26f24b62953d7d5f91e42efa515c56782511942c955a3f06b34306df045de
                                                          • Opcode Fuzzy Hash: e8af7727c57ae635dc28cf1acbfa5cf265640d0379ecc3131e35c3b6472af585
                                                          • Instruction Fuzzy Hash: EE216D75E007559FEB50CFA9D890AAEBBF2FB48700F148129E909E7390EB34DD408B94
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: da0c7cd3fe6410c372e09717a04009ffbf031ee533721d5404c6d7a52de64a06
                                                          • Instruction ID: 1fb2c0e97e149cd1d9a15f4c409128cb8b085a460e5909150d902c4a61ca5392
                                                          • Opcode Fuzzy Hash: da0c7cd3fe6410c372e09717a04009ffbf031ee533721d5404c6d7a52de64a06
                                                          • Instruction Fuzzy Hash: DF21CF31F102168FDF94CB29E8906AEB7B6FB84358F248429D805EB351DB36ED41CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2672393883.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_15fd000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 13deac427d03806ba33c476e50945f7027d94d5754bdabce5d1620da2a2a7ce8
                                                          • Instruction ID: a61f7ee4191c8eaf96ac35f91c1c17358a6306f901cbc35739b7084e50ab9532
                                                          • Opcode Fuzzy Hash: 13deac427d03806ba33c476e50945f7027d94d5754bdabce5d1620da2a2a7ce8
                                                          • Instruction Fuzzy Hash: B0217C711093C09FCB03CF64D990715BF71AB46214F29C5DBD9888F2A7C23A980ACB62
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2672393883.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_15fd000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aad9e4b9838c8416672f005dee0df49fa57354bed0670e9604827e0cf37b91b0
                                                          • Instruction ID: ff07d9154c7d19dd8a2dfbae534d6d87cab365ab743a5a216b15bdc6dad7998b
                                                          • Opcode Fuzzy Hash: aad9e4b9838c8416672f005dee0df49fa57354bed0670e9604827e0cf37b91b0
                                                          • Instruction Fuzzy Hash: 5E213071504200DFDB10DF94C8C0B2ABBB9FB84314F24C96DDA0A4F282D336D806CA62
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bfea7b5375f56d3f1bb9d40ccb3ee5814e6badb2ad4a6a1ec118a6a91f07b93b
                                                          • Instruction ID: 6601491d345852b88427fea377ca5430e634891d62b4a27709849e30f034a792
                                                          • Opcode Fuzzy Hash: bfea7b5375f56d3f1bb9d40ccb3ee5814e6badb2ad4a6a1ec118a6a91f07b93b
                                                          • Instruction Fuzzy Hash: 82214C71E1071A9BDF65CFA9C8406AEBBB5FF86304F10892EE805FB240D770A945CB80
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 83d4c15130da561b652284a0cccb48a10243cef324d64094a587df36c0afb0c9
                                                          • Instruction ID: f732423f24423eb43e2ff9c5bad140c4ae40bc789408986ac34e8921cb2c40ef
                                                          • Opcode Fuzzy Hash: 83d4c15130da561b652284a0cccb48a10243cef324d64094a587df36c0afb0c9
                                                          • Instruction Fuzzy Hash: B721E131F1021A8BDF84DB69E8506AEB7B6FB84354F288429D405EB340DB32ED41CB90
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 061af254a4439343349d6b7eeeba37f4488e007b4066aa93a5b3f3e8e62a3e38
                                                          • Instruction ID: 20b5dd759750c59c01b00bff5e364bcd5f05b0f7db626f585d2cc3809762343b
                                                          • Opcode Fuzzy Hash: 061af254a4439343349d6b7eeeba37f4488e007b4066aa93a5b3f3e8e62a3e38
                                                          • Instruction Fuzzy Hash: C711A132B106698FDF549679DC206AE77F6EBC8715F044139C40AE7344DE25DC028BE0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4eb4ca25c9810a56dd4763c7b76e3445d27dfaeda579d4a574302ba674a4b545
                                                          • Instruction ID: 88f67f95dfeb81c35f1f730a63b1381329aa9420f22f35ba9862f654dd533680
                                                          • Opcode Fuzzy Hash: 4eb4ca25c9810a56dd4763c7b76e3445d27dfaeda579d4a574302ba674a4b545
                                                          • Instruction Fuzzy Hash: F601B531F102514FEBA5866C982476F77E6DBC9724F14843EE40EC7356EA69CD0247E1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cae397713d18e294f29dd35c844465381cae90e96c10b2f3a19c7db4f8940c33
                                                          • Instruction ID: b8b810059a9d44d0d0748675666c784b9be94cc7b962b23af206d74df40aa27d
                                                          • Opcode Fuzzy Hash: cae397713d18e294f29dd35c844465381cae90e96c10b2f3a19c7db4f8940c33
                                                          • Instruction Fuzzy Hash: AE018431F006124FEB65867C985472E7BE6EBCA714F14843EE50AC7351DA29DD0293D1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 41ed66371a8c77261b09ae3d7024d477c837c7a4a0c84f569e24fe00bb0a2bc2
                                                          • Instruction ID: 941d1df9ad222704ff9cc6663b52f11356f70dd5eb8dcc45d1a1fd2d1406e6b9
                                                          • Opcode Fuzzy Hash: 41ed66371a8c77261b09ae3d7024d477c837c7a4a0c84f569e24fe00bb0a2bc2
                                                          • Instruction Fuzzy Hash: 2D2103B1D002599FCB10CF9AD884ADEFBB4FB48314F10812AE918A7200C3786954CFA4
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 15370f5b657b4fed3b7bedddcb7c2a01c468439ad9a87575aee47373e3505e46
                                                          • Instruction ID: d72077b20035de582d1af37fa0721587699b71b7ca7a514af7f0250b91332a79
                                                          • Opcode Fuzzy Hash: 15370f5b657b4fed3b7bedddcb7c2a01c468439ad9a87575aee47373e3505e46
                                                          • Instruction Fuzzy Hash: 5901DF32F102294BEB9896699C21ABF72ABEBC8314F04013AD40AD7240EE25DD0287D1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bd87eb16a413cfc072d7bef1f1cf7a981bd60e7f95c4dce2c6b476c91f91a8ba
                                                          • Instruction ID: 39a9fab7307ed7d89eb42fab44c922f9b69ab259fec1ceb0316890fa2043a7cb
                                                          • Opcode Fuzzy Hash: bd87eb16a413cfc072d7bef1f1cf7a981bd60e7f95c4dce2c6b476c91f91a8ba
                                                          • Instruction Fuzzy Hash: 9F11E4B5D012599FDB00CF9AD884ACEFBB4FB48314F10812AE518A7340D378A544CFA5
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 34d08df99a8ba42302c3bd28fc8283bcb4a3c9ead07fc3823c0f89dde0508243
                                                          • Instruction ID: 8e20a33117f978f029ca416ce57d0fea0a65bce46e65109619fe0b6f462778cf
                                                          • Opcode Fuzzy Hash: 34d08df99a8ba42302c3bd28fc8283bcb4a3c9ead07fc3823c0f89dde0508243
                                                          • Instruction Fuzzy Hash: 2601DC31B002110BEB65966D942072FB7DADBC9B24F20843EE10ECB385EE66DD0243E1
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: acc96acc628115819ae6d09bdfe364588dee51ece89bd667804f1773c223e736
                                                          • Instruction ID: fa5c4ac1969af02dbf36b52c6835fcaca74e9417613e927dc32ed45cbe4c2f6b
                                                          • Opcode Fuzzy Hash: acc96acc628115819ae6d09bdfe364588dee51ece89bd667804f1773c223e736
                                                          • Instruction Fuzzy Hash: F601DF30B103124FEB61CA7CE81476E77E6EB89714F10843DE50ACB351EA65EC018791
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: eec4038e220010d8c54bd0c0a9fc1e4bdfb60ea4e33cfc4a9088c25670aac571
                                                          • Instruction ID: c670dea74b9443a12179c301761287b01bb15bd77c5ab3d7f7b7b1bbf092e234
                                                          • Opcode Fuzzy Hash: eec4038e220010d8c54bd0c0a9fc1e4bdfb60ea4e33cfc4a9088c25670aac571
                                                          • Instruction Fuzzy Hash: 0E016931B006120BEA65966D985472F77EAEBCE724F10882DE50AC7345EA25ED029391
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 40932bf4f182c9ecdf5d1c4fafa8575e72a4edd18c3ffea37405579e7cc84682
                                                          • Instruction ID: d9ac1e1d2f084c13f48e9e115e92995bb5cc7542c2305021eb93846e7e1fd090
                                                          • Opcode Fuzzy Hash: 40932bf4f182c9ecdf5d1c4fafa8575e72a4edd18c3ffea37405579e7cc84682
                                                          • Instruction Fuzzy Hash: 5B01AF30B102120FEB61DAADE85072F73DAFB89718F10843CE50ACB351EB25ED018791
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 28612396ea8fcc1b8988a1edf14a99fae0deaea22be653bf595acf2b9fd5f6aa
                                                          • Instruction ID: ce3ca23d4e63209d58e13d036325765b8e4a1ef0ef2523f11ab671f6abc91fc6
                                                          • Opcode Fuzzy Hash: 28612396ea8fcc1b8988a1edf14a99fae0deaea22be653bf595acf2b9fd5f6aa
                                                          • Instruction Fuzzy Hash: D3F0A036E20329ABDF14A975EC40A9AB77AE784758F104429E901E7340DA35AD00C7C0
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5e5e07244341b057b34358ffaf198fa7f92ebeba56418d7eb01f6532bd4fcb6a
                                                          • Instruction ID: f29a8be1c69ab23127eae30094200122f5933208cbfa799de880376410e4a3ef
                                                          • Opcode Fuzzy Hash: 5e5e07244341b057b34358ffaf198fa7f92ebeba56418d7eb01f6532bd4fcb6a
                                                          • Instruction Fuzzy Hash: CDE0D8B0D2430D6FDF50CE71895036A76E9D71120CF1044A5D404CB202E576CE014740
                                                          Memory Dump Source
                                                          • Source File: 00000006.00000002.2677382592.0000000006CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CA0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_6_2_6ca0000_z71htmivzKAUpOkr2J.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 148237249b7218ce9d75ad2e097201490b79c5530e2cc275386063950114d60d
                                                          • Instruction ID: c312287b98ec23a6d97dc5295422c0840a4e70a75a663dfe0d94938578611f88
                                                          • Opcode Fuzzy Hash: 148237249b7218ce9d75ad2e097201490b79c5530e2cc275386063950114d60d
                                                          • Instruction Fuzzy Hash: EFF0F830A1021ADFDB68DF94E858BAEBBB2FF88704F204119E402A7394CBB41D41CB80