
Windows Analysis Report
Q7bAgeTZB8vmku7.exe

Overview

General Information

Sample name:Q7bAgeTZB8vmku7.exe
Analysis ID:1559490
MD5:9948091d5e1b566c2573df3d3d1cea91
SHA1:7f447c10dfc5d6562a3e7b48868ab972d99d7da4
SHA256:8c25a42242f041b0ecfc47164ef25a988b37735dac00a6990f7babd80eaa2487
Tags:exeuser-zn03zh

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses SMTP (mail sending)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Q7bAgeTZB8vmku7.exe (PID: 3208 cmdline: "C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe" MD5: 9948091D5E1B566C2573DF3D3D1CEA91)
    • powershell.exe (PID: 2952 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3868 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6532 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Q7bAgeTZB8vmku7.exe (PID: 4796 cmdline: "C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe" MD5: 9948091D5E1B566C2573DF3D3D1CEA91)
  • ODIlHgaFNJ.exe (PID: 3276 cmdline: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe MD5: 9948091D5E1B566C2573DF3D3D1CEA91)
    • schtasks.exe (PID: 3224 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • ODIlHgaFNJ.exe (PID: 3920 cmdline: "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe" MD5: 9948091D5E1B566C2573DF3D3D1CEA91)
    • ODIlHgaFNJ.exe (PID: 1560 cmdline: "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe" MD5: 9948091D5E1B566C2573DF3D3D1CEA91)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pgsu.co.id", "Username": "joko.wahyono@pgsu.co.id", "Password": "Vecls16@Vezs           "}

Yara matches in memory dumps (.sdmp)

Source | Rule | Description | Author | Strings
0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000D.00000002.4527865138.0000000002E79000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000007.00000002.4523809745.0000000000437000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2086107945.0000000004209000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.2086107945.0000000004209000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Yara matches in unpacked PE files (.unpack)

Source | Rule | Description | Author | Strings
0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen |
  • 0x316d7:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31749:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317d3:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31865:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318cf:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x31941:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319d7:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a67:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.Q7bAgeTZB8vmku7.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
7.2.Q7bAgeTZB8vmku7.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe", ParentImage: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe, ParentProcessId: 3208, ParentProcessName: Q7bAgeTZB8vmku7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe", ProcessId: 2952, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe, ParentImage: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe, ParentProcessId: 3276, ParentProcessName: ODIlHgaFNJ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp", ProcessId: 3224, ProcessName: schtasks.exe
Source: Network Connection, Author: frack113, Data: DestinationIp: 107.178.108.41, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe, Initiated: true, ProcessId: 1560, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49717
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe", ParentImage: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe, ParentProcessId: 3208, ParentProcessName: Q7bAgeTZB8vmku7.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp", ProcessId: 6532, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe", ParentImage: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe, ParentProcessId: 3208, ParentProcessName: Q7bAgeTZB8vmku7.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe", ProcessId: 2952, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe", ParentImage: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe, ParentProcessId: 3208, ParentProcessName: Q7bAgeTZB8vmku7.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp", ProcessId: 6532, ProcessName: schtasks.exe

Suricata IDS alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-20T15:49:08.317454+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 20.42.65.92 | 443 | TCP

AV Detection

Source: Q7bAgeTZB8vmku7.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe, Avira: detection malicious, Label: HEUR/AGEN.1306899
Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pgsu.co.id", "Username": "joko.wahyono@pgsu.co.id", "Password": "Vecls16@Vezs "}
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe, ReversingLabs: Detection: 44%
Source: Q7bAgeTZB8vmku7.exe, ReversingLabs: Detection: 44%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe, Joe Sandbox ML: detected
Source: Q7bAgeTZB8vmku7.exe, Joe Sandbox ML: detected
Source: Q7bAgeTZB8vmku7.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Q7bAgeTZB8vmku7.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe, Code function: 4x nop then jmp 077AB853h (0_2_077AB770)
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe, Code function: 4x nop then jmp 077AB853h (0_2_077AAECE)
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe, Code function: 4x nop then jmp 04F8A6F3h (8_2_04F8A610)
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe, Code function: 4x nop then jmp 04F8A6F3h (8_2_04F89D6E)

Networking

Source: Yara match, File source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.raw.unpack, type: UNPACKEDPE
Source: global traffic, TCP traffic: 192.168.2.5:49717 -> 107.178.108.41:587
Source: Joe Sandbox View, IP Address: 107.178.108.41
Source: Joe Sandbox View, ASN Name: IOFLOODUS
Source: Network traffic, Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49714 -> 20.42.65.92:443
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: mail.pgsu.co.id
Source: ODIlHgaFNJ.exe, 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://mail.pgsu.co.id
Source: ODIlHgaFNJ.exe, 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://pgsu.co.id
Source: ODIlHgaFNJ.exe, 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001027000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://r10.i.lencr.org/0
Source: ODIlHgaFNJ.exe, 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001027000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://r10.o.lencr.org0#
Source: Q7bAgeTZB8vmku7.exe, 00000000.00000002.2085088517.000000000325B000.00000004.00000800.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 00000008.00000002.2125798809.00000000024DB000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ODIlHgaFNJ.exe, 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001027000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001037000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4536016099.00000000065E2000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://x1.c.lencr.org/0
Source: ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001027000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://x1.c.lo
Source: ODIlHgaFNJ.exe, 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001027000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001037000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4536016099.00000000065E2000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://x1.i.lencr.org/0
Source: Q7bAgeTZB8vmku7.exe, 00000000.00000002.2086107945.0000000004209000.00000004.00000800.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4523811022.0000000000436000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, cPKWk.cs, .Net Code: gdCwU6rsZ
Source: 0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.raw.unpack, cPKWk.cs, .Net Code: gdCwU6rsZ
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe, Windows user hook set: 0 keyboard low level, C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe, Windows user hook set: 0 keyboard low level, C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe, Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe, Window created: window name: CLIPBRDWNDCLASS

System Summary

Source: 0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 7.2.Q7bAgeTZB8vmku7.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe, Process Stats: CPU usage > 49%
                    Source: Q7bAgeTZB8vmku7.exe, 00000000.00000002.2086107945.0000000004209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamef1a08a05-b195-4d04-8a01-a86b7545550f.exe4 vs Q7bAgeTZB8vmku7.exe
                    Source: Q7bAgeTZB8vmku7.exe, 00000000.00000002.2086107945.0000000004209000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Q7bAgeTZB8vmku7.exe
                    Source: Q7bAgeTZB8vmku7.exe, 00000000.00000002.2083213386.000000000151E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs Q7bAgeTZB8vmku7.exe
                    Source: Q7bAgeTZB8vmku7.exe, 00000000.00000002.2093687229.0000000007FC0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs Q7bAgeTZB8vmku7.exe
                    Source: Q7bAgeTZB8vmku7.exe, 00000000.00000002.2083213386.0000000001553000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameschtasks.exe.muij% vs Q7bAgeTZB8vmku7.exe
                    Source: Q7bAgeTZB8vmku7.exe, 00000000.00000002.2085088517.000000000325B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamef1a08a05-b195-4d04-8a01-a86b7545550f.exe4 vs Q7bAgeTZB8vmku7.exe
                    Source: Q7bAgeTZB8vmku7.exe, 00000000.00000000.2056239349.0000000000F48000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameWxKt.exe6 vs Q7bAgeTZB8vmku7.exe
                    Source: Q7bAgeTZB8vmku7.exe, 00000000.00000002.2091899530.0000000005CB0000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs Q7bAgeTZB8vmku7.exe
                    Source: Q7bAgeTZB8vmku7.exe, 00000007.00000002.4524599568.0000000000CF9000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs Q7bAgeTZB8vmku7.exe
                    Source: Q7bAgeTZB8vmku7.exe, 00000007.00000002.4523809745.0000000000437000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: OriginalFilenamef1a08a05-b195-4d04-8a01-a86b7545550f.exe4 vs Q7bAgeTZB8vmku7.exe
                    Source: Q7bAgeTZB8vmku7.exeBinary or memory string: OriginalFilenameWxKt.exe6 vs Q7bAgeTZB8vmku7.exe
                    Source: Q7bAgeTZB8vmku7.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 7.2.Q7bAgeTZB8vmku7.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: Q7bAgeTZB8vmku7.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: ODIlHgaFNJ.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, lYUFQjICpY24meU9US.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, lYUFQjICpY24meU9US.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, sGnSlU7H3CGve1ofOV.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, sGnSlU7H3CGve1ofOV.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, sGnSlU7H3CGve1ofOV.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, sGnSlU7H3CGve1ofOV.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, sGnSlU7H3CGve1ofOV.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, sGnSlU7H3CGve1ofOV.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@18/11@2/1
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | File created: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5276:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2364:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:764:120:WilError_03
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | File created: C:\Users\user\AppData\Local\Temp\tmpC03F.tmp
Source: Q7bAgeTZB8vmku7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Q7bAgeTZB8vmku7.exe, 00000007.00000002.4526857350.0000000002ADB000.00000004.00000800.00020000.00000000.sdmp, Q7bAgeTZB8vmku7.exe, 00000007.00000002.4526857350.0000000002AC8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Q7bAgeTZB8vmku7.exe | ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | File read: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe
Source: unknown | Process created: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe "C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe"
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Process created: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe "C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Process created: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe"
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Process created: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe"
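The process creations above are the two behaviours the Sigma hits in the signature list point at: the dropper adds a Defender exclusion for the copy it placed in AppData\Roaming (Add-MpPreference -ExclusionPath), and both the dropper and the dropped copy register a scheduled task "Updates\ODIlHgaFNJ" from an XML file written to the user's Temp directory. The Python below is an added example, not part of the Joe Sandbox report or of AgentTesla: it runs those two checks over process-creation records built from the command lines shown above, plus one constructed record that hides the same cmdlet behind -EncodedCommand so the base64 form is also caught. The record layout, function names and the -EncodedCommand variant are the example's own assumptions.

```python
"""Two detections over process-creation records, matching the Sigma hits in
this report: a Defender exclusion added through PowerShell and a scheduled
task registered from an XML file in a Temp directory."""
import base64
import re


def encode_ps(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# (parent image, child command line). The first five records are copied from the
# report's process tree; the last one is CONSTRUCTED to exercise the -EncodedCommand decoder.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference'
     r' -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe"'),
    (r"C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ"'
     r' /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp"'),
    (r"C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe",
     r'"C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe"'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (r"C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ"'
     r' /XML "C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp"'),
    (r"C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe",  # constructed variant, not from the report
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -W Hidden -EncodedCommand '
     + encode_ps(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe'")),
]

# -EncodedCommand may be abbreviated to any unambiguous prefix (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# Add-MpPreference / Set-MpPreference with one of the exclusion parameters.
MP_EXCLUSION = re.compile(
    r"\b(Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)\b", re.I | re.S)
# /XML argument, quoted or bare.
XML_ARG = re.compile(r'/XML\s+(?:"([^"]*)"|(\S+))', re.I)
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)


def decode_encoded_command(cmdline: str):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # not base64, or not UTF-16LE text
        return None


def flag_defender_exclusion(cmdline: str):
    """Defender exclusion via Add/Set-MpPreference, plain or base64-encoded."""
    if "powershell" not in cmdline.lower():
        return None
    script = decode_encoded_command(cmdline) or cmdline
    m = MP_EXCLUSION.search(script)
    if not m:
        return None
    return f"Defender exclusion: {m.group(1)}-MpPreference -Exclusion{m.group(2)}"


def flag_temp_xml_task(cmdline: str):
    """schtasks /Create whose /XML task definition lives in a Temp directory."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    m = XML_ARG.search(cmdline)
    if not m:
        return None
    xml_path = m.group(1) or m.group(2)
    return f"Scheduled task from temp XML: {xml_path}" if TEMP_DIR.search(xml_path) else None


def scan(events):
    """Run both checks over (parent, cmdline) records; return (parent, finding) pairs."""
    findings = []
    for parent, cmdline in events:
        for check in (flag_defender_exclusion, flag_temp_xml_task):
            hit = check(cmdline)
            if hit:
                findings.append((parent, hit))
    return findings


if __name__ == "__main__":
    for parent, hit in scan(SAMPLE_EVENTS):
        print(f"{hit}\n    spawned by {parent}")
```

Both checks key on the command line alone, which is what Sysmon event 1 or Windows 4688 gives you; the Temp-path check on /XML is what separates this from the many legitimate schtasks /Create invocations, and decoding -EncodedCommand before matching is what keeps the base64 variant from slipping past a plain string match.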
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, ntmarta.dll, sspicli.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, msasn1.dll, amsi.dll, userenv.dll, profapi.dll, gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, propsys.dll, wininet.dll, microsoft.management.infrastructure.native.unmanaged.dll, mi.dll, miutils.dll, wmidcom.dll, dpapi.dll, wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, edputil.dll
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Section loaded: mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, dwrite.dll, amsi.dll, userenv.dll, msasn1.dll, gpapi.dll, windowscodecs.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll, ncobjapi.dll, wbemcomn.dll, kernel.appcore.dll, mpclient.dll, userenv.dll, version.dll, msasn1.dll, wmitomi.dll, mi.dll, miutils.dll, gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll, taskschd.dll, sspicli.dll
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Section loaded: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, uxtheme.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, wbemcomn.dll, amsi.dll, userenv.dll, sspicli.dll, vaultcli.dll, wintypes.dll, iphlpapi.dll, dnsapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, winnsi.dll, mswsock.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, edputil.dll
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Q7bAgeTZB8vmku7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Q7bAgeTZB8vmku7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, sGnSlU7H3CGve1ofOV.cs | .Net Code: yRAorAthCJ System.Reflection.Assembly.Load(byte[])
Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, sGnSlU7H3CGve1ofOV.cs | .Net Code: yRAorAthCJ System.Reflection.Assembly.Load(byte[])
Source: Q7bAgeTZB8vmku7.exe | Static PE information: section name: .text entropy: 7.939738052659757
Source: ODIlHgaFNJ.exe.0.dr | Static PE information: section name: .text entropy: 7.939738052659757
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, EIeZdTjjwSdcuiJnKuE.cs | High entropy of concatenated method names: 'LoaHC7ldMo', 'XZwHzENI09', 'AuJncqOw9J', 'Pl0njPV5XA', 'D50nviJnp3', 'zXqnXC0lRK', 'UrynomuHnS', 'RNonBv2r6g', 'sqgnUWekNg', 'lupnbUFPkv'
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, lYUFQjICpY24meU9US.cs | High entropy of concatenated method names: 'NhEbKXbuPo', 'MG8bghHx3j', 'SWmb8JDrdP', 'SJkbLaXxeC', 'EXwbdhf4Fv', 'IcnbFen2Yt', 'mZWbWrS2Wk', 'GpZbmIG67A', 'A6ZbTbVeb9', 'jXXbC167JB'
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, Kr5SUZa1nvug3Q96Ci.cs | High entropy of concatenated method names: 'ATKpIOYqsP', 'bYmptZV3LM', 'hnBpEkFg37', 'sRIpYLThCj', 'bd8pOjZN0o', 'EfwpQolooC', 'jWap0YXjIB', 'jdPp3U9HuA', 'riNpiJnPjT', 'i1Ppfhh3wP'
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, fdWYIO5qN39Wn9XfNM.cs | High entropy of concatenated method names: 'sxBVZN4iPI', 'VcHVwMqTtS', 'ztFVrusHVb', 'mYrVsvGIMn', 'GLtVSqICCt', 'T8OVeWd5tg', 'WFXV6VnMea', 'MgMVIoIy35', 'HUuVtBBpvu', 'netV9r9H5j'
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, QZxClXjod6svrc4YMmX.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lyl2MO57fC', 'peX2HjCM5B', 'cKg2nWNkCi', 'gnB226hC23', 'wSC2qGBjFm', 'yRa2uQ8eWk', 'yhT2PMIv0j'
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, RADoXiTjs8N7A45kem.cs | High entropy of concatenated method names: 'AwCMEFSHEp', 'u9UMYKykaG', 'oBwMDHuFMQ', 'A76MOL58xn', 'tI6MQFcMd4', 'AIEMx31X6K', 'iGBM0IaPMh', 'vgwM3kjJ1D', 'DXHM5ouZrN', 'Tt2MimsBOh'
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, WT2Hxoo4APYyW6xraM.cs | High entropy of concatenated method names: 'fIAjVYUFQj', 'YpYj724meU', 'rXhjkLBRIV', 'hLrjlZC5kG', 'yrrjhbLaJQ', 'gPMj1GXxQ1', 'gbhwJ51jUQgm9H44Mq', 'Ji90yyCRV57XdUSS2t', 'jxpjjgdmvg', 'csFjXROJMd'
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, sw4uVMtXhLBRIVyLrZ.cs | High entropy of concatenated method names: 'B3jys4Ufk6', 'l4KyeaKn74', 'wQ8yIUWtcv', 'tyHytMl0AJ', 'kh8yhVDtQ0', 'LoPy16josS', 'UGnyGNK4ls', 'zDRy4NxrgW', 'SeByMU8sHQ', 'CvKyHYsIbx'
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, V9yGOcFtMXZZDi3TIi.cs | High entropy of concatenated method names: 'wNIGm5aBft', 'kRLGCgfcaO', 'GgM4camMbH', 'Otv4jm8ITl', 'sNnGfGAXsW', 'Qq0GJX9Hvl', 'aavGapniHl', 'XOpGKMSKi8', 'pk6GgtV4Mb', 'OocG8vDorr'
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, duqyKebdyid31vjTFo.cs | High entropy of concatenated method names: 'Dispose', 'hDxjT1pKIx', 'sEJvYVSe1X', 'ioH5fSBLX8', 'bDYjC95V1F', 'U1rjzBiDmV', 'ProcessDialogKey', 'KeKvcADoXi', 'bs8vjN7A45', 'lemvvtI5ZI'
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, HinwPhjcHESMgAN1iup.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WDfHfsV8Ul', 'oIaHJLGW2k', 'tCBHalGjxE', 'nmhHK9uB7s', 'EjxHgqv5TW', 'MiyH83nrxH', 'm9yHLoqDcg'
Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, SXZtChz6qZRHoWD2Pv.cs | High entropy of concatenated method names: 'oG6Heb8I7s', 'FdHHII4EyI', 'mNbHt1cBlc', 'NaJHEcuR3D', 'z6KHYdv5lJ', 'WE7HORkbxB', 'VuVHQHZ6jX', 'bNyHPbbIQ6', 'tHoHZqdpp5', 'xq5Hwql48a'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, fJU01Ijv2dL34Mt5WnQ.csHigh entropy of concatenated method names: 'ToString', 'PQ2nICV25G', 'w1FntZHtaG', 'XYOn9kdLqy', 'wAvnEvENL0', 'RwWnYY8Bms', 'pV4nDnpnmZ', 'GcgnOegjOS', 'CpEBZnIkaM1GOEqrSCc', 'HhoK33ILo2RT1yjaqk7'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, PjZMQMKIujBjJaJMUV.csHigh entropy of concatenated method names: 'AWFhisqCUJ', 'CXjhJuAXN4', 'YslhKTSdq1', 'mQHhgM5cvZ', 'QgnhYY1tdd', 'OwThDFpg0U', 'lOThOgR2CI', 'NEehQOqsh3', 'vp0hxoLGlD', 'kN7h0F7umE'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, sGnSlU7H3CGve1ofOV.csHigh entropy of concatenated method names: 'o04XBlXDA1', 'kPiXUrJNI7', 'OYaXb28ts7', 'v2RXyWT1T8', 'uN3XNcvIKN', 'Gt5XRtjCoj', 'uMaXVftOtu', 'NG1X7wAdwr', 'BREXAw4Sah', 'VxWXk1OZkC'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, QJQyPMEGXxQ1DIV6jb.csHigh entropy of concatenated method names: 'bhoRBLVsxX', 'rprRbx1dJb', 'ifhRNG5Pmi', 'OYURVsvcQd', 'M1XR7n6crL', 'qMPNdyqJfY', 'YIuNFGhS1O', 'bOqNWUwanL', 'j86NmZgPZu', 'o0YNT4h29e'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, fb7vbBWPHNDx1pKIxj.csHigh entropy of concatenated method names: 'R3mMh6n0v0', 'JXeMGaBsXv', 'qsJMMj5QlP', 'AYRMn8Rc6R', 'R73MqDD6kA', 'G2kMP2AHVG', 'Dispose', 'tId4URt4Sn', 'dRZ4bFb3e1', 'SUU4yTsiVh'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.7fc0000.4.raw.unpack, wmdFOJv5buKVQKZtF0.csHigh entropy of concatenated method names: 'l0Ur5iiHh', 'Tfrsit4R7', 'QtReNiIa3', 'H3Z6ECCjR', 'KaRt5rpx5', 'rTc9Y76OP', 'SpNdOOkAE4Te3eshHP', 'RSmqOSLElF4ytCNYW1', 'pIO40SiGZ', 'cu8Hn6BC8'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, EIeZdTjjwSdcuiJnKuE.csHigh entropy of concatenated method names: 'LoaHC7ldMo', 'XZwHzENI09', 'AuJncqOw9J', 'Pl0njPV5XA', 'D50nviJnp3', 'zXqnXC0lRK', 'UrynomuHnS', 'RNonBv2r6g', 'sqgnUWekNg', 'lupnbUFPkv'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, lYUFQjICpY24meU9US.csHigh entropy of concatenated method names: 'NhEbKXbuPo', 'MG8bghHx3j', 'SWmb8JDrdP', 'SJkbLaXxeC', 'EXwbdhf4Fv', 'IcnbFen2Yt', 'mZWbWrS2Wk', 'GpZbmIG67A', 'A6ZbTbVeb9', 'jXXbC167JB'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, Kr5SUZa1nvug3Q96Ci.csHigh entropy of concatenated method names: 'ATKpIOYqsP', 'bYmptZV3LM', 'hnBpEkFg37', 'sRIpYLThCj', 'bd8pOjZN0o', 'EfwpQolooC', 'jWap0YXjIB', 'jdPp3U9HuA', 'riNpiJnPjT', 'i1Ppfhh3wP'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, fdWYIO5qN39Wn9XfNM.csHigh entropy of concatenated method names: 'sxBVZN4iPI', 'VcHVwMqTtS', 'ztFVrusHVb', 'mYrVsvGIMn', 'GLtVSqICCt', 'T8OVeWd5tg', 'WFXV6VnMea', 'MgMVIoIy35', 'HUuVtBBpvu', 'netV9r9H5j'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, QZxClXjod6svrc4YMmX.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'lyl2MO57fC', 'peX2HjCM5B', 'cKg2nWNkCi', 'gnB226hC23', 'wSC2qGBjFm', 'yRa2uQ8eWk', 'yhT2PMIv0j'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, RADoXiTjs8N7A45kem.csHigh entropy of concatenated method names: 'AwCMEFSHEp', 'u9UMYKykaG', 'oBwMDHuFMQ', 'A76MOL58xn', 'tI6MQFcMd4', 'AIEMx31X6K', 'iGBM0IaPMh', 'vgwM3kjJ1D', 'DXHM5ouZrN', 'Tt2MimsBOh'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, WT2Hxoo4APYyW6xraM.csHigh entropy of concatenated method names: 'fIAjVYUFQj', 'YpYj724meU', 'rXhjkLBRIV', 'hLrjlZC5kG', 'yrrjhbLaJQ', 'gPMj1GXxQ1', 'gbhwJ51jUQgm9H44Mq', 'Ji90yyCRV57XdUSS2t', 'jxpjjgdmvg', 'csFjXROJMd'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, sw4uVMtXhLBRIVyLrZ.csHigh entropy of concatenated method names: 'B3jys4Ufk6', 'l4KyeaKn74', 'wQ8yIUWtcv', 'tyHytMl0AJ', 'kh8yhVDtQ0', 'LoPy16josS', 'UGnyGNK4ls', 'zDRy4NxrgW', 'SeByMU8sHQ', 'CvKyHYsIbx'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, V9yGOcFtMXZZDi3TIi.csHigh entropy of concatenated method names: 'wNIGm5aBft', 'kRLGCgfcaO', 'GgM4camMbH', 'Otv4jm8ITl', 'sNnGfGAXsW', 'Qq0GJX9Hvl', 'aavGapniHl', 'XOpGKMSKi8', 'pk6GgtV4Mb', 'OocG8vDorr'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, duqyKebdyid31vjTFo.csHigh entropy of concatenated method names: 'Dispose', 'hDxjT1pKIx', 'sEJvYVSe1X', 'ioH5fSBLX8', 'bDYjC95V1F', 'U1rjzBiDmV', 'ProcessDialogKey', 'KeKvcADoXi', 'bs8vjN7A45', 'lemvvtI5ZI'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, HinwPhjcHESMgAN1iup.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WDfHfsV8Ul', 'oIaHJLGW2k', 'tCBHalGjxE', 'nmhHK9uB7s', 'EjxHgqv5TW', 'MiyH83nrxH', 'm9yHLoqDcg'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, SXZtChz6qZRHoWD2Pv.csHigh entropy of concatenated method names: 'oG6Heb8I7s', 'FdHHII4EyI', 'mNbHt1cBlc', 'NaJHEcuR3D', 'z6KHYdv5lJ', 'WE7HORkbxB', 'VuVHQHZ6jX', 'bNyHPbbIQ6', 'tHoHZqdpp5', 'xq5Hwql48a'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, fJU01Ijv2dL34Mt5WnQ.csHigh entropy of concatenated method names: 'ToString', 'PQ2nICV25G', 'w1FntZHtaG', 'XYOn9kdLqy', 'wAvnEvENL0', 'RwWnYY8Bms', 'pV4nDnpnmZ', 'GcgnOegjOS', 'CpEBZnIkaM1GOEqrSCc', 'HhoK33ILo2RT1yjaqk7'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, PjZMQMKIujBjJaJMUV.csHigh entropy of concatenated method names: 'AWFhisqCUJ', 'CXjhJuAXN4', 'YslhKTSdq1', 'mQHhgM5cvZ', 'QgnhYY1tdd', 'OwThDFpg0U', 'lOThOgR2CI', 'NEehQOqsh3', 'vp0hxoLGlD', 'kN7h0F7umE'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, sGnSlU7H3CGve1ofOV.csHigh entropy of concatenated method names: 'o04XBlXDA1', 'kPiXUrJNI7', 'OYaXb28ts7', 'v2RXyWT1T8', 'uN3XNcvIKN', 'Gt5XRtjCoj', 'uMaXVftOtu', 'NG1X7wAdwr', 'BREXAw4Sah', 'VxWXk1OZkC'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, QJQyPMEGXxQ1DIV6jb.csHigh entropy of concatenated method names: 'bhoRBLVsxX', 'rprRbx1dJb', 'ifhRNG5Pmi', 'OYURVsvcQd', 'M1XR7n6crL', 'qMPNdyqJfY', 'YIuNFGhS1O', 'bOqNWUwanL', 'j86NmZgPZu', 'o0YNT4h29e'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, fb7vbBWPHNDx1pKIxj.csHigh entropy of concatenated method names: 'R3mMh6n0v0', 'JXeMGaBsXv', 'qsJMMj5QlP', 'AYRMn8Rc6R', 'R73MqDD6kA', 'G2kMP2AHVG', 'Dispose', 'tId4URt4Sn', 'dRZ4bFb3e1', 'SUU4yTsiVh'
                    Source: 0.2.Q7bAgeTZB8vmku7.exe.4497a80.0.raw.unpack, wmdFOJv5buKVQKZtF0.csHigh entropy of concatenated method names: 'l0Ur5iiHh', 'Tfrsit4R7', 'QtReNiIa3', 'H3Z6ECCjR', 'KaRt5rpx5', 'rTc9Y76OP', 'SpNdOOkAE4Te3eshHP', 'RSmqOSLElF4ytCNYW1', 'pIO40SiGZ', 'cu8Hn6BC8'
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeFile created: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeJump to dropped file

                    Boot Survival

                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Process information set: NOOPENFILEERRORBOX (47 identical entries)
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Process information set: NOOPENFILEERRORBOX (101 identical entries)

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: Q7bAgeTZB8vmku7.exe PID: 3208, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: ODIlHgaFNJ.exe PID: 3276, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Memory allocated: 1870000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Memory allocated: 3200000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Memory allocated: 5200000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Memory allocated: 8140000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Memory allocated: 9140000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Memory allocated: 92F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Memory allocated: A2F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Memory allocated: F70000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Memory allocated: 29F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Memory allocated: 49F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Memory allocated: AE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Memory allocated: 2480000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Memory allocated: 4480000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Memory allocated: 6DB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Memory allocated: 7DB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Memory allocated: 7F50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Memory allocated: 8F50000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Memory allocated: 2C40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Memory allocated: 2E00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Memory allocated: 2C40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1200000
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1199875
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1199766
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1199641
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1199531
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1199422
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1199311
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1199203
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1199094
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1198985
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1198873
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1198766
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1198641
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1198498
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1198387
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1198280
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1198146
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1198008
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1197866
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1197736
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1197610
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1197484
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1197373
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1197263
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1197152
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1197047
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1196938
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1196828
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1196719
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1196610
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1196485
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1196360
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1196235
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1196110
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1195985
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1195860
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1195735
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1195610
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1195485
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1195316
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1195167
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1195047
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1194930
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1194813
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1194688
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1194563
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1194453
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1194344
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1194219
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1194109
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1193998
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6963
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2610
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Window / User API: threadDelayed 5265
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Window / User API: threadDelayed 4566
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Window / User API: threadDelayed 7517
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Window / User API: threadDelayed 2338
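The evasion entries in this section (the Win32_NetworkAdapterConfiguration WMI queries, the write-watch reservations, the delays of 922337203685477 and the 1200000 ms countdown) can be triaged mechanically instead of by eye. The Python script below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses entries written in this section's "Source: <process> | <event>" form, applies the thresholds the report itself prints (a sleep of at least 30000 ms, more than 30 sleep calls) and scores each process. The sample entries are constructed for illustration, the rule names and weights are my own choices, the VM-fingerprinting class set is limited to the two WMI classes this report names, and the observation that 922337203685477 is TimeSpan.MaxValue in milliseconds is arithmetic (Int64.MaxValue / 10000).

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Thresholds the report applies in its own entries ("Thread sleep time: -Xs >= -30000s",
# "Thread sleep count: N > 30"). Joe Sandbox prints the delay in milliseconds despite the "s".
LONG_SLEEP_MS = 30_000
SLEEP_COUNT_LIMIT = 30
# Int64.MaxValue / 10_000 == TimeSpan.MaxValue in milliseconds: a .NET wait with this value
# never times out on its own, so the thread is parked for the sandbox's entire run.
TIMESPAN_MAX_MS = 922_337_203_685_477
# WMI classes this report associates with virtual-machine fingerprinting.
VM_FINGERPRINT_CLASSES = {"Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration"}

# Constructed sample entries in this section's format (assumed values, not copied verbatim).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Process information set: NOOPENFILEERRORBOX",
    r"Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration",
    r"Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Memory allocated: 1870000 memory reserve | memory write watch",
    r"Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Thread delayed: delay time: 1200000",
    r"Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep count: 42 > 30",
    r"Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1200000s >= -30000s",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Window / User API: threadDelayed 7517",
]


@dataclass(frozen=True)
class Finding:
    process: str
    rule: str
    weight: int
    detail: str


# One pattern per entry type, keyed on the event text so the separator after the
# "Source:" path (or its absence in a fused extraction) does not matter.
_SOURCE = re.compile(r"Source:\s*(.+?\.exe)", re.IGNORECASE)
_SLEEP_TIME = re.compile(r"Thread sleep time:\s*-(\d+)s")
_DELAYED = re.compile(r"Thread delayed: delay time:\s*(\d+)")
_SLEEP_COUNT = re.compile(r"Thread sleep count:\s*(\d+)")
_DELAYED_API = re.compile(r"threadDelayed\s+(\d+)")
_WMI = re.compile(r"WMI Queries:.*:\s*(Win32_\w+)")
_WRITE_WATCH = re.compile(r"Memory allocated:\s*([0-9A-Fa-f]+)\s+memory reserve \| memory write watch")
_ERROR_MODE = re.compile(r"Process information set:\s*(\w+)")


def classify_delay(ms: int) -> tuple[str, int] | None:
    """Map a delay in milliseconds to (rule, weight), or None when it is unremarkable."""
    if ms == TIMESPAN_MAX_MS:
        return "indefinite_wait", 3
    if ms >= LONG_SLEEP_MS:
        return "long_sleep", 2
    return None


def _delay_ms(line: str) -> int | None:
    for rx in (_SLEEP_TIME, _DELAYED):
        if m := rx.search(line):
            return int(m.group(1))
    return None


def analyze_line(line: str) -> Finding | None:
    """Turn one behaviour entry into a Finding, or None if it carries no signal."""
    src = _SOURCE.search(line)
    if not src:
        return None
    proc = src.group(1)
    ms = _delay_ms(line)
    if ms is not None:
        hit = classify_delay(ms)
        return Finding(proc, hit[0], hit[1], f"{ms} ms") if hit else None
    for rx in (_SLEEP_COUNT, _DELAYED_API):
        if m := rx.search(line):
            n = int(m.group(1))
            return Finding(proc, "sleep_loop", 2, f"{n} delayed calls") if n > SLEEP_COUNT_LIMIT else None
    if m := _WMI.search(line):
        cls = m.group(1)
        weight = 3 if cls in VM_FINGERPRINT_CLASSES else 0
        return Finding(proc, "vm_fingerprint_wmi" if weight else "wmi_query", weight, cls)
    if m := _WRITE_WATCH.search(line):
        # Write-watch reservations are routine for the .NET garbage collector's heap:
        # recorded for context, no weight on their own.
        return Finding(proc, "write_watch_alloc", 0, f"0x{m.group(1).upper()}")
    if m := _ERROR_MODE.search(line):
        # The .NET runtime sets SEM_NOOPENFILEERRORBOX itself at startup: context only.
        return Finding(proc, "error_mode", 0, m.group(1))
    return None


def summarize(lines) -> dict:
    """Per process: count of hits per rule, and a score that weights each rule once."""
    per_proc = defaultdict(lambda: {"score": 0, "rules": defaultdict(int), "details": []})
    scored = set()
    for line in lines:
        f = analyze_line(line)
        if f is None:
            continue
        entry = per_proc[f.process]
        entry["rules"][f.rule] += 1
        entry["details"].append(f"{f.rule}: {f.detail}")
        if (f.process, f.rule) not in scored:  # a 51-step countdown counts as one long sleep
            scored.add((f.process, f.rule))
            entry["score"] += f.weight
    return {p: {"score": e["score"], "rules": dict(e["rules"]), "details": e["details"]}
            for p, e in per_proc.items()}


if __name__ == "__main__":
    for proc, info in sorted(summarize(SAMPLE_LINES).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{info['score']:>3}  {proc}")
        for detail in info["details"]:
            print(f"      {detail}")
```

Two caveats worth keeping in mind when reading the raw entries. NOOPENFILEERRORBOX and write-watch reservations appear in practically every .NET process, which is why the script records them but gives them no weight; the signal here is the WMI adapter query combined with the sleeps. The descending series from 1200000 down to 1193998 in steps of roughly 110 to 125 ms is consistent with a single 20-minute wait being re-armed in a loop, which is why the sandbox reports one "long sleeps" signature but dozens of separate entries.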
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 2780 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6568 | Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep count: 42 > 30
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -38738162554790034s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1200000s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 4760 | Thread sleep count: 5265 > 30
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1199875s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 4760 | Thread sleep count: 4566 > 30
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1199766s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1199641s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1199531s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1199422s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1199311s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1199203s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1199094s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1198985s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1198873s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1198766s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1198641s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1198498s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1198387s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1198280s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1198146s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1198008s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1197866s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1197736s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1197610s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1197484s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1197373s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1197263s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1197152s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1197047s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1196938s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564 | Thread sleep time: -1196828s >= -30000s
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1196719s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1196610s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1196485s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1196360s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1196235s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1196110s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1195985s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1195860s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1195735s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1195610s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1195485s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1195316s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1195167s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1195047s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1194930s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1194813s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1194688s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1194563s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1194453s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1194344s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1194219s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1194109s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe TID: 6564Thread sleep time: -1193998s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6392Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep count: 33 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -30437127721620741s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6460Thread sleep count: 7517 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -99891s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6460Thread sleep count: 2338 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -99766s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -99656s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -99547s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -99376s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -99120s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -98968s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -98859s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -98750s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -98641s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -98516s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -98406s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -98297s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -98187s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -98078s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -97968s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -97859s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -97750s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -97640s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -97531s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -97422s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -97312s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -97203s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -97092s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -96984s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -96875s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -96766s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -96623s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -96512s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -96294s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -96184s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -96062s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -95953s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -95843s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -95734s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -95625s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -95516s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -95391s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -95281s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -95172s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -95062s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -94953s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -94844s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -94734s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -94625s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -94516s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -94406s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -94296s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -94187s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe TID: 6576Thread sleep time: -94078s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1200000Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1199875Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1199766Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1199641Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1199531Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1199422Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1199311Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1199203Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1199094Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1198985Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1198873Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1198766Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1198641Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1198498Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1198387Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1198280Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1198146Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1198008Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1197866Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1197736Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1197610Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1197484Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1197373Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1197263Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1197152Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1197047Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1196938Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1196828Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1196719Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1196610Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1196485Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1196360Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1196235Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1196110Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1195985Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1195860Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1195735Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1195610Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1195485Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1195316Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1195167Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1195047Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1194930Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1194813Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1194688Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1194563Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1194453Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1194344Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1194219Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1194109Jump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeThread delayed: delay time: 1193998Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 99891Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 99766Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 99656Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 99547Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 99376Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 99120Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 98968Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 98859Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 98750Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 98641Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 98516Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 98406Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 98297Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 98187Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 98078Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 97968Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 97859Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 97750Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 97640Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 97531Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 97422Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 97312Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 97203Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 97092Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 96984Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 96875Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 96766Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 96623Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 96512Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 96294Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 96184Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 96062Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 95953Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 95843Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 95734Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 95625Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 95516Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 95391Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 95281Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 95172Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 95062Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 94953Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 94844Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 94734Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 94625Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 94516Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 94406Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 94296Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 94187Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeThread delayed: delay time: 94078Jump to behavior
                    Source: Q7bAgeTZB8vmku7.exe, 00000000.00000002.2092999110.0000000007692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 0hGfs
                    Source: Q7bAgeTZB8vmku7.exe, 00000000.00000002.2092999110.0000000007692000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ic0hGfs
                    Source: ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001027000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe"
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe"
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe Memory written: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe Memory written: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe"
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp"
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe Process created: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe "C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe"
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp"
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe Process created: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe"
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe Process created: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe"
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe Queries volume information: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe VolumeInformation
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeQueries volume information: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeQueries volume information: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeQueries volume information: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Q7bAgeTZB8vmku7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4527865138.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2086107945.0000000004209000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4527865138.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Q7bAgeTZB8vmku7.exe PID: 3208, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Q7bAgeTZB8vmku7.exe PID: 4796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ODIlHgaFNJ.exe PID: 1560, type: MEMORYSTR
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Q7bAgeTZB8vmku7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4523809745.0000000000437000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2086107945.0000000004209000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4527865138.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4526857350.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Q7bAgeTZB8vmku7.exe PID: 3208, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Q7bAgeTZB8vmku7.exe PID: 4796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ODIlHgaFNJ.exe PID: 1560, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Q7bAgeTZB8vmku7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Q7bAgeTZB8vmku7.exe.4453880.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Q7bAgeTZB8vmku7.exe.4418e60.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4527865138.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2086107945.0000000004209000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4527865138.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: Q7bAgeTZB8vmku7.exe PID: 3208, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Q7bAgeTZB8vmku7.exe PID: 4796, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: ODIlHgaFNJ.exe PID: 1560, type: MEMORYSTR
MITRE ATT&CK Matrix (one line per tactic column; the number in parentheses is the hit count badge shown in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation (121); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading (1); Process Injection (111); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); Software Packing (12); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (141); Process Injection (111)
Credential Access: OS Credential Dumping (2); Input Capture (21); Credentials in Registry (1); NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery (1); System Information Discovery (24); Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); Remote System Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (11); Data from Local System (2); Email Collection (1); Input Capture (21); Clipboard Data (1); GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet
Behavior Graph

Behavior Graph ID: 1559490
Sample: Q7bAgeTZB8vmku7.exe
Startdate: 20/11/2024
Architecture: WINDOWS
Score: 100
DNS/IP Info: pgsu.co.id; mail.pgsu.co.id
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures

Process tree (indentation shows the parent/child relationship; the number after a process name is the count badge from the graph):

• Q7bAgeTZB8vmku7.exe 7 (started)
  Dropped files: C:\Users\user\AppData\...\ODIlHgaFNJ.exe (PE32); C:\Users\...\ODIlHgaFNJ.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpC03F.tmp (XML); C:\Users\user\...\Q7bAgeTZB8vmku7.exe.log (ASCII)
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  • Q7bAgeTZB8vmku7.exe 2 (started)
    Signatures: Installs a global keyboard hook
  • powershell.exe 23 (started)
    Signatures: Loading BitLocker PowerShell Module
    • WmiPrvSE.exe (started)
    • conhost.exe (started)
  • schtasks.exe 1 (started)
    • conhost.exe (started)
• ODIlHgaFNJ.exe 5 (started)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  • ODIlHgaFNJ.exe 2 (started)
    DNS/IP Info: pgsu.co.id 107.178.108.41, 49717, 587 IOFLOODUS United States
    Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  • schtasks.exe 1 (started)
    • conhost.exe (started)
  • ODIlHgaFNJ.exe (started)

Source | Detection | Scanner | Label
Q7bAgeTZB8vmku7.exe | 45% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
Q7bAgeTZB8vmku7.exe | 100% | Avira | HEUR/AGEN.1306899
Q7bAgeTZB8vmku7.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | 100% | Avira | HEUR/AGEN.1306899
C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe | 45% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
http://x1.c.lo | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
pgsu.co.id | 107.178.108.41 | true | true | | unknown
mail.pgsu.co.id | unknown | unknown | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://x1.c.lo | ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001027000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pgsu.co.id | ODIlHgaFNJ.exe, 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://r10.o.lencr.org0# | ODIlHgaFNJ.exe, 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001027000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | Q7bAgeTZB8vmku7.exe, 00000000.00000002.2086107945.0000000004209000.00000004.00000800.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4523811022.0000000000436000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://mail.pgsu.co.id | ODIlHgaFNJ.exe, 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Q7bAgeTZB8vmku7.exe, 00000000.00000002.2085088517.000000000325B000.00000004.00000800.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 00000008.00000002.2125798809.00000000024DB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | ODIlHgaFNJ.exe, 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001027000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001037000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4536016099.00000000065E2000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | ODIlHgaFNJ.exe, 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001027000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001037000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4536016099.00000000065E2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://r10.i.lencr.org/0 | ODIlHgaFNJ.exe, 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000001027000.00000004.00000020.00020000.00000000.sdmp, ODIlHgaFNJ.exe, 0000000D.00000002.4525511693.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
107.178.108.41 | pgsu.co.id | United States | 53755 | IOFLOODUS | true
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1559490
                                        Start date and time:2024-11-20 15:48:09 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 8m 57s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:16
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:Q7bAgeTZB8vmku7.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@18/11@2/1
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 157
                                        • Number of non-executed functions: 10
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size getting too big, too many NtCreateKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                        • VT rate limit hit for: Q7bAgeTZB8vmku7.exe
Time | Type | Description
09:49:01 | API Interceptor | 8510550x Sleep call for process: Q7bAgeTZB8vmku7.exe modified
09:49:04 | API Interceptor | 13x Sleep call for process: powershell.exe modified
09:49:05 | API Interceptor | 6161477x Sleep call for process: ODIlHgaFNJ.exe modified
15:49:04 | Task Scheduler | Run new task: ODIlHgaFNJ path: C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe
Match | Associated Sample Name / URL | Detection | Threat Name
107.178.108.41 | QcgYuePXfjXfcUD.exe | malicious | AgentTesla
107.178.108.41 | XXKPgtA6DfbWnGL.exe | malicious | AgentTesla
107.178.108.41 | Q2EoNFhO7QQHxgS.exe | malicious | AgentTesla
107.178.108.41 | QCP6Umel59hDYWj.exe | malicious | AgentTesla
107.178.108.41 | kE7yGmDoMD.exe | malicious | AgentTesla
107.178.108.41 | sdd.exe | malicious | AgentTesla
107.178.108.41 | kk.exe | malicious | AgentTesla
107.178.108.41 | mm.exe | malicious | AgentTesla
107.178.108.41 | tUaGg541L8.exe | malicious | AgentTesla
107.178.108.41 | fXE0FZxunm.exe | malicious | AgentTesla
Match | Associated Sample Name / URL | Detection | Threat Name | Context
IOFLOODUS | QcgYuePXfjXfcUD.exe | malicious | AgentTesla | 107.178.108.41
IOFLOODUS | XXKPgtA6DfbWnGL.exe | malicious | AgentTesla | 107.178.108.41
IOFLOODUS | Quotation request -30112024_pdf.exe | malicious | FormBook | 107.167.84.42
IOFLOODUS | botx.arm.elf | malicious | Mirai | 107.178.118.180
IOFLOODUS | Q2EoNFhO7QQHxgS.exe | malicious | AgentTesla | 107.178.108.41
IOFLOODUS | QCP6Umel59hDYWj.exe | malicious | AgentTesla | 107.178.108.41
IOFLOODUS | kE7yGmDoMD.exe | malicious | AgentTesla | 107.178.108.41
IOFLOODUS | sdd.exe | malicious | AgentTesla | 107.178.108.41
IOFLOODUS | file.exe | malicious | WhiteSnake Stealer | 104.161.33.60
IOFLOODUS | botnet.mips.elf | malicious | Mirai, Moobot | 107.178.106.86
                                                            No context
                                                            No context
                                                            Process:C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:true
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2232
                                                            Entropy (8bit):5.3792772635987225
                                                            Encrypted:false
                                                            SSDEEP:48:bWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:bLHxvCsIfA2KRHmOugw1s
                                                            MD5:24BC35D470461ED90FC4BFFF902B8C7E
                                                            SHA1:0FA16F6526E5ECF142B47EF95DC7FF9F6C12734A
                                                            SHA-256:FF60D2E27C696044BADA174E175C85E8CACB9E310EDCAC365AE6864B38709EFF
                                                            SHA-512:584AAF5C4E5CBD704DA722965920F21FF80CC25A7B79E6D552E8BDF7A30416AEC3CC7D314A9A15630A6B8EBDEADBB3CDC7784927E8276788DEE2DFF8556617F4
                                                            Malicious:false
                                                            Preview:@...e.................................&..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe
                                                            File Type:XML 1.0 document, ASCII text
                                                            Category:dropped
                                                            Size (bytes):1583
                                                            Entropy (8bit):5.105032620959646
                                                            Encrypted:false
                                                            SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtsVxvn:cgergYrFdOFzOzN33ODOiDdKrsuTsrv
                                                            MD5:4A76F289B1D9D99ED4A01CD81E7E9F70
                                                            SHA1:AE480E97B33A35A19E47596E12375A21539BF620
                                                            SHA-256:9CA9307A3E43445B06E0EFD5C184BD5DA2785EC6965F6CEFE2F6265318C5FD9B
                                                            SHA-512:6FF6DF860799A1B97C1A258279E7006E15B4A8A60B15FD9EC6470F6FCEB948AA8303B501997FDF6627ED99E307DFCEE5DC8B72110BB3C28CB9A6DF7E8A4207C5
                                                            Malicious:true
                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                            Process:C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe
                                                            File Type:XML 1.0 document, ASCII text
                                                            Category:dropped
                                                            Size (bytes):1583
                                                            Entropy (8bit):5.105032620959646
                                                            Encrypted:false
                                                            SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtsVxvn:cgergYrFdOFzOzN33ODOiDdKrsuTsrv
                                                            MD5:4A76F289B1D9D99ED4A01CD81E7E9F70
                                                            SHA1:AE480E97B33A35A19E47596E12375A21539BF620
                                                            SHA-256:9CA9307A3E43445B06E0EFD5C184BD5DA2785EC6965F6CEFE2F6265318C5FD9B
                                                            SHA-512:6FF6DF860799A1B97C1A258279E7006E15B4A8A60B15FD9EC6470F6FCEB948AA8303B501997FDF6627ED99E307DFCEE5DC8B72110BB3C28CB9A6DF7E8A4207C5
                                                            Malicious:false
                                                            Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                            Process:C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe
                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Category:dropped
                                                            Size (bytes):748544
                                                            Entropy (8bit):7.9328566957064925
                                                            Encrypted:false
                                                            SSDEEP:12288:BrOd+Ri3AgFd4q2PUFNd7yz0PvADOlnkv2QHRypn0iJyVR3iFJxmGZjB0jnjXUih:TQ3AgpeUF/e0nADbHcpnByM/d0jnrUm
                                                            MD5:9948091D5E1B566C2573DF3D3D1CEA91
                                                            SHA1:7F447C10DFC5D6562A3E7B48868AB972D99D7DA4
                                                            SHA-256:8C25A42242F041B0ECFC47164EF25A988B37735DAC00A6990F7BABD80EAA2487
                                                            SHA-512:B7EF2DB21BD6B074D2D4E5EF8F372C5DFF78E7BA96247F4CAC2017464E0DF6C4A2D0BDE434B9EBFA1DAE24C93A71EE4AEA14507D75F78426BD96A840A8950F59
                                                            Malicious:true
                                                            Antivirus:
                                                            • Antivirus: Avira, Detection: 100%
                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                            • Antivirus: ReversingLabs, Detection: 45%
                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*=g..............0..J... .......i... ........@.. ....................................`.................................Ti..O.......|............................................................................ ............... ..H............text....I... ...J.................. ..`.rsrc...|............L..............@..@.reloc...............j..............@..B.................i......H........6...(...........^................................................(......}.....{....r...p .....o5....{....o7...&*....0...........{......o9.....}........&.....*..................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=........*......+..E..........\b......2.{....oA...*n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...
                                                            Process:C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):26
                                                            Entropy (8bit):3.95006375643621
                                                            Encrypted:false
                                                            SSDEEP:3:ggPYV:rPYV
                                                            MD5:187F488E27DB4AF347237FE461A079AD
                                                            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                            Malicious:true
                                                            Preview:[ZoneTransfer]....ZoneId=0
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.9328566957064925
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                            • Win32 Executable (generic) a (10002005/4) 49.75%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Windows Screen Saver (13104/52) 0.07%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            File name:Q7bAgeTZB8vmku7.exe
                                                            File size:748'544 bytes
                                                            MD5:9948091d5e1b566c2573df3d3d1cea91
                                                            SHA1:7f447c10dfc5d6562a3e7b48868ab972d99d7da4
                                                            SHA256:8c25a42242f041b0ecfc47164ef25a988b37735dac00a6990f7babd80eaa2487
                                                            SHA512:b7ef2db21bd6b074d2d4e5ef8f372c5dff78e7ba96247f4cac2017464e0df6c4a2d0bde434b9ebfa1dae24c93a71ee4aea14507d75f78426bd96a840a8950f59
                                                            SSDEEP:12288:BrOd+Ri3AgFd4q2PUFNd7yz0PvADOlnkv2QHRypn0iJyVR3iFJxmGZjB0jnjXUih:TQ3AgpeUF/e0nADbHcpnByM/d0jnrUm
                                                            TLSH:2EF423A8773E2681D6EC7634557800808A347C1F2F85CBAE05CC155AABBA74CD2E6F73
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*=g..............0..J... .......i... ........@.. ....................................`................................
                                                            Icon Hash:8bdb4b414d656d61
                                                            Entrypoint:0x4b69a6
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x673D2A8D [Wed Nov 20 00:17:17 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
                                                            add byte ptr [eax], al
                                                            Name                                 | Virtual Address | Virtual Size | Is in Section
                                                            IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_IMPORT         | 0xb6954         | 0x4f         | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0xb8000         | 0x1d7c       | .rsrc
                                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xba000         | 0xc          | .reloc
                                                            IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
                                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
                                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
                                                            IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
                                                            Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
                                                            .text  | 0x2000          | 0xb49ac      | 0xb4a00  | c10662390f3ef7c80db39a531e1d0df9 | False    | 0.9592655168685121 | data      | 7.939738052659757   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                            .rsrc  | 0xb8000         | 0x1d7c       | 0x1e00   | 16c194d24f39f276a8214bf5fb077631 | False    | 0.8061197916666667 | data      | 7.3218267193516215  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                            .reloc | 0xba000         | 0xc          | 0x200    | a1201169110d5006fa411de6395bbe55 | False    | 0.044921875        | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                            Name          | RVA     | Size   | Type                                                                              | Language | Country | ZLIB Complexity
                                                            RT_ICON       | 0xb8100 | 0x1733 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                       |          |         | 0.9151372284896447
                                                            RT_GROUP_ICON | 0xb9844 | 0x14   | data                                                                              |          |         | 1.05
                                                            RT_VERSION    | 0xb9868 | 0x314  | data                                                                              |          |         | 0.434010152284264
                                                            RT_MANIFEST   | 0xb9b8c | 0x1ea  | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |          |         | 0.5489795918367347
                                                            DLL         | Import
                                                            mscoree.dll | _CorExeMain
                                                            Timestamp                       | SID     | Signature                                                 | Severity | Source IP   | Source Port | Dest IP     | Dest Port | Protocol
                                                            2024-11-20T15:49:08.317454+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3        | 192.168.2.5 | 49714       | 20.42.65.92 | 443       | TCP
                                                            Timestamp                           | Source Port | Dest Port | Source IP   | Dest IP
                                                            Nov 20, 2024 15:49:09.805022001 CET | 59854       | 53        | 192.168.2.5 | 1.1.1.1
                                                            Nov 20, 2024 15:49:10.800317049 CET | 59854       | 53        | 192.168.2.5 | 1.1.1.1
                                                            Nov 20, 2024 15:49:11.281320095 CET | 53          | 59854     | 1.1.1.1     | 192.168.2.5
                                                            Nov 20, 2024 15:49:11.281538963 CET | 53          | 59854     | 1.1.1.1     | 192.168.2.5
                                                            Timestamp                           | Source IP   | Dest IP | Trans ID | OP Code            | Name            | Type           | Class       | DNS over HTTPS
                                                            Nov 20, 2024 15:49:09.805022001 CET | 192.168.2.5 | 1.1.1.1 | 0x3f8    | Standard query (0) | mail.pgsu.co.id | A (IP address) | IN (0x0001) | false
                                                            Nov 20, 2024 15:49:10.800317049 CET | 192.168.2.5 | 1.1.1.1 | 0x3f8    | Standard query (0) | mail.pgsu.co.id | A (IP address) | IN (0x0001) | false
                                                            Timestamp                           | Source IP | Dest IP     | Trans ID | Reply Code   | Name            | CName      | Address        | Type                   | Class       | DNS over HTTPS
                                                            Nov 20, 2024 15:49:11.281320095 CET | 1.1.1.1   | 192.168.2.5 | 0x3f8    | No error (0) | mail.pgsu.co.id | pgsu.co.id |                | CNAME (Canonical name) | IN (0x0001) | false
                                                            Nov 20, 2024 15:49:11.281320095 CET | 1.1.1.1   | 192.168.2.5 | 0x3f8    | No error (0) | pgsu.co.id      |            | 107.178.108.41 | A (IP address)         | IN (0x0001) | false
                                                            Nov 20, 2024 15:49:11.281538963 CET | 1.1.1.1   | 192.168.2.5 | 0x3f8    | No error (0) | mail.pgsu.co.id | pgsu.co.id |                | CNAME (Canonical name) | IN (0x0001) | false
                                                            Nov 20, 2024 15:49:11.281538963 CET | 1.1.1.1   | 192.168.2.5 | 0x3f8    | No error (0) | pgsu.co.id      |            | 107.178.108.41 | A (IP address)         | IN (0x0001) | false
                                                            Timestamp                           | Source Port | Dest Port | Source IP      | Dest IP        | Commands
                                                            Nov 20, 2024 15:49:12.670484066 CET | 587         | 49717     | 107.178.108.41 | 192.168.2.5    | 220-grogolvps.padinet.com ESMTP Exim 4.98 #2 Wed, 20 Nov 2024 21:49:12 +0700
                                                                                                |             |           |                |                | 220-We do not authorize the use of this system to transport unsolicited,
                                                                                                |             |           |                |                | 220 and/or bulk e-mail.
                                                            Nov 20, 2024 15:49:12.671546936 CET | 49717       | 587       | 192.168.2.5    | 107.178.108.41 | EHLO 142233
                                                            Nov 20, 2024 15:49:13.054065943 CET | 587         | 49717     | 107.178.108.41 | 192.168.2.5    | 250-grogolvps.padinet.com Hello 142233 [8.46.123.75]
                                                                                                |             |           |                |                | 250-SIZE 52428800
                                                                                                |             |           |                |                | 250-LIMITS MAILMAX=1000 RCPTMAX=50000
                                                                                                |             |           |                |                | 250-8BITMIME
                                                                                                |             |           |                |                | 250-PIPELINING
                                                                                                |             |           |                |                | 250-PIPECONNECT
                                                                                                |             |           |                |                | 250-AUTH PLAIN LOGIN
                                                                                                |             |           |                |                | 250-STARTTLS
                                                                                                |             |           |                |                | 250 HELP
                                                            Nov 20, 2024 15:49:13.054392099 CET | 49717       | 587       | 192.168.2.5    | 107.178.108.41 | STARTTLS
                                                            Nov 20, 2024 15:49:13.439734936 CET | 587         | 49717     | 107.178.108.41 | 192.168.2.5    | 220 TLS go ahead

                                                            Target ID:0
                                                            Start time:09:49:01
                                                            Start date:20/11/2024
                                                            Path:C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe"
                                                            Imagebase:0xe90000
                                                            File size:748'544 bytes
                                                            MD5 hash:9948091D5E1B566C2573DF3D3D1CEA91
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2086107945.0000000004209000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2086107945.0000000004209000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:09:49:02
                                                            Start date:20/11/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe"
                                                            Imagebase:0x930000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:09:49:02
                                                            Start date:20/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:09:49:02
                                                            Start date:20/11/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpC03F.tmp"
                                                            Imagebase:0x860000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:09:49:02
                                                            Start date:20/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:7
                                                            Start time:09:49:02
                                                            Start date:20/11/2024
                                                            Path:C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\Q7bAgeTZB8vmku7.exe"
                                                            Imagebase:0x7c0000
                                                            File size:748'544 bytes
                                                            MD5 hash:9948091D5E1B566C2573DF3D3D1CEA91
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4523809745.0000000000437000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4526857350.00000000029F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:8
                                                            Start time:09:49:04
                                                            Start date:20/11/2024
                                                            Path:C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe
                                                            Imagebase:0x100000
                                                            File size:748'544 bytes
                                                            MD5 hash:9948091D5E1B566C2573DF3D3D1CEA91
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Antivirus matches:
                                                            • Detection: 100%, Avira
                                                            • Detection: 100%, Joe Sandbox ML
                                                            • Detection: 45%, ReversingLabs
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:9
                                                            Start time:09:49:05
                                                            Start date:20/11/2024
                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                            Imagebase:0x7ff6ef0c0000
                                                            File size:496'640 bytes
                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:09:49:07
                                                            Start date:20/11/2024
                                                            Path:C:\Windows\SysWOW64\schtasks.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp"
                                                            Imagebase:0x860000
                                                            File size:187'904 bytes
                                                            MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:11
                                                            Start time:09:49:07
                                                            Start date:20/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff6d64d0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:09:49:07
                                                            Start date:20/11/2024
                                                            Path:C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe"
                                                            Imagebase:0x1c0000
                                                            File size:748'544 bytes
                                                            MD5 hash:9948091D5E1B566C2573DF3D3D1CEA91
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:09:49:07
                                                            Start date:20/11/2024
                                                            Path:C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe"
                                                            Imagebase:0x800000
                                                            File size:748'544 bytes
                                                            MD5 hash:9948091D5E1B566C2573DF3D3D1CEA91
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4527865138.0000000002E4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4527865138.0000000002E79000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.4527865138.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.4527865138.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:false

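Target ID 10 above shows the persistence step: schtasks.exe registers a task named "Updates\ODIlHgaFNJ" from an XML file that the sample first wrote to the user's Temp directory. The detector below is an added example, not part of the Joe Sandbox report or of any vendor rule set; it parses Windows process-creation command lines and flags a schtasks /Create whose /XML argument points into a temp location. The events it scans are constructed for illustration: the first copies the command line recorded for Target ID 10, the others are invented. The file-name check assumes the task XML was produced with GetTempFileName (or .NET's Path.GetTempFileName, which wraps it), which names files tmpXXXX.tmp.

```python
"""Flag scheduled tasks registered from an XML file in a temp directory.

Added example, not part of the Joe Sandbox report. The process-creation
command lines in SAMPLE_EVENTS are constructed; the first copies the
command line recorded for Target ID 10, the rest are illustrative.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Lower-case, backslash-normalised substrings that mark a temp location.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\temp\\")

# GetTempFileName() names its files tmpXXXX.tmp (four hex digits); .NET's
# Path.GetTempFileName() wraps it, so a task XML with such a name was written
# by a program, not by an administrator exporting a task.
TEMPFILE_NAME = re.compile(r"^tmp[0-9a-f]{4}\.tmp$", re.IGNORECASE)

_TOKEN = re.compile(r'"[^"]*"|\S+')


@dataclass
class Finding:
    task_name: str
    xml_path: str
    reasons: list[str]


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [t.strip('"') for t in _TOKEN.findall(cmdline)]


def parse_schtasks(cmdline: str) -> dict[str, str] | None:
    """Return the verb and switch values of a schtasks command line, or None
    when the image is not schtasks."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    image = toks[0].lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks.exe", "schtasks"):
        return None
    opts: dict[str, str] = {}
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t in ("/create", "/delete", "/change", "/run", "/query"):
            opts["verb"] = t[1:]
        elif t in ("/tn", "/xml", "/tr", "/sc") and i + 1 < len(toks):
            opts[t[1:]] = toks[i + 1]   # switch takes the next token as value
            i += 1
        i += 1
    return opts


def is_temp_path(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(m in p for m in TEMP_MARKERS)


def check_event(cmdline: str) -> Finding | None:
    """Apply the 'task created from temp XML' logic to one process event."""
    opts = parse_schtasks(cmdline)
    if not opts or opts.get("verb") != "create":
        return None
    xml = opts.get("xml")
    if not xml or not is_temp_path(xml):
        return None
    reasons = ["task definition loaded from a temp directory"]
    if TEMPFILE_NAME.match(xml.rsplit("\\", 1)[-1]):
        reasons.append("XML file name matches the GetTempFileName pattern")
    return Finding(opts.get("tn", "<unnamed>"), xml, reasons)


def scan(events: list[str]) -> list[Finding]:
    return [f for f in map(check_event, events) if f is not None]


SAMPLE_EVENTS = [
    # copied from the report's Target ID 10
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ODIlHgaFNJ" /XML "C:\Users\user\AppData\Local\Temp\tmpD2AD.tmp"',
    # constructed: task registered from an XML in a normal location
    r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
    # constructed: inline task definition, no XML at all
    r'schtasks /Create /SC ONLOGON /TN "Updater" /TR "C:\Program Files\App\updater.exe"',
    # constructed: something other than schtasks
    r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.task_name!r} <- {f.xml_path}: {'; '.join(f.reasons)}")
```

The task name alone is a weak signal (an "Updates" folder is easy to rename), so the logic keys on where the task definition came from; in a real pipeline the same check can be applied to Security event 4698 (task created) by reading the embedded task XML instead of the command line.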

                                                              Execution Graph

                                                              Execution Coverage:10.3%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:128
                                                              Total number of Limit Nodes:7
                                                              execution_graph (interactive rendering omitted; 128 nodes). API nodes reached from the 0x03040000 region: GetModuleHandleW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, CreateActCtxA. API nodes reached from the 0x077A0000 region: PostMessageW, CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread. The second set is the process-hollowing (RunPE) chain: a child process is created, memory is allocated and written in it, the primary thread's context is redirected, and the thread is resumed. The Wow64 variant of SetThreadContext is consistent with the 32-bit (Wow64) processes in the table above.
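The execution graph above links CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext and ResumeThread in the 0x077A0000 region, which is the API sequence of process hollowing. The scorer below is an added example, not part of the Joe Sandbox report; it walks an API-call trace in order and credits each stage only when the call operates on the process and thread handles returned by the CreateProcess call, so a debugger that merely launches a suspended process, or a writer into some unrelated process, is not flagged. The traces are constructed: the API names follow the report's graph, while the handle values, flags and argument names are illustrative. As a generalisation beyond the graph it also accepts the W and Nt-level variants of each call.

```python
"""Score an API-call trace for the process-hollowing chain seen in the
execution graph: CreateProcess -> VirtualAllocEx -> WriteProcessMemory ->
(Wow64)SetThreadContext -> ResumeThread, all against the same child.

Added example, not part of the Joe Sandbox report. The traces below are
constructed; API names follow the report's graph, handles and flags are
illustrative.
"""
from __future__ import annotations

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit (WinBase.h)

# Ordered stages of the chain; any API in a stage's set satisfies it.
# Nt* and *W variants are included as a generalisation beyond the graph.
STAGES = (
    ("create", {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}),
    ("alloc", {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("context", {"SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
)


def analyse_trace(trace: list[dict]) -> dict:
    """Walk the trace in order. Each stage is credited once, and only when
    the call targets the child created at the first stage."""
    stage = 0
    child_proc = child_thread = None
    suspended = False
    hits: list[str] = []
    for call in trace:
        api, args = call["api"], call.get("args", {})
        if stage >= len(STAGES) or api not in STAGES[stage][1]:
            continue
        name = STAGES[stage][0]
        if name == "create":
            suspended = bool(args.get("dwCreationFlags", 0) & CREATE_SUSPENDED)
            child_proc, child_thread = args.get("hProcess"), args.get("hThread")
        elif name in ("alloc", "write") and args.get("hProcess") != child_proc:
            continue  # memory operation on some other process
        elif name in ("context", "resume") and args.get("hThread") != child_thread:
            continue  # touches a thread this chain did not create
        hits.append(api)
        stage += 1
    complete = stage == len(STAGES)
    if complete and suspended:
        verdict = "process hollowing"
    elif stage >= 3:
        verdict = "suspicious: partial injection chain"
    else:
        verdict = "benign"
    return {"stages": stage, "suspended": suspended, "hits": hits, "verdict": verdict}


# Constructed: follows the sample's graph, with the child being a second copy
# of the dropped executable (as in Target IDs 12 and 13 above).
HOLLOWING_TRACE = [
    {"api": "GetModuleHandleW", "args": {"lpModuleName": None}},
    {"api": "CreateProcessA", "args": {
        "lpApplicationName": r"C:\Users\user\AppData\Roaming\ODIlHgaFNJ.exe",
        "dwCreationFlags": CREATE_SUSPENDED, "hProcess": 0x2A8, "hThread": 0x2AC}},
    {"api": "ReadProcessMemory", "args": {"hProcess": 0x2A8}},   # read the child's PEB
    {"api": "VirtualAllocEx", "args": {"hProcess": 0x2A8, "flProtect": 0x40}},
    {"api": "WriteProcessMemory", "args": {"hProcess": 0x2A8}},  # headers
    {"api": "WriteProcessMemory", "args": {"hProcess": 0x2A8}},  # sections
    {"api": "Wow64SetThreadContext", "args": {"hThread": 0x2AC}},
    {"api": "ResumeThread", "args": {"hThread": 0x2AC}},
]

# Constructed: a debugger-style launch; suspended, but nothing is written.
SUSPENDED_ONLY_TRACE = [
    {"api": "CreateProcessW", "args": {
        "lpApplicationName": r"C:\Windows\System32\notepad.exe",
        "dwCreationFlags": CREATE_SUSPENDED, "hProcess": 0x300, "hThread": 0x304}},
    {"api": "ResumeThread", "args": {"hThread": 0x304}},
]

# Constructed: writes go to an unrelated process, so the chain does not line up.
CROSS_PROCESS_TRACE = [
    {"api": "CreateProcessW", "args": {
        "dwCreationFlags": CREATE_SUSPENDED, "hProcess": 0x300, "hThread": 0x304}},
    {"api": "VirtualAllocEx", "args": {"hProcess": 0x5F0}},
    {"api": "WriteProcessMemory", "args": {"hProcess": 0x5F0}},
    {"api": "ResumeThread", "args": {"hThread": 0x304}},
]

if __name__ == "__main__":
    for label, t in (("hollowing", HOLLOWING_TRACE), ("suspended only", SUSPENDED_ONLY_TRACE),
                     ("cross-process", CROSS_PROCESS_TRACE)):
        print(f"{label}: {analyse_trace(t)['verdict']}")
```

Requiring the handle continuity is what keeps the false-positive rate down: CreateProcess with CREATE_SUSPENDED and ResumeThread on their own are what every debugger and many installers do, and WriteProcessMemory into a process you did not just create is a different technique (classic remote injection) that deserves its own rule.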
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f34e09d18548dc9f8b52fcdf911db9dc5f69fe1dbfa91b91468f6d07b4d43ff8
                                                              • Instruction ID: d2a685875f7cb5f8d6b4882fbc3ba15f9dc7353e8e69c861f4c60bb208907c80
                                                              • Opcode Fuzzy Hash: f34e09d18548dc9f8b52fcdf911db9dc5f69fe1dbfa91b91468f6d07b4d43ff8
                                                              • Instruction Fuzzy Hash: 9CF1F0B0702345AFEB2ADB75C550BAE7BFAAFCA340F1449ADD0468B291DB34D901C761

                                                              Control-flow Graph

                                                              • Graph rendering omitted (executed/not-executed colouring not recoverable). Basic blocks 304cf90-304d16d; API calls in block order: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId, with an internal call to 304d578 between the second GetCurrentProcess and GetCurrentThreadId.
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0304D01E
                                                              • GetCurrentThread.KERNEL32 ref: 0304D05B
                                                              • GetCurrentProcess.KERNEL32 ref: 0304D098
                                                              • GetCurrentThreadId.KERNEL32 ref: 0304D0F1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084062236.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_3040000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 4f08a562a6f6caab1bcaa660ae73f2f01717ef7689362b4e54e1dd4cb5fb7711
                                                              • Instruction ID: 4ac9aaaad7c1e579aa37a8e9870be65700c39b3a900ec931a16f755b39c86385
                                                              • Opcode Fuzzy Hash: 4f08a562a6f6caab1bcaa660ae73f2f01717ef7689362b4e54e1dd4cb5fb7711
                                                              • Instruction Fuzzy Hash: 225166B09027498FDB54DFA9D548B9EBFF1FF88304F248469D408A7261D738A984CB65

                                                              Control-flow Graph

                                                              • Graph rendering omitted (executed/not-executed colouring not recoverable). Basic blocks 304cfa0-304d16d, a second entry into the function above; API calls in block order: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, internal call to 304d578, GetCurrentThreadId.
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 0304D01E
                                                              • GetCurrentThread.KERNEL32 ref: 0304D05B
                                                              • GetCurrentProcess.KERNEL32 ref: 0304D098
                                                              • GetCurrentThreadId.KERNEL32 ref: 0304D0F1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084062236.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_3040000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: d33d4ff2bce3a2283cbfceaabd246955e8b355ccd0e4d2a28b65e7dd7616a273
                                                              • Instruction ID: a6927b55dbca68ea5988a90edd62cb1a42d1cafb80e24e39d22ee000b34441bf
                                                              • Opcode Fuzzy Hash: d33d4ff2bce3a2283cbfceaabd246955e8b355ccd0e4d2a28b65e7dd7616a273
                                                              • Instruction Fuzzy Hash: 345164B09027098FDB54DFA9D548BAEBBF1FF88304F24C469D409A7261D738A984CF65

                                                              Control-flow Graph

                                                              • Graph rendering omitted (executed/not-executed colouring not recoverable). Basic blocks 77a7f40-77a8285; the only API call is CreateProcessA in block 77a80cf-77a8189, the remaining blocks are short loops and branches with no API calls.
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 077A8176
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: d14a0930d101ecc632971e6ae26b57ff8217fc96c9d4c96886e98f4d9e21cb51
                                                              • Instruction ID: 8f9c22ae92878a17309204da5eebac8c57285d67a519ad418f41fcb3153d3dc2
                                                              • Opcode Fuzzy Hash: d14a0930d101ecc632971e6ae26b57ff8217fc96c9d4c96886e98f4d9e21cb51
                                                              • Instruction Fuzzy Hash: 95917DB1D0061ADFEF15DF68C8407EEBBB2BF84350F148669D818A7280DB759985CF92

                                                              Control-flow Graph

                                                              • Graph rendering omitted (executed/not-executed colouring not recoverable). Basic blocks 77a7f3d-77a8285, a second entry into the function above; the only API call is CreateProcessA in block 77a80cf-77a8189.
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 077A8176
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 9e960f3220bce83fa78cf3d697bcc9f8d7d61f9f17d48c326206e8d86acde97c
                                                              • Instruction ID: 1e8eff9701652befe445bc25158eeb8d7e68d0cd9607bb9cd683ae23c499df58
                                                              • Opcode Fuzzy Hash: 9e960f3220bce83fa78cf3d697bcc9f8d7d61f9f17d48c326206e8d86acde97c
                                                              • Instruction Fuzzy Hash: 8D916EB1D0061ADFEB15DF68C8407EEBBB2BF84350F148669D818A7240DB759985CF92

                                                              Control-flow Graph

                                                              • Graph rendering omitted (executed/not-executed colouring not recoverable). Basic blocks 304ad08-304af88; internal calls to 304a02c, 304af90/304afa0, 304a038, 304a048, 304a058, 304a068 and 304b270/304b2a0; the only API call is GetModuleHandleW in block 304af40-304af6b.
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0304AF5E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084062236.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_3040000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: cd013628e5fe81bde6bdbf921ec452f49052c5e3427a8984ff4c4578becf76a2
                                                              • Instruction ID: 3041945cf2954efa59f7dcddea8ae20b7bd490924eb6e1dc460d887e5071f8e2
                                                              • Opcode Fuzzy Hash: cd013628e5fe81bde6bdbf921ec452f49052c5e3427a8984ff4c4578becf76a2
                                                              • Instruction Fuzzy Hash: B47176B0A01B058FDB64DF6AD04479ABBF5FF88300F04892DD44ADBA50DB35EA49CB90

                                                              Control-flow Graph

                                                              • Graph rendering omitted (executed/not-executed colouring not recoverable). Basic blocks 30458ec-3045a41; the only API call is CreateActCtxA in block 30458fc-30459b9.
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 030459A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084062236.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_3040000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 13586209d8b723bfad7a78147d7a6aba8854e5b0b5380d049e94c1fcbedbf88e
                                                              • Instruction ID: b6062784dc31009dd6f954e21223d4a9868c08e8959ff1bb39e1c8d95f0f4cd8
                                                              • Opcode Fuzzy Hash: 13586209d8b723bfad7a78147d7a6aba8854e5b0b5380d049e94c1fcbedbf88e
                                                              • Instruction Fuzzy Hash: 2B41EFB0C01719CFDB28DFA9C88479DBBF1BF49304F24806AD418AB255DB766946CF91

                                                              Control-flow Graph

                                                              • Graph rendering omitted (executed/not-executed colouring not recoverable). Basic blocks 30444b0-3045a41, a second entry into the function above; the only API call is CreateActCtxA in block 30444b0-30459b9.
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 030459A9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084062236.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_3040000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 4ed8dbc434121effc840d36ec2814e8541cac0aa744d1d6d731b45ad1d2790cb
                                                              • Instruction ID: c7758a4022cf554e2fb45b8a9ac945bc2d5b14de1c5ad11dd9839bfd8ef4c0aa
                                                              • Opcode Fuzzy Hash: 4ed8dbc434121effc840d36ec2814e8541cac0aa744d1d6d731b45ad1d2790cb
                                                              • Instruction Fuzzy Hash: 9041FFB0C0171DCBDB24DFA9C884B9EBBF5BF49304F24806AD418AB251DB766946CF91

                                                               Control-flow Graph: entry block 77a7cb0-77a7d06, call block 77a7d16-77a7d55 (WriteProcessMemory)
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077A7D48
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: 467f9a8c115ff40480ed595d2cd9fbc97b76f020b14a160475a0aaf51dd811c9
                                                              • Instruction ID: 3d67b3eef4662879fc5a0304d06753b7e926f82047cb6ad8ae330539e1be8943
                                                              • Opcode Fuzzy Hash: 467f9a8c115ff40480ed595d2cd9fbc97b76f020b14a160475a0aaf51dd811c9
                                                              • Instruction Fuzzy Hash: E02127B19003099FDF14DFA9C885BEEBBF5FF88310F108829E919A7240D7789955CBA0

                                                               Control-flow Graph: entry block 77a7cb8-77a7d06, call block 77a7d16-77a7d55 (WriteProcessMemory)
                                                              APIs
                                                              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077A7D48
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessWrite
                                                              • String ID:
                                                              • API String ID: 3559483778-0
                                                              • Opcode ID: e5475f1c4ea4d2cc52f1c07813c527d4ffc5d6fd9f4378ee750193c7728ce6d1
                                                              • Instruction ID: ddeaec8be7f72677f7bf3e1d10c88e324f400e6e36a8920fe99b02987fe24556
                                                              • Opcode Fuzzy Hash: e5475f1c4ea4d2cc52f1c07813c527d4ffc5d6fd9f4378ee750193c7728ce6d1
                                                              • Instruction Fuzzy Hash: 842127B19003099FDB14DFA9C885BEEBBF5FF88310F108829E919A7240D7789954CBA0

                                                               Control-flow Graph: entry block 77a7b18-77a7b6b, call block 77a7b7b-77a7bab (Wow64SetThreadContext)
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077A7B9E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 6fc6ba16b7bd457862efa206d7210391cdf8c090767a0bc25aff2998a12dcf96
                                                              • Instruction ID: b8b96fd52819dd38236dca00d77be44d3b119ef61e9b939e9e2ca513d58a8da6
                                                              • Opcode Fuzzy Hash: 6fc6ba16b7bd457862efa206d7210391cdf8c090767a0bc25aff2998a12dcf96
                                                              • Instruction Fuzzy Hash: D82168B19003099FDB14DFAAC485BEEBBF4EF88350F148429D419A7240CB78A985CFA1

                                                               Control-flow Graph: entry block 77a7da1-77a7e35 (ReadProcessMemory)
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077A7E28
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 55ad699cc9101dd9430a4c7302bd0f3041ff0b0598f1a94967244b39476b7589
                                                              • Instruction ID: ea18dfe18548b77445b58a78f619e7aff0eaee1650215643774ecf169a2f0480
                                                              • Opcode Fuzzy Hash: 55ad699cc9101dd9430a4c7302bd0f3041ff0b0598f1a94967244b39476b7589
                                                              • Instruction Fuzzy Hash: EA2128B18003499FDB14DFAAC845AEEFBF5FF48310F108829E519A7240D7789945CBA1

                                                               Control-flow Graph: entry block 304d5e9-304d5ee, call block 304d5f5-304d684 (DuplicateHandle)
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0304D677
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084062236.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_3040000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 652dd7c2aaaea5636603c97277c8118b8631e98d8705dd5851a1f3c58dfc0f01
                                                              • Instruction ID: 15f0964d4757f385dce34b197fa49fd82a55aea78c7cef0b70664b0f69945a16
                                                              • Opcode Fuzzy Hash: 652dd7c2aaaea5636603c97277c8118b8631e98d8705dd5851a1f3c58dfc0f01
                                                              • Instruction Fuzzy Hash: 912128B59012089FDB10CF9AD484ADEFFF4FB48310F14841AE918A3310D378AA40CFA5
                                                              APIs
                                                              • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077A7E28
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: MemoryProcessRead
                                                              • String ID:
                                                              • API String ID: 1726664587-0
                                                              • Opcode ID: 1c16aa37ffb55da82c4add3326a36a1890ac3a23a07be5368916746f0abcda98
                                                              • Instruction ID: cc4848e90974737c3cb9736a2c32993c4e236c5dbf9d46af5d1abc1eb1f5391f
                                                              • Opcode Fuzzy Hash: 1c16aa37ffb55da82c4add3326a36a1890ac3a23a07be5368916746f0abcda98
                                                              • Instruction Fuzzy Hash: 522128B18002499FDB14DFAAC840AEEFBF5FF48310F108829E519A7240D7389940CBA1

                                                               Control-flow Graph: entry block 77a7b20-77a7b6b, call block 77a7b7b-77a7bab (Wow64SetThreadContext)
                                                              APIs
                                                              • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077A7B9E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: ContextThreadWow64
                                                              • String ID:
                                                              • API String ID: 983334009-0
                                                              • Opcode ID: 954f27d1e0dd026dc664d34cd941c3855250f4c71734ed27230b888456c0ab67
                                                              • Instruction ID: 757918a85ab83af3544c76c80f48a2dd9648ae65f81b01dbafb539cc22abed1a
                                                              • Opcode Fuzzy Hash: 954f27d1e0dd026dc664d34cd941c3855250f4c71734ed27230b888456c0ab67
                                                              • Instruction Fuzzy Hash: 382138B19003099FDB14DFAAC4857EEBBF4EF89314F148429D419A7240CB789945CFA1
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0304D677
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084062236.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_3040000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: e5481a19e3fcb9945ba37ccf02fcc6d0165e65eae7117b98995a0f0cb6dcfbd7
                                                              • Instruction ID: 44751750cba806852ba46352af6fed418e152c88f5b127b3b49ad6755796f838
                                                              • Opcode Fuzzy Hash: e5481a19e3fcb9945ba37ccf02fcc6d0165e65eae7117b98995a0f0cb6dcfbd7
                                                              • Instruction Fuzzy Hash: 7E21D3B59012489FDB10DFAAD984ADEFFF9FB48310F14841AE918A3350D378A944CFA5
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077A7C66
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: 9669b47f287c63a565e7d6a461c61d7ce672f67c48e5b1cc9b11808afe3e3a5e
                                                              • Instruction ID: 0c282ddf1fb062641113a7c25351cebd659c7123e01d4f9fed3f203e1cb01ad8
                                                              • Opcode Fuzzy Hash: 9669b47f287c63a565e7d6a461c61d7ce672f67c48e5b1cc9b11808afe3e3a5e
                                                              • Instruction Fuzzy Hash: B91159B28002099FCB14DFAAC845ADFBFF9EF88320F148819E519A7250C779A544CFA1
                                                              APIs
                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077A7C66
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: AllocVirtual
                                                              • String ID:
                                                              • API String ID: 4275171209-0
                                                              • Opcode ID: bf262de6967881f934d2af99d3a20a367caea2d5f8edd31a778570433f6465db
                                                              • Instruction ID: 819618e2a38c9f560ce32e4e3b4eb8773652232bca2e382332d4e4b07f622c97
                                                              • Opcode Fuzzy Hash: bf262de6967881f934d2af99d3a20a367caea2d5f8edd31a778570433f6465db
                                                              • Instruction Fuzzy Hash: 9F113AB19002499FDB14DFAAC844ADFBFF5EF88320F148819D519A7250C7759540CFA1
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: ResumeThread
                                                              • String ID:
                                                              • API String ID: 947044025-0
                                                              • Opcode ID: 528c073698138ef12af58f8956c1bd866338570737a2df77e9960c20ea13f943
                                                              • Instruction ID: 31e790468f2ea9d0832858613374518b827e2b2cf0b7d512250ca78885b62dba
                                                              • Opcode Fuzzy Hash: 528c073698138ef12af58f8956c1bd866338570737a2df77e9960c20ea13f943
                                                              • Instruction Fuzzy Hash: 9E1128B1D002499BDB14DFAAC4457AEFBF5EF88314F248819D519A7240CB79A544CFA1
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 077ABDAD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: 3a2aa3b38057b849cbc95fa1e46c862529a56e5372b8faffefaae4a60cc3dfc8
                                                              • Instruction ID: b2ec40e77502c0257a1c9d161242132bc8aa5c219283b06333f8c3e47d61c4e4
                                                              • Opcode Fuzzy Hash: 3a2aa3b38057b849cbc95fa1e46c862529a56e5372b8faffefaae4a60cc3dfc8
                                                              • Instruction Fuzzy Hash: 9D11E3B58003499FDB10DF99C485BDEFBF8FB48324F108419E558A7210D379A984CFA5
                                                              APIs
                                                              • PostMessageW.USER32(?,00000010,00000000,?), ref: 077ABDAD
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: MessagePost
                                                              • String ID:
                                                              • API String ID: 410705778-0
                                                              • Opcode ID: f208f909c9b05271860a4b6a25bb645e62643531cae36d03685cae049d14b2b5
                                                              • Instruction ID: 539077de4a94fc08a4efc0dcaa27d47fe0548ce4817139dad5db55c073e353b4
                                                              • Opcode Fuzzy Hash: f208f909c9b05271860a4b6a25bb645e62643531cae36d03685cae049d14b2b5
                                                              • Instruction Fuzzy Hash: D011F2B58003499FDB10DF9AD484BDEBBF8EB48320F108959E518A7210C379A954CFA1
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 0304AF5E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084062236.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_3040000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: c7771f61b982de538a2ba4dd8a40545a980e845c405d7cb834638a8d88cb4215
                                                              • Instruction ID: fb3268d2e97ee1c84fbdf91c43e34eb2d5601c67dd2a88a253c02bce17808e80
                                                              • Opcode Fuzzy Hash: c7771f61b982de538a2ba4dd8a40545a980e845c405d7cb834638a8d88cb4215
                                                              • Instruction Fuzzy Hash: 2E11F2B5D003498FDB10DF9AC444ADEFBF4EF88314F14846AD819A7210C379A645CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2083198160.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_150d000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 49dabfa946e13fb86a77decc94f8bc8cfa966a31a5ad23754ec0063143f2e3b3
                                                              • Instruction ID: 5003e7208acec586fbc0311ba6f716be7b552760cbcb8c6333a2297109cc58c4
                                                              • Opcode Fuzzy Hash: 49dabfa946e13fb86a77decc94f8bc8cfa966a31a5ad23754ec0063143f2e3b3
                                                              • Instruction Fuzzy Hash: 30210671500204DFDB06DFD8D9C0B6ABFB5FB98324F21C569E9090F296C37AE456C6A2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2083616777.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_171d000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 83d383718827b9a07ba0f3fb64774a572774691596b9e73b5d1a0ccb641a0a43
                                                              • Instruction ID: 8f63bb6d025350274d99af6bbc6bf0cbf62122ac0a3c3628b556099fee07b8f2
                                                              • Opcode Fuzzy Hash: 83d383718827b9a07ba0f3fb64774a572774691596b9e73b5d1a0ccb641a0a43
                                                              • Instruction Fuzzy Hash: C321F571508204DFDB25DF9CD5C8B66FBA5FB88324F20C6ADD9194B25AC33AD406CE61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2083616777.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_171d000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7099a698b11dfe698fd040c3a08c9c4261bee4312ab0fd29852d2124e7564ca6
                                                              • Instruction ID: 52ecc63635923c1034710b14363a241d3355cf97346242f7065a5a42a3830153
                                                              • Opcode Fuzzy Hash: 7099a698b11dfe698fd040c3a08c9c4261bee4312ab0fd29852d2124e7564ca6
                                                              • Instruction Fuzzy Hash: BA210075604204DFCB25DFACD988B26FF65EB88314F20C5ADD90A0B25AC33AD406CA62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2083198160.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_150d000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                              • Instruction ID: d50632490b8c6b943fa7fbd6f63387f2b179624aeefd74eb2309dca19e06a2c8
                                                              • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                                              • Instruction Fuzzy Hash: FF11CD72404240CFDB02CF84D5C4B5ABF71FB84224F24C6A9D9090A256C33AE45ACBA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2083616777.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_171d000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction ID: 3aba8071f24cca0aef1f65aeafd2b11c0ebd9e933249de7f6c45df768e5d5bbf
                                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction Fuzzy Hash: 8B11BE75504280CFDB12CF58D5C8B15FF61FB48314F24C6A9D8494B65AC33AD44ACF62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2083616777.000000000171D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0171D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_171d000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction ID: 5f684b30b74dd1d3733efee2422e6acbc8f8b05a9061e8ae6bcee27b82d39750
                                                              • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                              • Instruction Fuzzy Hash: B611BB75508280DFDB12CF58C5C8B15FFA1FB84224F24C6A9D8494B69AC33AD40ACF62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2083198160.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_150d000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ea9fa714ab8660e47a9cc23eef8408748a2e053f2ada138a333d0c19f27d3f81
                                                              • Instruction ID: 28904581158c124e253501361a622202da7f23fc8ebaa6139897eccd5e7fc8a7
                                                              • Opcode Fuzzy Hash: ea9fa714ab8660e47a9cc23eef8408748a2e053f2ada138a333d0c19f27d3f81
                                                              • Instruction Fuzzy Hash: 1001A7710043849AE7228AD9CD84B66FFECFF85320F18C82AED094E2C7C3799840CA71
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2083198160.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_150d000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: fcd85eee70c30985f39b3f1daa6d0797908c90959bc771401c8026ce990cd8bd
                                                              • Instruction ID: cd9b79b508dbf68fc19bec823343d7117394bc23559726c99dc81e0fcd5fe6c5
                                                              • Opcode Fuzzy Hash: fcd85eee70c30985f39b3f1daa6d0797908c90959bc771401c8026ce990cd8bd
                                                              • Instruction Fuzzy Hash: D9F0C8710043449EE7118A4ACC84766FFA8FF45734F18C45AED080F287C3795840CA70
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2d8a75db8e675074676829565713d01f52650f53e65b4efdadb4870309a0e769
                                                              • Instruction ID: 5cf56d39a9f09c281e12ccb0736f9a360dc4662bf82d40c7d91850478d59436d
                                                              • Opcode Fuzzy Hash: 2d8a75db8e675074676829565713d01f52650f53e65b4efdadb4870309a0e769
                                                              • Instruction Fuzzy Hash: DAE1F9B4E102199FDB14DFA9C5809AEBBF2FF89305F248269D414AB356D730AD81CF61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ec2d62bbf9b993ed6fb5ebb70ce8115a82b9c581c76089cd7967a899e36af93
                                                              • Instruction ID: 8423326c2c07f99998e2dbc0c889acc51f8fc2234d7c7abe6555cda24cf7c250
                                                              • Opcode Fuzzy Hash: 5ec2d62bbf9b993ed6fb5ebb70ce8115a82b9c581c76089cd7967a899e36af93
                                                              • Instruction Fuzzy Hash: 1EE107B4E101199FDB14DFA9C5809AEBBF2FF89305F248269D414AB356D730AD81CFA0
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: aad6db8aa002edcdb515dfe465e4415d23ccef9744ab84a929dea30a3835cf75
                                                              • Instruction ID: 12d7d751b39ff6fcfc301b37e9f193dae8bd1bc90e68cb6397a05f05b2148700
                                                              • Opcode Fuzzy Hash: aad6db8aa002edcdb515dfe465e4415d23ccef9744ab84a929dea30a3835cf75
                                                              • Instruction Fuzzy Hash: BCE1F8B4E101199FDB14DFA9C5809AEBBF2FF89305F248269D414AB356D730AD81CF61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 69b35aa33695b24cc51ceea26ce1bcd19c203618cdce8b2ce26bb6cb3e97a879
                                                              • Instruction ID: 63315b445ca0d49e8c97e9aa54485fbdcd4b49625954194d46831b433c040a8b
                                                              • Opcode Fuzzy Hash: 69b35aa33695b24cc51ceea26ce1bcd19c203618cdce8b2ce26bb6cb3e97a879
                                                              • Instruction Fuzzy Hash: FFE1F8B4E001199FDB14DFA9C5809AEBBF2FF89305F648269D414AB356D730AD81CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4c6d1f531baaffba9eb87b17273666bfb10e7e762d3dfbc031398888f0a538fd
                                                              • Instruction ID: 103177dd250fc03bd1b0b409083a945d5b5f5f52b9b58adf071123f671efd920
                                                              • Opcode Fuzzy Hash: 4c6d1f531baaffba9eb87b17273666bfb10e7e762d3dfbc031398888f0a538fd
                                                              • Instruction Fuzzy Hash: 77E119B4E002199FDB14DFA8C5809AEBBF2FF89345F248269D414AB356C730AD81CF61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2084062236.0000000003040000.00000040.00000800.00020000.00000000.sdmp, Offset: 03040000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_3040000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 218ae43d883d8a175a4f6bc5c00acf4ee1326791e3021ce2cf9d0082929cae92
                                                              • Instruction ID: 943537e64cbc2868d9afeed4fe088a7ded1b691c67e8a491b6a68e1dc9f90f0b
                                                              • Opcode Fuzzy Hash: 218ae43d883d8a175a4f6bc5c00acf4ee1326791e3021ce2cf9d0082929cae92
                                                              • Instruction Fuzzy Hash: 0FA16A76A0120A8FCF05DFB5C9404DEBBF2FF85300B1585BAE905AB265DB75EA46CB40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ae0898948af844227756988626ab47165a8dc18a9ba4527674997985a6234e70
                                                              • Instruction ID: 8b2108e66efde45ec5f130d246aaac9a03b6972ba15f2091c343646297cbb950
                                                              • Opcode Fuzzy Hash: ae0898948af844227756988626ab47165a8dc18a9ba4527674997985a6234e70
                                                              • Instruction Fuzzy Hash: D5511AB4E102198FDB14CFA9C5805AEBBF2EF89300F24C16AD418A7256D730AE41CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b83b5c8782d88232ecb2d6ff0ff829deae52d506f2d518c681883c35ffb30782
                                                              • Instruction ID: 23f8cd36fdebc6b7649d980bc638d3c2a8b2c53b88af6fbe1fd1344973a49fd0
                                                              • Opcode Fuzzy Hash: b83b5c8782d88232ecb2d6ff0ff829deae52d506f2d518c681883c35ffb30782
                                                              • Instruction Fuzzy Hash: 2451FBB4E002199BDB18CFA9C5805AEBBF2FF89305F24C269D418A7356D731A941CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5c4c9f3a28f4245d14074d8722db410e644dd8f57878c3d5e4e222a7586825cc
                                                              • Instruction ID: c56e7c1dd69d93078ec77c904c1a0e80c023959924045c0e9b54862befa9d3c0
                                                              • Opcode Fuzzy Hash: 5c4c9f3a28f4245d14074d8722db410e644dd8f57878c3d5e4e222a7586825cc
                                                              • Instruction Fuzzy Hash: 1BE0E5F4959248EBDB108F94E4846F8B7FCE78B391F05A2A9C50EA3135D7305598CF40
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.2093373033.00000000077A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077A0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_77a0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dada00a02ed30ba668e4970894ce1e52217ac595ca7c9415043c11698672e2c7
                                                              • Instruction ID: f66128c198378fc48d47d0ed5a3259a30d817d1dfa95075ad7c7ad971c55aaac
                                                              • Opcode Fuzzy Hash: dada00a02ed30ba668e4970894ce1e52217ac595ca7c9415043c11698672e2c7
                                                              • Instruction Fuzzy Hash: F3C04CA599F548A9D510499C68880F4F768A7C7175F1573BDC97D630E14110451546C8

                                                              Execution Graph

                                                              Execution Coverage:9.8%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:65
                                                              Total number of Limit Nodes:6
                                                              execution_graph 26491 60bccea 26492 60bccf0 GetModuleHandleW 26491->26492 26494 60bcd65 26492->26494 26495 f70848 26497 f7084e 26495->26497 26496 f7091b 26497->26496 26499 f71380 26497->26499 26501 f71396 26499->26501 26500 f71488 26500->26497 26501->26500 26504 60bb0f8 26501->26504 26508 60bb0cf 26501->26508 26505 60bb10a 26504->26505 26507 60bb181 26505->26507 26513 60bae1c 26505->26513 26507->26501 26509 60bb06d 26508->26509 26510 60bb0da 26508->26510 26511 60bae1c 2 API calls 26510->26511 26512 60bb181 26510->26512 26511->26512 26512->26501 26514 60bae27 26513->26514 26518 60bc2b8 26514->26518 26527 60bc2a3 26514->26527 26515 60bb35a 26515->26507 26519 60bc2e3 26518->26519 26536 60bc831 26519->26536 26541 60bc840 26519->26541 26520 60bc366 26521 60bb810 GetModuleHandleW 26520->26521 26523 60bc392 26520->26523 26522 60bc3d6 26521->26522 26524 60bdd4d CreateWindowExW 26522->26524 26524->26523 26528 60bc2e3 26527->26528 26534 60bc831 GetModuleHandleW 26528->26534 26535 60bc840 GetModuleHandleW 26528->26535 26529 60bc366 26530 60bb810 GetModuleHandleW 26529->26530 26532 60bc392 26529->26532 26531 60bc3d6 26530->26531 26566 60bdd4d 26531->26566 26534->26529 26535->26529 26537 60bc86d 26536->26537 26538 60bc8ee 26537->26538 26546 60bca0f 26537->26546 26554 60bca9e 26537->26554 26542 60bc86d 26541->26542 26543 60bc8ee 26542->26543 26544 60bca0f GetModuleHandleW 26542->26544 26545 60bca9e GetModuleHandleW 26542->26545 26544->26543 26545->26543 26547 60bca1a 26546->26547 26562 60bb810 26547->26562 26549 60bcb3a 26550 60bb810 GetModuleHandleW 26549->26550 26553 60bcbb4 26549->26553 26551 60bcb88 26550->26551 26552 60bb810 GetModuleHandleW 26551->26552 26551->26553 26552->26553 26553->26538 26555 60bcaee 26554->26555 26556 60bb810 GetModuleHandleW 26555->26556 26557 60bcb3a 26556->26557 26558 60bb810 GetModuleHandleW 26557->26558 26559 60bcbb4 26557->26559 26560 60bcb88 26558->26560 26559->26538 26560->26559 
26561 60bb810 GetModuleHandleW 26560->26561 26561->26559 26563 60bccf0 GetModuleHandleW 26562->26563 26565 60bcd65 26563->26565 26565->26549 26567 60bdd51 26566->26567 26568 60bdd85 CreateWindowExW 26566->26568 26567->26532 26570 60bdebc 26568->26570 26570->26570
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e4b3d451a8c3e299cdd0d485f94040564e5df99de998d1324f9584b966b587e1
                                                              • Instruction ID: 6ad7785bd223f4407026aa863d57a7a09bc8f06413f1fdb6d710b7f070cd1969
                                                              • Opcode Fuzzy Hash: e4b3d451a8c3e299cdd0d485f94040564e5df99de998d1324f9584b966b587e1
                                                              • Instruction Fuzzy Hash: 00631831C10B1A8ADB51EF68C8906ADF7B1FF99310F15C79AE45877121EB70AAD4CB81
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c9fd92714dd5935472c66c199e1ac053bb17c0bd75c1740fb34df8ae346a18ce
                                                              • Instruction ID: 0e35b5d8d40c8e0a32e0e9932473c357bdbd2fde825dc9be14f9d9e33112407a
                                                              • Opcode Fuzzy Hash: c9fd92714dd5935472c66c199e1ac053bb17c0bd75c1740fb34df8ae346a18ce
                                                              • Instruction Fuzzy Hash: 1A329D35A042058FDB14DF68D984AADBBB6FF88320F24C56AE409EB395DB74DC42CB41
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 92e4e05f2eb6857b075ae31aa21a560f137313e0f1613aeec554c094c39c88c1
                                                              • Instruction ID: ce008494f060368a626a63548fddc494c81ba3128b2964dcfa6a3e58782ec4fe
                                                              • Opcode Fuzzy Hash: 92e4e05f2eb6857b075ae31aa21a560f137313e0f1613aeec554c094c39c88c1
                                                              • Instruction Fuzzy Hash: 0AB13D70E00209CFDF10CFA9D98579DBBF2AF88714F14C52AD459E7294EB74A885DB82
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 60cf3df4bb37b6643747f996633b06f9be06a93ba12425c4bb7a96fc2b24374f
                                                              • Instruction ID: 573b89816562db0c0da0754276f0755ade14c1c75a5eaf666acc537e29f2d807
                                                              • Opcode Fuzzy Hash: 60cf3df4bb37b6643747f996633b06f9be06a93ba12425c4bb7a96fc2b24374f
                                                              • Instruction Fuzzy Hash: 2B918F70E00209DFDF14DFA9C9817DDBBF2AF88314F14C12AE419A7294EB749985DB86

                                                              Control-flow Graph

                                                              control_flow_graph 1597 f76ee0-f76f4a call f76c48 1606 f76f66-f76f94 1597->1606 1607 f76f4c-f76f65 call f7638c 1597->1607 1613 f76f96-f76f99 1606->1613 1614 f76f9b call f778f0 1613->1614 1615 f76fa9-f76fac 1613->1615 1618 f76fa1-f76fa4 1614->1618 1616 f76fc0-f76fc3 1615->1616 1617 f76fae-f76fb5 1615->1617 1621 f76fc5-f76ffa 1616->1621 1622 f76fff-f77002 1616->1622 1619 f770f3-f770f9 1617->1619 1620 f76fbb 1617->1620 1618->1615 1620->1616 1621->1622 1623 f77035-f77037 1622->1623 1624 f77004-f77018 1622->1624 1625 f7703e-f77041 1623->1625 1626 f77039 1623->1626 1629 f7701e 1624->1629 1630 f7701a-f7701c 1624->1630 1625->1613 1628 f77047-f77056 1625->1628 1626->1625 1633 f77080-f77096 1628->1633 1634 f77058-f7707e 1628->1634 1631 f77021-f77030 1629->1631 1630->1631 1631->1623 1633->1619 1634->1633
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR]q$LR]q
                                                              • API String ID: 0-3917262905
                                                              • Opcode ID: bed3df5637fd85c42b8090f778a83bbe518832e0e6010d91afb26796a2bae08b
                                                              • Instruction ID: fdb0c383bd53b9e2a97011f765bf1f92bf5e62c38fb0818172cc9dfef6d9d759
                                                              • Opcode Fuzzy Hash: bed3df5637fd85c42b8090f778a83bbe518832e0e6010d91afb26796a2bae08b
                                                              • Instruction Fuzzy Hash: 0B51B030E143059FDB15DF78C4506AEB7B2EF86314F24846AE409EB391EB759C428B92

                                                              Control-flow Graph

                                                              control_flow_graph 1834 60bdd4d-60bdd4f 1835 60bdd51-60bdd78 call 60bb91c 1834->1835 1836 60bdd85-60bddfe 1834->1836 1840 60bdd7d-60bdd7e 1835->1840 1838 60bde09-60bde10 1836->1838 1839 60bde00-60bde06 1836->1839 1841 60bde1b-60bdeba CreateWindowExW 1838->1841 1842 60bde12-60bde18 1838->1842 1839->1838 1844 60bdebc-60bdec2 1841->1844 1845 60bdec3-60bdefb 1841->1845 1842->1841 1844->1845 1849 60bdf08 1845->1849 1850 60bdefd-60bdf00 1845->1850 1851 60bdf09 1849->1851 1850->1849 1851->1851
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060BDEAA
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4530077792.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_60b0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060BDEAA
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4530077792.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_60b0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0

                                                              Control-flow Graph

                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 060BDEAA
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4530077792.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_60b0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 060BCD56
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4530077792.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_60b0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0

                                                              Control-flow Graph

                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 060BCD56
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4530077792.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_60b0000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PH]q
                                                              • API String ID: 0-3168235125
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR]q
                                                              • API String ID: 0-3081347316
                                                              • Instruction ID: 8b6a0527c738663fc4577a18fdd59c3eec17c20697190cf8fcdd18fdf59135f9
                                                              • Opcode Fuzzy Hash: 039809a541fa0d7991674b4f12a766a928613b6434616238219153b086d1e9f1
                                                              • Instruction Fuzzy Hash: 7D318135E10605DBCB19CFA8E45469EB7B2FF89310F10C52AE80AEB395DB70AC46CB51
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 94465766e502c5d3ea7d369435df589fe830239e6cc3e1e4b6f46ed9a6e1c96a
                                                              • Instruction ID: 31d89f0c0e28a36073c265e6ef46d02f62344625920002d0a17f5d23b19aca76
                                                              • Opcode Fuzzy Hash: 94465766e502c5d3ea7d369435df589fe830239e6cc3e1e4b6f46ed9a6e1c96a
                                                              • Instruction Fuzzy Hash: A7319E34A00611CFCB14EB78C95079D33B2EF48715B60446DD40AAB390DBB69C46DB92
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1e8d67338e7221f5a61afa3999068dd2735dec1702de86afa900c0d31eca1d75
                                                              • Instruction ID: 613e0cc61edc56a267eca7e43a90af28efdf690f1266f7599abf5ce8a5ff9d14
                                                              • Opcode Fuzzy Hash: 1e8d67338e7221f5a61afa3999068dd2735dec1702de86afa900c0d31eca1d75
                                                              • Instruction Fuzzy Hash: 2041DFB0D002499FDB14DFA9C584ADEBFF5FF48310F24842AE809AB254DB75A945CB91
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e2a3711cf7ab1deca1e140d7c88513c847bb18a5ac886691664c8bb76146218d
                                                              • Instruction ID: 828de40fae63b8618db17934230e77eac987231cff4fcd1c17b3a6a964351029
                                                              • Opcode Fuzzy Hash: e2a3711cf7ab1deca1e140d7c88513c847bb18a5ac886691664c8bb76146218d
                                                              • Instruction Fuzzy Hash: 9831AE34B00615CFCB14EB78C91079D33B6EF48B51F604869D40AAB390DBB6DC46DB92
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7bf6eea173aa225f8c0759a3d03254f4f8215572cb2c6a111cec5a3f4c7cc4a9
                                                              • Instruction ID: 5fd8f52c753de4884827271f1681a37b8c7849b672a4cb995188d1f99c221000
                                                              • Opcode Fuzzy Hash: 7bf6eea173aa225f8c0759a3d03254f4f8215572cb2c6a111cec5a3f4c7cc4a9
                                                              • Instruction Fuzzy Hash: 18218034F0420A8BDB689EA9D48066FB7B6FB85320F60882AD41DE7340C674DD429B83
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ccfc5493a5336849eea6dbd9cc00ca75709f96631a2d738be2ed8bcd0145af58
                                                              • Instruction ID: 3f1da85a7fec36539977d4bf6fbb8811e0d08da0c640c131fe517f7580819268
                                                              • Opcode Fuzzy Hash: ccfc5493a5336849eea6dbd9cc00ca75709f96631a2d738be2ed8bcd0145af58
                                                              • Instruction Fuzzy Hash: A2318231E142059BDB45DF64D88479EB7B6FF89310F14C61AE809EB385E7B09946CB81
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 307d54f57e02cb75017886dfd36de88045f0008e6bc2bf305e8e18098ee13a5e
                                                              • Instruction ID: ee07a6969065e6b836ef9de265c3b0306ccaff61aa422805bf3c7d5232c21cd0
                                                              • Opcode Fuzzy Hash: 307d54f57e02cb75017886dfd36de88045f0008e6bc2bf305e8e18098ee13a5e
                                                              • Instruction Fuzzy Hash: 3B215131E1420A9BDB05DFA5D48469EF7B6FF85310F10C51AE809AB295DBB09C46CB92
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: abe07dfebdf43ccaf99443c7b4e5b64ad761d1a0e90a607364f9875c11fe1a5d
                                                              • Instruction ID: d3c614f09df15f3e04ac53a568334fd9b97524942a5dbd40a12ab9e800eb1ea7
                                                              • Opcode Fuzzy Hash: abe07dfebdf43ccaf99443c7b4e5b64ad761d1a0e90a607364f9875c11fe1a5d
                                                              • Instruction Fuzzy Hash: AA219231E042069BCB14DF64D85469EF7B2AF89310F61C52AE819B7251DBB0AD46CB52
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e3cf28eec163dac6bf63ff6794cfab6569ab4edbb6bcf8b52f9de3d47ec722d0
                                                              • Instruction ID: fc215662926e8fe04386b5dc3946f87dfe23ae18e9e3cc95db32c635e8bf27ed
                                                              • Opcode Fuzzy Hash: e3cf28eec163dac6bf63ff6794cfab6569ab4edbb6bcf8b52f9de3d47ec722d0
                                                              • Instruction Fuzzy Hash: 15218E70A042008FDB719B38E4853A93766FB57325F10886FE44ECB695DA2E9C8DC743
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4524915205.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_e1d000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9352cd7562529abb79b0eae492eb26c04e37f58cbca5bdd73d201c7b69a837c2
                                                              • Instruction ID: 3fad05c32c95b8c4c62e3ec9ba20d14e9dd39db1cf533fabf344aae1897e3f0d
                                                              • Opcode Fuzzy Hash: 9352cd7562529abb79b0eae492eb26c04e37f58cbca5bdd73d201c7b69a837c2
                                                              • Instruction Fuzzy Hash: D521F275608204DFCB15DF24D984B66BF66FB88318F20C56DD90A5B296C33AD887CA62
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8d2a23c9d2a0b49e6b0a3ad2eb0da3e41dd89ece9af76afff84466e4fd10337c
                                                              • Instruction ID: 72c795696d2c841b9f576aa379f4a6895baa903078f6724a5e7c22bff044f407
                                                              • Opcode Fuzzy Hash: 8d2a23c9d2a0b49e6b0a3ad2eb0da3e41dd89ece9af76afff84466e4fd10337c
                                                              • Instruction Fuzzy Hash: EE216578A041014FDF26AB38E984B693769FB85324F108936D00DCF659EB3DDD4ACB92
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2651411f5e885fbd256317d887f8565bf2b928204f39eb4d253fe5cead8fcac8
                                                              • Instruction ID: 4578c987a1f5b344a67b91180de6a989b69bcdedcf8af81b602e212adcc6fb81
                                                              • Opcode Fuzzy Hash: 2651411f5e885fbd256317d887f8565bf2b928204f39eb4d253fe5cead8fcac8
                                                              • Instruction Fuzzy Hash: F2219F31B042058FEB14DB69C955BAE7BF6EF88710F208066E509EB3A0DAB5DD008B91
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 76e4c77083bd8f01d44a1ae6285a2b9cb79de695f4d0547e0ff84a1a29c4a35a
                                                              • Instruction ID: 23c92625a30854e6111d3e55d2fb89d66cbfa35dfae37db3e301db173d396c70
                                                              • Opcode Fuzzy Hash: 76e4c77083bd8f01d44a1ae6285a2b9cb79de695f4d0547e0ff84a1a29c4a35a
                                                              • Instruction Fuzzy Hash: AB214834A00205CFDB14EB78C959B9DB7F2FF49714B2044A9E40AEB3A1DB729D05DB91
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9cf39e0b315446f367c765f6d6c9346ad4681873e9a395da16c926ce9e472c61
                                                              • Instruction ID: 2e459fc7529880743a7487bd5039b1e614589d1207253b2c5a30fdbdd118cd9c
                                                              • Opcode Fuzzy Hash: 9cf39e0b315446f367c765f6d6c9346ad4681873e9a395da16c926ce9e472c61
                                                              • Instruction Fuzzy Hash: 41216531E042069BCB15DFA4D85469EF7B2AF89310F60C51AE819F7351DBB0AD45CB52
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6ebf8913d3a6b0a40977c48a4c04405942ced1632c11ab8a648bf0cd1a5053e4
                                                              • Instruction ID: f608a934a5f4bc53abf749c6fa18aaf5dffe5b84a9accb65975a8976c092dd78
                                                              • Opcode Fuzzy Hash: 6ebf8913d3a6b0a40977c48a4c04405942ced1632c11ab8a648bf0cd1a5053e4
                                                              • Instruction Fuzzy Hash: FE219034B00215CFDB14EB68C5247AE77F6BF49700F204469C10AEB250DB368C4AEBA2
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e22c4bff4459bb0e4724b4f9a7aa0887f84ed8a038ddea52466ef59854f80407
                                                              • Instruction ID: d491658ad74e01499916fef96e15cd58374e667fb3361a0bde25e153140acb35
                                                              • Opcode Fuzzy Hash: e22c4bff4459bb0e4724b4f9a7aa0887f84ed8a038ddea52466ef59854f80407
                                                              • Instruction Fuzzy Hash: 2A2162786041014FDB25AB38E984B693769FB84324F108A26D00DCF258EB2CDC4ACB92
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d28691ff2b57088665ab49f3ff754c4d59faf879b66adac3bc310751aa8d0a7c
                                                              • Instruction ID: 7064f0fcdb53450d96b8f9e3f77aee4f86f58b349dccf5caee1669a053af2bac
                                                              • Opcode Fuzzy Hash: d28691ff2b57088665ab49f3ff754c4d59faf879b66adac3bc310751aa8d0a7c
                                                              • Instruction Fuzzy Hash: AD217134B00205CFDB14EB78C5157AD77F2BF49710F204469D10AEB290DB369D4AEB92
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2bc2853bc69e5d8936b697002ba410a5dc15c52f3d048a97599a87a8fd963903
                                                              • Instruction ID: 46722f28b028eeb68df4df60217e106ca7085886ed21bd849ee5662c6c2dc5fe
                                                              • Opcode Fuzzy Hash: 2bc2853bc69e5d8936b697002ba410a5dc15c52f3d048a97599a87a8fd963903
                                                              • Instruction Fuzzy Hash: 9A211974B00205CFDB14EB78C959B9DB7F2EF49710B104469E40AEB3A1DB719D05DB91
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4524915205.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_e1d000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0854fa62ded36cce229456babfd229077738df46b1b160b8ca59dfa5b5b036a8
                                                              • Instruction ID: 97293a164d14958c2aa13fb396d92ff0e414b951a058da3145aae8ddc3c1f18d
                                                              • Opcode Fuzzy Hash: 0854fa62ded36cce229456babfd229077738df46b1b160b8ca59dfa5b5b036a8
                                                              • Instruction Fuzzy Hash: 7621837550D3808FC702CF24D994755BF71EB46314F28C5DAD8498B2A7C33A984ACB62
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4841edff7e0484b641022e1b4c9aaf5e4c767aa18da767f6bca111f2c147679
                                                              • Instruction ID: 382c79737e85fb6a88a0ca927d0d4bfc02252678b6c4c1e82925a748df11c09c
                                                              • Opcode Fuzzy Hash: a4841edff7e0484b641022e1b4c9aaf5e4c767aa18da767f6bca111f2c147679
                                                              • Instruction Fuzzy Hash: 85116071E003158BCB65EFB888415ADB7F4FF89320B1585BAE809EB241EB35DC45DB92
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e51c0721b20742f73f20f6ef83db60fc5982df7b04090dda5e18834511cca667
                                                              • Instruction ID: e9dc818159ae1fdc073bfca01394d9f3767645077be406a60d282fc5891691ec
                                                              • Opcode Fuzzy Hash: e51c0721b20742f73f20f6ef83db60fc5982df7b04090dda5e18834511cca667
                                                              • Instruction Fuzzy Hash: 5C11B230F00208CFDF64AA79D44472A3299EF85320F20897BD01ACF295DE29CC45ABD3
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9a073b6cfacc83ed12edd486e3f7e8a70e2d78bfd600e0638a81bd1468011b87
                                                              • Instruction ID: 70ec22311b88ae847d4c9937498cf65a796e63cf86a2a9d1fb7b4fe23a91a48f
                                                              • Opcode Fuzzy Hash: 9a073b6cfacc83ed12edd486e3f7e8a70e2d78bfd600e0638a81bd1468011b87
                                                              • Instruction Fuzzy Hash: 0911C430E01204DBDF255AB5980077A36A5DF81320F10C97BD55ECF286ED69CC44ABD3
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5a5fd2fafb557377fab9013d4e9de25e4f5f6ddc4fa68cf66b092bd748914924
                                                              • Instruction ID: b42d40abe7abecc48ead47672fa29b8e8142ed9f2131e636cea976577efbd856
                                                              • Opcode Fuzzy Hash: 5a5fd2fafb557377fab9013d4e9de25e4f5f6ddc4fa68cf66b092bd748914924
                                                              • Instruction Fuzzy Hash: E811A575F002159FCF20AB78980479F7BF6FB88750F20852BE94AD7344EB3589029B92
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e628ac38040f69df2bbcee2b80106adb95c1e2997be8874a3eef6c586934469f
                                                              • Instruction ID: a035effbb683a88fb0d254569a33563a4e9ded18afdbac190aca624187949120
                                                              • Opcode Fuzzy Hash: e628ac38040f69df2bbcee2b80106adb95c1e2997be8874a3eef6c586934469f
                                                              • Instruction Fuzzy Hash: 70012171E002158FCB25EFB8885119DB7E5FF49320B15447AE809EB201EB35DD45DB96
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 808798c650667500e490222646378900bdc93436a1a6b319b428a27ceff1da50
                                                              • Instruction ID: 19227c11d81426d7ed5f26b747803b1a08c226473ad68579b1d85d98d34633f2
                                                              • Opcode Fuzzy Hash: 808798c650667500e490222646378900bdc93436a1a6b319b428a27ceff1da50
                                                              • Instruction Fuzzy Hash: 5801B930A001048BDB14DF95E984B8ABBB9FF84310F54C179D80C5B29ADBB4ED45C791
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: da4b6d372220c131f928405cc84d5e5a7d11eec1c45a8bba1e87474c2ac6e788
                                                              • Instruction ID: 83edf4d74b78ae3052735ac70e01d382b0eacf72b3491ee7c48376ab12362e16
                                                              • Opcode Fuzzy Hash: da4b6d372220c131f928405cc84d5e5a7d11eec1c45a8bba1e87474c2ac6e788
                                                              • Instruction Fuzzy Hash: 09014F709141099FCB0AEFB8F991A9D7BB9EF80304F504278C409DB255EB759A49CB51
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e48e2c71e38c0bf3c2082eb9fb04a0304e21ad1a87623faeaefc652e176d5198
                                                              • Instruction ID: 4800ca1e5d485751dccf98d3e8795c86e4d52688292dd574315330d1082aad76
                                                              • Opcode Fuzzy Hash: e48e2c71e38c0bf3c2082eb9fb04a0304e21ad1a87623faeaefc652e176d5198
                                                              • Instruction Fuzzy Hash: 5DF0F673A04150CBDB368FAC98911ECBBA0FE8932171D80D7D84ADB652D724D80AE753
                                                              Memory Dump Source
                                                              • Source File: 00000007.00000002.4525366221.0000000000F70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F70000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_7_2_f70000_Q7bAgeTZB8vmku7.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b20b83d905bd1f7dce16c8606643626f4384df3f0fb0001e8b8390f03f861f24
                                                              • Instruction ID: 00914cda14f10463c32ee64e62c3fb7d922ed79587a4ddd2b876d4df42deeecd
                                                              • Opcode Fuzzy Hash: b20b83d905bd1f7dce16c8606643626f4384df3f0fb0001e8b8390f03f861f24
                                                              • Instruction Fuzzy Hash: 90F019709141099FCB09EFB8F981A9D7BB9EF80304F504678C4099B269EB75AA49DB81

                                                              Execution Graph

                                                              Execution Coverage:7.7%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:189
                                                              Total number of Limit Nodes:9

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 00B0D01E
                                                              • GetCurrentThread.KERNEL32 ref: 00B0D05B
                                                              • GetCurrentProcess.KERNEL32 ref: 00B0D098
                                                              • GetCurrentThreadId.KERNEL32 ref: 00B0D0F1
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2123685110.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_b00000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: c7572874fbd5608c5d343013c0d1a9360b5504c7b9fb3a6415b88b1bf6d40433
                                                              • Instruction ID: 9839d94d3e8f79572cca850e855251a93f629c4654362c2c1c8dc5a5f9610828
                                                              • Opcode Fuzzy Hash: c7572874fbd5608c5d343013c0d1a9360b5504c7b9fb3a6415b88b1bf6d40433
                                                              • Instruction Fuzzy Hash: B85146B0901349CFDB14DFA9D548B9EBBF5EF48304F208499D409A72A0D7789985CB65

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32 ref: 00B0D01E
                                                              • GetCurrentThread.KERNEL32 ref: 00B0D05B
                                                              • GetCurrentProcess.KERNEL32 ref: 00B0D098
                                                              • GetCurrentThreadId.KERNEL32 ref: 00B0D0F1
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2123685110.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_b00000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID: Current$ProcessThread
                                                              • String ID:
                                                              • API String ID: 2063062207-0
                                                              • Opcode ID: 1e30288f25f5cf23e681f2e3d4128ee1717714f657de922b440d7ee2c87fbfdc
                                                              • Instruction ID: 63d1e5de7c0e3a68fe237e9bc7968b18110a50239769e91238ee2c4074d480d9
                                                              • Opcode Fuzzy Hash: 1e30288f25f5cf23e681f2e3d4128ee1717714f657de922b440d7ee2c87fbfdc
                                                              • Instruction Fuzzy Hash: 7D5137B09013098FDB14DFA9D548B9EBFF5EF88314F208499E409A73A0D7789985CB65

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04F88176
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: bf818a4062d3c1caf0ba0bbea8e733a991879a8da35b7bb9ea12e8c47a9e22a0
                                                              • Instruction ID: f4f1e5687687545dc31e7471b2782b5b43f35ef4909a66537bcbb74068cac761
                                                              • Opcode Fuzzy Hash: bf818a4062d3c1caf0ba0bbea8e733a991879a8da35b7bb9ea12e8c47a9e22a0
                                                              • Instruction Fuzzy Hash: 7CA17D71D00619DFEB20EF68C8407DDBBB2FF44314F148569E858AB250DB75A986CF91

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 04F88176
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID: CreateProcess
                                                              • String ID:
                                                              • API String ID: 963392458-0
                                                              • Opcode ID: 3935cc54ea2cd7b1416fc3c10fa358d748b43d987f2c113da5c9a2bf4b93535e
                                                              • Instruction ID: 066e87a9a9bc127764b74f0de322d95d671ee721cbfe97ab0c52f84f9bf03aff
                                                              • Opcode Fuzzy Hash: 3935cc54ea2cd7b1416fc3c10fa358d748b43d987f2c113da5c9a2bf4b93535e
                                                              • Instruction Fuzzy Hash: 0D916C71D00619DFEB24EFA8C8407EDBBB2FF44314F148569E818AB250DB75A986CF91

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00B0AF5E
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2123685110.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_b00000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: afe29d3f1aabeffecfc1f551cee571f1e2b519da8598fd1df976047619061257
                                                              • Instruction ID: 47860e16a67bc96c89f0a1b9ce8ddc015fbb94738ebdfac2ff7d3d7efd368a59
                                                              • Opcode Fuzzy Hash: afe29d3f1aabeffecfc1f551cee571f1e2b519da8598fd1df976047619061257
                                                              • Instruction Fuzzy Hash: 24714570A00B058FDB24DF29D14175ABBF5FF88704F108A6ED48AD7A90DB74E949CB92

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 00B059A9
                                                              Memory Dump Source
                                                              • Source File: 00000008.00000002.2123685110.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_8_2_b00000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 5a616960adec69c797777c492cfa1844834c67018db7d4ad7d9e01caa1fe53bd
                                                              • Instruction ID: cd8ab1553cfb778f029606f0b27151ac5a805e1bc001db859004203467455071
                                                              • Opcode Fuzzy Hash: 5a616960adec69c797777c492cfa1844834c67018db7d4ad7d9e01caa1fe53bd
                                                              • Instruction Fuzzy Hash: 3A41F2B0D0071DCADB24DFA9C884BDEBBF5BF48304F20816AD418AB295DB756946CF90

Control-flow Graph

• Function at 00B044B0, calls CreateActCtxA (graph edge data not reproduced)
APIs
• CreateActCtxA.KERNEL32(?), ref: 00B059A9
Memory Dump Source
• Source File: 00000008.00000002.2123685110.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_b00000_ODIlHgaFNJ.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0

Control-flow Graph

• Function at 04F87CB8, calls WriteProcessMemory (graph edge data not reproduced)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04F87D48
Memory Dump Source
• Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0

Control-flow Graph

• Function at 04F87CB0, calls WriteProcessMemory (graph edge data not reproduced)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04F87D48
Memory Dump Source
• Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04F87E28
Memory Dump Source
• Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04F87B9E
Memory Dump Source
• Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04F87E28
Memory Dump Source
• Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04F87B9E
Memory Dump Source
• Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B0D677
Memory Dump Source
• Source File: 00000008.00000002.2123685110.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_b00000_ODIlHgaFNJ.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B0D677
Memory Dump Source
• Source File: 00000008.00000002.2123685110.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_b00000_ODIlHgaFNJ.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04F87C66
Memory Dump Source
• Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04F87C66
Memory Dump Source
• Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 00B0AF5E
Memory Dump Source
• Source File: 00000008.00000002.2123685110.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_b00000_ODIlHgaFNJ.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 04F8AD4D
Memory Dump Source
• Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 04F8AD4D
Memory Dump Source
• Source File: 00000008.00000002.2130486192.0000000004F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4f80000_ODIlHgaFNJ.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0

Execution Graph

Execution Coverage: 12.3%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 23
Total number of Limit Nodes: 4
• Execution graph rooted at 02D20848; its nodes call GlobalMemoryStatusEx (graph edge data not reproduced)
Memory Dump Source
• Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
Similarity
• API ID:
• String ID:
• API String ID:

Control-flow Graph (graph image omitted): function 2d26ee0-2d270f9; calls 2d26c48, 2d2638c and 2d27910.
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR]q$LR]q
                                                              • API String ID: 0-3917262905

Control-flow Graph (graph image omitted): function 60fe190-60fe31d; calls 60fd350, 60fd35c and GlobalMemoryStatusEx.
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4535162706.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_60f0000_ODIlHgaFNJ.jbxd

Control-flow Graph (graph image omitted): function 60fe278-60fe31d; calls GlobalMemoryStatusEx.
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE(8B550528), ref: 060FE2DF
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4535162706.00000000060F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060F0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_60f0000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PH]q
                                                              • API String ID: 0-3168235125
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR]q
                                                              • API String ID: 0-3081347316
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LR]q
                                                              • API String ID: 0-3081347316
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cd716ae93c841e505ad8818c1fd9ab17874711e1628f4c94dcfc55626c5f48e2
                                                              • Instruction ID: 554049816349bc3b956660f2c7847dff4f76a776bb3a18cc6d839fb474b2ebef
                                                              • Opcode Fuzzy Hash: cd716ae93c841e505ad8818c1fd9ab17874711e1628f4c94dcfc55626c5f48e2
                                                              • Instruction Fuzzy Hash: A341EFB0D002499FDB10DFA9C584ADEBFF5FF48314F108429E809AB254DB75A949CB90
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e89bc0aa729fce0d7d0f3eeb96b91f8ac01617680bca5785b40b069e0ecceebf
                                                              • Instruction ID: 33f5859716b2ce629b1a1f4317f892c084fdde3e1c8c2b1e7030e6485c847088
                                                              • Opcode Fuzzy Hash: e89bc0aa729fce0d7d0f3eeb96b91f8ac01617680bca5785b40b069e0ecceebf
                                                              • Instruction Fuzzy Hash: 02316B30A00235CFDB19EB74DA14A9D73F6AF58348F600568D506AB394DB36DC8ACBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 104ae4de4ecd07fd537b01ebe76033a5d6192bf0cc5b5cd7d6a316a199c2cc6a
                                                              • Instruction ID: fc923ea0141ac42a629e4bda4cb529daf455000556ad68f7b59006c16bd122a1
                                                              • Opcode Fuzzy Hash: 104ae4de4ecd07fd537b01ebe76033a5d6192bf0cc5b5cd7d6a316a199c2cc6a
                                                              • Instruction Fuzzy Hash: 6F31D130E002158BDB09DFA4D5907DEB7B2FF99304F20C61AE845AB384DB709D4ACB80
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 979476268e359ac22516eccbdf4bf5ece3be00ff471cc9429e16464405bdd6fd
                                                              • Instruction ID: e18512ea8cb0e6419cd1ef74b164697dc3038964f5f9304b9d52b81b615e1a23
                                                              • Opcode Fuzzy Hash: 979476268e359ac22516eccbdf4bf5ece3be00ff471cc9429e16464405bdd6fd
                                                              • Instruction Fuzzy Hash: CA216F30E102199BDB05CFA5D5946DEB7B2BF89304F20C619E845AB394DB719C46CB91
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ff1db8cc5cdf970b8fe69d36bcddcd4f0be313df9bab2b38aa9c7a6c37a09bec
                                                              • Instruction ID: a1931456d9e431022ddd4b5cb7e510be59de083b032a744a78abf976e62abe2e
                                                              • Opcode Fuzzy Hash: ff1db8cc5cdf970b8fe69d36bcddcd4f0be313df9bab2b38aa9c7a6c37a09bec
                                                              • Instruction Fuzzy Hash: B221D570A002614BEF312B65E5883293B26EB1331DF104975F54ECB392DB2ACC8AC782
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cf22d5b8bef30e32a332910ec5144b7b89bf27fcf7dba90eb942e9b0892a92a6
                                                              • Instruction ID: 88d55cd659a450ee3aa7bc24c13381b4824e0cfb1af205b0badc0731f883d1d4
                                                              • Opcode Fuzzy Hash: cf22d5b8bef30e32a332910ec5144b7b89bf27fcf7dba90eb942e9b0892a92a6
                                                              • Instruction Fuzzy Hash: 2021C430E042259BDB15CFA4D8646DEFBB2AF99304F60C519E815B7381DB709D4ACB51
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5886916ff50ae4aaf70688368883e8af474e9e6db08de86b7a6f4bda5f5d0311
                                                              • Instruction ID: a8e5bf2d98fa5922d0e80084e680842394a445a4774442b9c71237c51544829f
                                                              • Opcode Fuzzy Hash: 5886916ff50ae4aaf70688368883e8af474e9e6db08de86b7a6f4bda5f5d0311
                                                              • Instruction Fuzzy Hash: 2B21C5346001219FDF22AB75E944B19376AEB9131DF108A75D009CB3BADB35DD89CB91
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4525170943.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_f0d000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e8a30c3b0faf88a2f135c2f5db2b262f592ad679a6fabecc646c3265eec19e56
                                                              • Instruction ID: 151771456da49892dd856b03a6aeae6c63eafb4da0ecfe842264b08d22ff3b74
                                                              • Opcode Fuzzy Hash: e8a30c3b0faf88a2f135c2f5db2b262f592ad679a6fabecc646c3265eec19e56
                                                              • Instruction Fuzzy Hash: 61212271604204DFDB14DF94D980B26BBA5FB84324F20C569E80E0B29AC33AD806EA62
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4525170943.0000000000F0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F0D000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_f0d000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9989d26b5f584db9ea258f8a0b4b7effe76cba8b6ecc5248327eb4743cf534ed
                                                              • Instruction ID: c1a23d2e186738d1f34bfc7272d1118ec39fe09752a8464fe60aa6a4aba1d0dc
                                                              • Opcode Fuzzy Hash: 9989d26b5f584db9ea258f8a0b4b7effe76cba8b6ecc5248327eb4743cf534ed
                                                              • Instruction Fuzzy Hash: C0215C7150D3C09FC703CB64D994711BF71EB46224F29C5EBD8898F2A7C23A980ADB62
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2345ab21b483844547def1c53050d1931a09ce4a4d2c61efac19d778ec5d4598
                                                              • Instruction ID: 5d6c53235c5bc97d41d2236023edb21ca59b6f086afabacc14089add9fde2090
                                                              • Opcode Fuzzy Hash: 2345ab21b483844547def1c53050d1931a09ce4a4d2c61efac19d778ec5d4598
                                                              • Instruction Fuzzy Hash: 4F212B346002198FDB18EB78DA58B9D7BF1EF8D308B2144A8E506EB360DB36DD45DB90
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 973d41f61c4753305e0690661987dccb44d5e8849714049322f83bee3769d081
                                                              • Instruction ID: 3c403facfcad648c0bcb2bf5078f0b61f9942075c129883d1b923856c2ec0fd2
                                                              • Opcode Fuzzy Hash: 973d41f61c4753305e0690661987dccb44d5e8849714049322f83bee3769d081
                                                              • Instruction Fuzzy Hash: D7218330E002299BDB15CFA5C8546DEB7B2EF99304F60C519E815B7380DB70AD46CB51
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3355b2d9aef6ee1b68c094d71b47ab1a443d481fd0088b73a30afd9ccc299ed
                                                              • Instruction ID: 6785539a7cc024c2a9aeeade2b781875ee809d37485d890e2eff3c5798ab4724
                                                              • Opcode Fuzzy Hash: a3355b2d9aef6ee1b68c094d71b47ab1a443d481fd0088b73a30afd9ccc299ed
                                                              • Instruction Fuzzy Hash: 60113835F002629FCF206B7998043AE7BE6EB88614F108966E90EC3345EB35CC56C780
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0cc626765f095fda36cc8c1f99a15f4acb9396bdb95a23fb678a3f7552632a6b
                                                              • Instruction ID: 851678b7f91550863ba99349e28c150a8acf14ea25796f5e1c44d8faa73757f0
                                                              • Opcode Fuzzy Hash: 0cc626765f095fda36cc8c1f99a15f4acb9396bdb95a23fb678a3f7552632a6b
                                                              • Instruction Fuzzy Hash: 76216071A002648FCB259F7884502AD7BF5EB69319F1484B9D94DEB342E735CC46CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 77091dbfc1fa7e2ef0ae035832b2763098bc1ded504c84aa66a4f2dc572d0623
                                                              • Instruction ID: a071b21de3fe75d1aa53908022f1d64d3b409c3c8c9c7c54871afbdf74968c53
                                                              • Opcode Fuzzy Hash: 77091dbfc1fa7e2ef0ae035832b2763098bc1ded504c84aa66a4f2dc572d0623
                                                              • Instruction Fuzzy Hash: A1213B34B00229CFDB14EB68C6546AD77F6AB99308F204468C10AFB351DB36DD49CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7d866b8be0c1078b4bc655e91a2a95884b4ebebe38bba480a2da91f0a2e8285a
                                                              • Instruction ID: 2c2de147af0974fbc06fe6c5df66a44d3151013c6f9659148738c0eb65691796
                                                              • Opcode Fuzzy Hash: 7d866b8be0c1078b4bc655e91a2a95884b4ebebe38bba480a2da91f0a2e8285a
                                                              • Instruction Fuzzy Hash: 30210C34A00225CFDB24DB74C5597AD77B2AB59708F204568C10AEB392DB36DD49CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d7ee4111dad6e569a6cf0e8900177ba221274cac216e855063ca5a80f73aad5b
                                                              • Instruction ID: f0e1e3e7e704ce3c027e1f379d469af97769be6076515c3d90198fe0496a9363
                                                              • Opcode Fuzzy Hash: d7ee4111dad6e569a6cf0e8900177ba221274cac216e855063ca5a80f73aad5b
                                                              • Instruction Fuzzy Hash: 6721A4346001219FDF15EB75F944B19375AEB9131DF108A21E009C7369EB25DD89CB91
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 22a87661bbc8463f2a1e4b64c09bcaa66e79f4e5187c64c82e676a9fab6c327a
                                                              • Instruction ID: 75a8aa5c5aace284fad2b7bb4c3be40efcea47d9a844a5f49f3f030e33c667a9
                                                              • Opcode Fuzzy Hash: 22a87661bbc8463f2a1e4b64c09bcaa66e79f4e5187c64c82e676a9fab6c327a
                                                              • Instruction Fuzzy Hash: A5210A346001198FDB18EB78DA59B9D77F1EB8D308F204468E506E73A0DB36DD44DB90
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3d69046d7efdccdaccb3aa0bcaa506cb6eab6ec99e21897ec471a2a0f1dbbfd0
                                                              • Instruction ID: 39253191f18956c494ba50e616b4ca8186a270b51da551578767bf5801732b48
                                                              • Opcode Fuzzy Hash: 3d69046d7efdccdaccb3aa0bcaa506cb6eab6ec99e21897ec471a2a0f1dbbfd0
                                                              • Instruction Fuzzy Hash: 87118230B002248BDF54AA7AD51472BB699EBA531AF104979E006DB355DB25CC89CBD1
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 481e7d5f74d72f7e1a2f1f24f27938850879d6f916cec7c72dfd17a7ea0d1b4e
                                                              • Instruction ID: 540dc1746221d19aafbb9391b978f68cf06b144ad878758ec33c78d34ade5440
                                                              • Opcode Fuzzy Hash: 481e7d5f74d72f7e1a2f1f24f27938850879d6f916cec7c72dfd17a7ea0d1b4e
                                                              • Instruction Fuzzy Hash: 3A112730B042248FDF256AB5A40472FB795EBB131EF10497AD046DB381DB25CC89CBD1
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 34f7f010e8aeae453071d5fa0163dadce6db436bc85f8fc33b7b88988820687f
                                                              • Instruction ID: 02b7ee34c146cb2ac1980209b9aaed8b631f839bee77e0d24567c278c355819e
                                                              • Opcode Fuzzy Hash: 34f7f010e8aeae453071d5fa0163dadce6db436bc85f8fc33b7b88988820687f
                                                              • Instruction Fuzzy Hash: F011E330A002A69FDB41DB38C85479ABBB5AF06348F0481D9E444DB7A2D770DA4ECB91
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c3e48b05bc58c866914243dcd79d57a80a13e30d0bce616538b5f17319a1d000
                                                              • Instruction ID: 8191e910245af0f860f519b1374ad785507e450867c81779068ade879e8395bc
                                                              • Opcode Fuzzy Hash: c3e48b05bc58c866914243dcd79d57a80a13e30d0bce616538b5f17319a1d000
                                                              • Instruction Fuzzy Hash: 20014071A002248FCF25EFB884502AD7BF9EF68219F1554B9D80AE7341E735DD46CBA1
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0b43b29e7472a676c3566738d4f72754128819546c882cc3b6c4fc830d4df411
                                                              • Instruction ID: 6e7772d1f04f673e12908f75b94abeeea81589c14c2ceed72e57b1ebe1c22761
                                                              • Opcode Fuzzy Hash: 0b43b29e7472a676c3566738d4f72754128819546c882cc3b6c4fc830d4df411
                                                              • Instruction Fuzzy Hash: 3501AD34A102299FDB40EF79C844BAAB7F5BF05308F0080A9E844C73A0DB70DE49CB40
                                                              Memory Dump Source
                                                              • Source File: 0000000D.00000002.4527004641.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_13_2_2d20000_ODIlHgaFNJ.jbxd