Windows Analysis Report
z81zEuzkJPHHV3KYua.exe

Overview

General Information

Sample name: z81zEuzkJPHHV3KYua.exe
Analysis ID: 1560298
MD5: 1b4a6383c2a9b4fd9d1c2ba270800a49
SHA1: ae5c4b7b0a37b4d1c8b65d13417257b29cd2188e
SHA256: cd60ea86b574b6b511ce6a6aff1314ce71b1953e169792e3e76a36913e85ea23
Tags: exe, user-Porcupine

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • z81zEuzkJPHHV3KYua.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe" MD5: 1B4A6383C2A9B4FD9D1C2BA270800A49)
    • powershell.exe (PID: 7468 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7736 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • z81zEuzkJPHHV3KYua.exe (PID: 7476 cmdline: "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe" MD5: 1B4A6383C2A9B4FD9D1C2BA270800A49)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration:
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.apexrnun.com", "Username": "testlab@apexrnun.com", "Password": "%qroUozO;(C2Rlyb"}
Yara matches in memory dumps (Source | Rule | Description | Author):
00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.2938171995.0000000002E51000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000002.00000002.2938171995.0000000002E01000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(5 of 8 entries shown)

Yara matches in unpacked PEs (Source | Rule | Description | Author):
0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x32363:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x323d5:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3245f:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x324f1:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3255b:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x325cd:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32663:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x326f3:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 of 13 entries shown)
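The INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID hits above match the eight Windows vault schema GUIDs that credential stealers reference when they enumerate the Credential Manager. The Python below is an added example, not the Yara rule's own code nor anything from the sample: it searches a memory dump or unpacked PE for those GUIDs in both ASCII and UTF-16LE form, which matters because .NET user strings are stored as UTF-16LE and an ASCII-only search misses them. The buffer it scans is constructed, the match is case-insensitive (looser than a literal Yara string), and the "MZ plus at least three GUIDs" condition is an assumption, not a copy of the rule's condition.

```python
"""Added example, not the Yara rule's or the sample's code: scan a buffer for the
eight Windows vault schema GUIDs listed in this report, as ASCII and as UTF-16LE
('wide'). The sample buffer is constructed; the condition threshold is assumed."""
import re

# GUIDs exactly as listed in the report's Yara string matches ($s1..$s8).
VAULT_SCHEMA_GUIDS = [
    "2F1A6504-0641-44CF-8BB5-3612D865F2E5",
    "3CCD5499-87A8-4B10-A215-608888DD3B55",
    "154E23D0-C644-4E6F-8CE6-5069272F999F",
    "4BF4C442-9B8A-41A0-B380-DD4A704DDB28",
    "77BC582B-F0A6-4E15-4E80-61736B6F3B29",
    "E69D7838-91B5-4FC9-89D5-230D4D4CC2BC",
    "3E0E35BE-1B77-43E7-B873-AED901B6275B",
    "3C886FF3-2669-4AA2-A8FB-3F6759A77548",
]


def _patterns(guid: str, wide: bool) -> list:
    """ASCII and, optionally, UTF-16LE regexes for one GUID. Case-insensitive,
    which is looser than the literal Yara string but catches lowercased copies."""
    pats = [re.compile(re.escape(guid.encode()), re.IGNORECASE)]
    if wide:
        # Each ASCII character followed by a NUL byte is the UTF-16LE form.
        wide_pat = b"".join(re.escape(bytes([c])) + b"\x00" for c in guid.encode())
        pats.append(re.compile(wide_pat, re.IGNORECASE))
    return pats


def scan_vault_guids(buf: bytes, wide: bool = True) -> dict:
    """Return {guid: [offsets]} for each GUID present in buf in either encoding."""
    hits = {}
    for guid in VAULT_SCHEMA_GUIDS:
        offsets = sorted(m.start() for p in _patterns(guid, wide) for m in p.finditer(buf))
        if offsets:
            hits[guid] = offsets
    return hits


def rule_fires(buf: bytes, min_hits: int = 3) -> bool:
    """Assumed approximation of the rule's condition: a PE 'MZ' header and at
    least min_hits distinct GUIDs. Tune min_hits to the rule you actually deploy."""
    return buf[:2] == b"MZ" and len(scan_vault_guids(buf)) >= min_hits


def _wide(s: str) -> bytes:
    return s.encode("utf-16le")


# Constructed buffer standing in for an unpacked .NET PE: DOS header magic, a
# #US-style heap holding two GUIDs as UTF-16LE (one lowercased), one GUID as ASCII.
SAMPLE_BUFFER = (
    b"MZ" + b"\x00" * 62
    + b"#US" + _wide(VAULT_SCHEMA_GUIDS[0]) + b"\x00\x00"
    + _wide(VAULT_SCHEMA_GUIDS[3].lower()) + b"\x00\x00"
    + VAULT_SCHEMA_GUIDS[6].encode() + b"\x00"
    + b"\x90" * 16
)

if __name__ == "__main__":
    for guid, offs in scan_vault_guids(SAMPLE_BUFFER).items():
        print(f"{guid} at {[hex(o) for o in offs]}")
    print("ascii-only hits:", len(scan_vault_guids(SAMPLE_BUFFER, wide=False)))
    print("rule fires:", rule_fires(SAMPLE_BUFFER))
```

Running it against a real memory dump (`scan_vault_guids(open(path, "rb").read())`) gives the same offset list Joe Sandbox prints for `$s1`..`$s8`; the ASCII-only run finds a single GUID in the constructed buffer, which is exactly the gap a rule without `wide` would leave on a .NET sample.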

                    System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe", ParentImage: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe, ParentProcessId: 7404, ParentProcessName: z81zEuzkJPHHV3KYua.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe", ProcessId: 7468, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe", ParentImage: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe, ParentProcessId: 7404, ParentProcessName: z81zEuzkJPHHV3KYua.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe", ProcessId: 7468, ProcessName: powershell.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 185.196.9.150, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe, Initiated: true, ProcessId: 7476, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49731
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe", ParentImage: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe, ParentProcessId: 7404, ParentProcessName: z81zEuzkJPHHV3KYua.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe", ProcessId: 7468, ProcessName: powershell.exe
                    No Suricata rule has matched


                    AV Detection

Source: 2.2.z81zEuzkJPHHV3KYua.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.apexrnun.com", "Username": "testlab@apexrnun.com", "Password": "%qroUozO;(C2Rlyb"}
Source: z81zEuzkJPHHV3KYua.exe | ReversingLabs: Detection: 42%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: z81zEuzkJPHHV3KYua.exe | Joe Sandbox ML: detected
Source: z81zEuzkJPHHV3KYua.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: z81zEuzkJPHHV3KYua.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: jflX.pdbSHA256 | source: z81zEuzkJPHHV3KYua.exe
Source: Binary string: jflX.pdb | source: z81zEuzkJPHHV3KYua.exe

                    Networking

Source: Yara match | File source: 2.2.z81zEuzkJPHHV3KYua.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49731 -> 185.196.9.150:587
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 185.196.9.150
Source: unknown | DNS query: name: ip-api.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: mail.apexrnun.com
Source: z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.apexrnun.com
Source: z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000101D000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2942075233.0000000006468000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000102E000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/02
Source: z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000101D000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2942075233.0000000006468000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000102E000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1697345336.0000000002A03000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000101D000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2942075233.0000000006468000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000102E000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000101D000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2942075233.0000000006468000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000102E000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
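Two network behaviours in this section are worth turning into checks. The injected child (PID 7476) opens TCP 587 to 185.196.9.150, the extracted SMTP exfiltration host, which is what the "Suspicious Outbound SMTP Connections" Sigma rule keys on: a process that is not a mail client talking SMTP. Before that, the sample fetches http://ip-api.com/line/?fields=hosting with no User-Agent header, asking whether its public IP belongs to a hosting provider, which is how it decides it is probably inside a sandbox or data center. The Python below is an added example, not code from Joe Sandbox, Sigma or the sample: it runs both checks over constructed Sysmon EventID 3 records and proxy log lines. The mail-client allowlist, the proxy log layout and the sample's exact reaction to the reply are assumptions.

```python
"""Added example, not Joe Sandbox, Sigma or AgentTesla code: two network checks
taken from this report, run over constructed records."""
import re
from urllib.parse import parse_qs, urlsplit

SMTP_PORTS = {25, 465, 587, 2525}
# Assumed allowlist of images that legitimately speak SMTP; extend for your estate.
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


def suspicious_smtp(events: list) -> list:
    """Sysmon EventID 3 records -> [(ProcessId, DestinationIp, DestinationPort)]
    for outbound TCP to an SMTP port from a non-mail image."""
    hits = []
    for ev in events:
        if ev["EventID"] != 3 or ev["Protocol"] != "tcp" or not ev["Initiated"]:
            continue
        if ev["DestinationPort"] not in SMTP_PORTS:
            continue
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image in MAIL_CLIENTS:
            continue
        hits.append((ev["ProcessId"], ev["DestinationIp"], ev["DestinationPort"]))
    return hits


# Assumed proxy log layout: client METHOD url "user-agent" (empty quotes = no UA).
PROXY_LINE = re.compile(r'^(?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def hosting_lookups(proxy_lines: list) -> list:
    """Return (client, user_agent_missing) for every ip-api.com request that
    asks for the 'hosting' field, whatever endpoint or extra fields it uses."""
    found = []
    for line in proxy_lines:
        m = PROXY_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.hostname != "ip-api.com":
            continue
        fields = parse_qs(url.query).get("fields", [])
        if any("hosting" in f.split(",") for f in fields):
            found.append((m["client"], m["ua"] == ""))
    return found


def sample_would_abort(reply_body: str) -> bool:
    """What the sample decides from the reply: ip-api's /line/ format returns one
    value per requested field, so a body of 'true' means the egress IP is a
    hosting/data-center range and the sample treats the host as an analysis box
    (reply format and the sample's exact reaction are assumptions)."""
    return reply_body.strip().lower() == "true"


# Constructed records. The first event mirrors the Sigma hit in this report;
# 203.0.113.5 is a documentation address standing in for a real mail server.
SAMPLE_EVENTS = [
    {"EventID": 3, "ProcessId": 7476, "Image": r"C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe",
     "Protocol": "tcp", "Initiated": True, "DestinationIp": "185.196.9.150", "DestinationPort": 587},
    {"EventID": 3, "ProcessId": 4120, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "Protocol": "tcp", "Initiated": True, "DestinationIp": "203.0.113.5", "DestinationPort": 587},
    {"EventID": 3, "ProcessId": 7476, "Image": r"C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe",
     "Protocol": "tcp", "Initiated": True, "DestinationIp": "208.95.112.1", "DestinationPort": 80},
    {"EventID": 3, "ProcessId": 9001, "Image": r"C:\Windows\System32\svchost.exe",
     "Protocol": "tcp", "Initiated": False, "DestinationIp": "192.168.2.4", "DestinationPort": 25},
]
SAMPLE_PROXY = [
    '192.168.2.4 GET http://ip-api.com/line/?fields=hosting ""',
    '192.168.2.4 GET http://ip-api.com/json/?fields=country,hosting "Mozilla/5.0"',
    '192.168.2.7 GET http://example.com/ "curl/8.0"',
]

if __name__ == "__main__":
    print("suspicious SMTP:", suspicious_smtp(SAMPLE_EVENTS))
    print("hosting lookups:", hosting_lookups(SAMPLE_PROXY))
    print("sample aborts on 'true':", sample_would_abort("true\n"))
```

The SMTP check deliberately ignores the inbound svchost.exe record (Initiated is false) and the browser-style ip-api request with a User-Agent is still reported, just flagged as having one; in practice the combination of a hosting lookup followed within seconds by port 587 from the same non-mail process is the sequence to alert on, since it reproduces this sample's behaviour end to end.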

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, SKTzxzsJw.cs | .Net Code: _17HhIAJY
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.raw.unpack, SKTzxzsJw.cs | .Net Code: _17HhIAJY

                    System Summary

Source: 0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.z81zEuzkJPHHV3KYua.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 0_2_00C9D55C
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 0_2_04EC67E0
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 0_2_04EC67D3
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 0_2_04ECD789
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 0_2_04EC0040
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 0_2_04EC001F
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 0_2_04ECC154
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 0_2_04ECEC40
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_02BF4AC0
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_02BFA8A8
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_02BF3EA8
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_02BFEC18
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_02BFAD00
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_02BF41F0
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_0694C2F8
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_0694A854
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_069565C0
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_06955568
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_0695B208
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_06952350
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_0695C148
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_06957D50
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_06957670
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_0695E378
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_06950040
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_06955CC8
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_06950006
Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec8656b0c-2aa3-4d56-9386-3f68d83183ee.exe4 vs z81zEuzkJPHHV3KYua.exe
Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs z81zEuzkJPHHV3KYua.exe
Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1709916605.00000000053D0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs z81zEuzkJPHHV3KYua.exe
Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1696176273.0000000000CAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs z81zEuzkJPHHV3KYua.exe
Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1709429831.0000000004FB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs z81zEuzkJPHHV3KYua.exe
Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1710849746.0000000005F20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs z81zEuzkJPHHV3KYua.exe
Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1697345336.0000000002A03000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec8656b0c-2aa3-4d56-9386-3f68d83183ee.exe4 vs z81zEuzkJPHHV3KYua.exe
Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000000.1684187952.000000000064E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamejflX.exe: vs z81zEuzkJPHHV3KYua.exe
Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1697345336.0000000002991000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs z81zEuzkJPHHV3KYua.exe
Source: z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2935688677.000000000043E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamec8656b0c-2aa3-4d56-9386-3f68d83183ee.exe4 vs z81zEuzkJPHHV3KYua.exe
Source: z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936117288.0000000000EF8000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs z81zEuzkJPHHV3KYua.exe
Source: z81zEuzkJPHHV3KYua.exe | Binary or memory string: OriginalFilenamejflX.exe: vs z81zEuzkJPHHV3KYua.exe
Source: z81zEuzkJPHHV3KYua.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.z81zEuzkJPHHV3KYua.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: z81zEuzkJPHHV3KYua.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, GyoxbTL0R84sRAmXa1.cs | Security API names: _0020.SetAccessControl
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, GyoxbTL0R84sRAmXa1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, GyoxbTL0R84sRAmXa1.cs | Security API names: _0020.AddAccessRule
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, GyoxbTL0R84sRAmXa1.cs | Security API names: _0020.SetAccessControl
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, GyoxbTL0R84sRAmXa1.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, GyoxbTL0R84sRAmXa1.cs | Security API names: _0020.AddAccessRule
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, PkbD1yF27iOcdZlfR9.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, PkbD1yF27iOcdZlfR9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, PkbD1yF27iOcdZlfR9.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, PkbD1yF27iOcdZlfR9.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/6@2/2
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\z81zEuzkJPHHV3KYua.exe.log
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7484:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sgzowy5q.hul.ps1
Source: z81zEuzkJPHHV3KYua.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: z81zEuzkJPHHV3KYua.exeReversingLabs: Detection: 42%
                    Source: unknownProcess created: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeProcess created: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeProcess created: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"Jump to behavior
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: z81zEuzkJPHHV3KYua.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: z81zEuzkJPHHV3KYua.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: z81zEuzkJPHHV3KYua.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: jflX.pdbSHA256 source: z81zEuzkJPHHV3KYua.exe
Source: Binary string: jflX.pdb source: z81zEuzkJPHHV3KYua.exe

Data Obfuscation

Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, GyoxbTL0R84sRAmXa1.cs | .Net Code: WeNBI59F1e System.Reflection.Assembly.Load(byte[])
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, GyoxbTL0R84sRAmXa1.cs | .Net Code: WeNBI59F1e System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_06945C95 push esp; retf 2_2_06945CB4
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_06945C88 push esp; retf 2_2_06945C94
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_06945C60 push esp; retf 2_2_06945C74
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_06943D70 push ebp; retf 2_2_06943DDD
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_071227CD push dword ptr [ecx+ecx-75h]; iretd 2_2_071227D3
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_0712297E push esi; retf 2_2_0712297F
Source: z81zEuzkJPHHV3KYua.exe | Static PE information: section name: .text entropy: 7.836147110785658
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, EgjJWuawUV8VIQli6e.cs | High entropy of concatenated method names: 'ToString', 'Be1AimkqOZ', 'p9fAhOOqdF', 'JWaAvaXGQY', 'PfFA63IAsf', 'SFmAJbtWDm', 'dANApQRgCl', 'LscAwp0lEu', 'fOHA8kCyuI', 'GeqAmSmD7D'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, TCYKLZmB9cy4gbvfkU.cs | High entropy of concatenated method names: 'KTZgsb7RYg', 'wRlgrBY7ZY', 'abFgIxrLMH', 'iuOg0jQpGJ', 'x6lgc5LeDD', 'is8gGFteFP', 'd4QgOMCKaU', 'CQ5gFa3JFh', 'F2qgYeArKB', 'BrIglrNdvH'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, WHeJVtWHd25a3jo1ZT.cs | High entropy of concatenated method names: 'Dispose', 'mPVPQHFjsZ', 'uvXEhJHj2K', 'x1DcPif94i', 'nK4PMgq3pe', 'QBXPzj9wbP', 'ProcessDialogKey', 'W7AEVaPiR9', 'nyMEPh6cZ7', 'AVyEEcFXeY'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, N2BexxPBx348bC9BET6.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WqQHfIvClV', 'vW4HSvtZgh', 'u1vHjGh3RX', 'pjsHHGRyTP', 'G18HTbwQq1', 'qO5H4eUbgV', 'JgPH2QdBt3'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, xFMHSNtZposDeqssmL.cs | High entropy of concatenated method names: 'JDTDywNCwV', 'xllDMqN44p', 'irhdVGawiu', 'wUqdPjFDTg', 'AodDi3SOfP', 'BLPDnIFwZQ', 'djkDUSBUSD', 'vlADZh42g6', 'MWFDoZsTNB', 'oHtDaaWvv6'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, PkbD1yF27iOcdZlfR9.cs | High entropy of concatenated method names: 'molWZkwBEg', 'PhNWoUO2l6', 'gaAWaAdCWm', 'hfCWCMRySO', 'r5tWqIiMyR', 'NYBWtf3ePs', 'M7RWNby2QN', 'SKAWyyMIhZ', 'sU9WQOward', 'ANCWMngjM9'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, P2L4oBNXs9PVHFjsZ9.cs | High entropy of concatenated method names: 'BfSf15DM0F', 'tFsfDD0MRu', 'akCffUUH7y', 'txcfjEXQRF', 'DUhfTBrpcb', 'Fhpf2GWb0G', 'Dispose', 'i4ud7ORBy3', 'MTldWHp9NE', 'XqEd3CqstS'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, fO1oFSKTWOXP51qUpW.cs | High entropy of concatenated method names: 'eGxexlYwIh', 'VLTeWYLUv6', 'PQFe5kpt4X', 'CrMegvuXLo', 'hQGeLPE5En', 'qGo5q6vrwF', 'yIj5tpZnjU', 'WPv5NaNSR4', 'w815yRLQKY', 'jW35QT18un'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, JW0klpPPgdnUeqsFK6t.cs | High entropy of concatenated method names: 'gHYSMKW87Q', 'S1ySzKLpkW', 'bPejVEvUnZ', 'o5ojPN85M4', 'KkYjEEnLXB', 'XCajbu6WZV', 'E2mjBXTVQP', 'rkZjxYE6Kq', 'B8Cj7IPaaW', 'BndjWWKayV'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, OgeqsaUZ6PTppij1Gt.cs | High entropy of concatenated method names: 'a92XFW0Zra', 'ViNXY2OGjL', 'mAoXK6USFo', 'jtLXha4JZw', 'maTX6bxNcg', 'XJDXJn33sf', 'uBmXw2pmRW', 'fR2X8JBGDh', 'C6QXR9xVW4', 'QmQXi1rOX3'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, zh22NKzsIUSB6yRCT4.cs | High entropy of concatenated method names: 'lqmSGdGfYG', 'SQsSFldY2B', 'fLBSYxeajx', 'H8LSKtgOQ2', 'nDQSh8AS8g', 'gDdS6LAj57', 'tGlSJBm59i', 'TjhS2PqmEb', 'XlySsBEQTg', 'V5KSr7bT4M'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, fu2cAZE15HapJxOXFl.cs | High entropy of concatenated method names: 'aNaIqht85', 'fYW01PF7n', 'KLwGZCCu0', 'zjGOQiOdu', 'j6EYqDR9I', 'pselhQDH4', 'zDOlGBb6lcbcxJYv03', 'uPW0o1iednuAUgQElc', 'xhMdaQnkc', 'hcdSOlL1p'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, AFXeYmMRES0FjcYCY4.cs | High entropy of concatenated method names: 'Y2KS3FXSHd', 'WfUS5ub68T', 'xEGSeqcNFf', 'f2xSgEtm9w', 'Oo7SfVn7p0', 'QfqSLbDqxJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, qn9GZHwXA1UA5E0qFA.cs | High entropy of concatenated method names: 'yqcg7B4Tgw', 'Tlkg3XgsEv', 'f1IgeYS5HX', 'HhMeM7Ii3f', 'jZsezLnD1m', 'NG2gV64BIH', 'stngPcVWiH', 'cPtgE4iwKo', 'zqxgbiqbHd', 'uXhgBgGkK5'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, paPiR9Q9yMh6cZ70Vy.cs | High entropy of concatenated method names: 'nOGfKReCHp', 'PKcfha5wxb', 'pyvfv74qjs', 'gaXf6nIff0', 'cGafJgGRa6', 'zJ7fpZCtam', 'VfnfwKHgRg', 'EXnf8yojQV', 'BHZfmAe5q3', 'rj1fRAJe9k'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, GyoxbTL0R84sRAmXa1.cs | High entropy of concatenated method names: 'I53bxvSS7Y', 'b5Bb74L4eu', 'jGwbWF2SOu', 'NEHb3vPTiZ', 'HiQb5IcCHt', 'zmpbebJV6g', 'V5obgRWT4b', 'beubLk8ZrZ', 'q60buG55cg', 'i6pbkbabcW'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, rqAGhtBXPQH2N5PTAg.cs | High entropy of concatenated method names: 'AKnPgkbD1y', 'x7iPLOcdZl', 'ipUPk9VGVE', 'd62P9YQyfQ', 'tswP1qN7O1', 'SFSPATWOXP', 'UOEEYQE2mCuDv70uls', 'eiyxJfZBxHqLnoH0Ct', 'FgvPPjvGgK', 'tKTPbmJrCL'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.5f20000.5.raw.unpack, pGmfDeYpU9VGVEb62Y.cs | High entropy of concatenated method names: 'AjQ30V7ofl', 'MHY3GUc5vE', 'VvG3FYAagm', 'glo3Y8SPjW', 'PyH31RJUme', 'pgt3A0RRNm', 'hVG3DI8sIU', 'sW13dDykCL', 'xiV3fDAoJ5', 'f7M3SZRT4C'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, EgjJWuawUV8VIQli6e.cs | High entropy of concatenated method names: 'ToString', 'Be1AimkqOZ', 'p9fAhOOqdF', 'JWaAvaXGQY', 'PfFA63IAsf', 'SFmAJbtWDm', 'dANApQRgCl', 'LscAwp0lEu', 'fOHA8kCyuI', 'GeqAmSmD7D'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, TCYKLZmB9cy4gbvfkU.cs | High entropy of concatenated method names: 'KTZgsb7RYg', 'wRlgrBY7ZY', 'abFgIxrLMH', 'iuOg0jQpGJ', 'x6lgc5LeDD', 'is8gGFteFP', 'd4QgOMCKaU', 'CQ5gFa3JFh', 'F2qgYeArKB', 'BrIglrNdvH'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, WHeJVtWHd25a3jo1ZT.cs | High entropy of concatenated method names: 'Dispose', 'mPVPQHFjsZ', 'uvXEhJHj2K', 'x1DcPif94i', 'nK4PMgq3pe', 'QBXPzj9wbP', 'ProcessDialogKey', 'W7AEVaPiR9', 'nyMEPh6cZ7', 'AVyEEcFXeY'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, N2BexxPBx348bC9BET6.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'WqQHfIvClV', 'vW4HSvtZgh', 'u1vHjGh3RX', 'pjsHHGRyTP', 'G18HTbwQq1', 'qO5H4eUbgV', 'JgPH2QdBt3'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, xFMHSNtZposDeqssmL.cs | High entropy of concatenated method names: 'JDTDywNCwV', 'xllDMqN44p', 'irhdVGawiu', 'wUqdPjFDTg', 'AodDi3SOfP', 'BLPDnIFwZQ', 'djkDUSBUSD', 'vlADZh42g6', 'MWFDoZsTNB', 'oHtDaaWvv6'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, PkbD1yF27iOcdZlfR9.cs | High entropy of concatenated method names: 'molWZkwBEg', 'PhNWoUO2l6', 'gaAWaAdCWm', 'hfCWCMRySO', 'r5tWqIiMyR', 'NYBWtf3ePs', 'M7RWNby2QN', 'SKAWyyMIhZ', 'sU9WQOward', 'ANCWMngjM9'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, P2L4oBNXs9PVHFjsZ9.cs | High entropy of concatenated method names: 'BfSf15DM0F', 'tFsfDD0MRu', 'akCffUUH7y', 'txcfjEXQRF', 'DUhfTBrpcb', 'Fhpf2GWb0G', 'Dispose', 'i4ud7ORBy3', 'MTldWHp9NE', 'XqEd3CqstS'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, fO1oFSKTWOXP51qUpW.cs | High entropy of concatenated method names: 'eGxexlYwIh', 'VLTeWYLUv6', 'PQFe5kpt4X', 'CrMegvuXLo', 'hQGeLPE5En', 'qGo5q6vrwF', 'yIj5tpZnjU', 'WPv5NaNSR4', 'w815yRLQKY', 'jW35QT18un'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, JW0klpPPgdnUeqsFK6t.cs | High entropy of concatenated method names: 'gHYSMKW87Q', 'S1ySzKLpkW', 'bPejVEvUnZ', 'o5ojPN85M4', 'KkYjEEnLXB', 'XCajbu6WZV', 'E2mjBXTVQP', 'rkZjxYE6Kq', 'B8Cj7IPaaW', 'BndjWWKayV'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, OgeqsaUZ6PTppij1Gt.cs | High entropy of concatenated method names: 'a92XFW0Zra', 'ViNXY2OGjL', 'mAoXK6USFo', 'jtLXha4JZw', 'maTX6bxNcg', 'XJDXJn33sf', 'uBmXw2pmRW', 'fR2X8JBGDh', 'C6QXR9xVW4', 'QmQXi1rOX3'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, zh22NKzsIUSB6yRCT4.cs | High entropy of concatenated method names: 'lqmSGdGfYG', 'SQsSFldY2B', 'fLBSYxeajx', 'H8LSKtgOQ2', 'nDQSh8AS8g', 'gDdS6LAj57', 'tGlSJBm59i', 'TjhS2PqmEb', 'XlySsBEQTg', 'V5KSr7bT4M'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, fu2cAZE15HapJxOXFl.cs | High entropy of concatenated method names: 'aNaIqht85', 'fYW01PF7n', 'KLwGZCCu0', 'zjGOQiOdu', 'j6EYqDR9I', 'pselhQDH4', 'zDOlGBb6lcbcxJYv03', 'uPW0o1iednuAUgQElc', 'xhMdaQnkc', 'hcdSOlL1p'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, AFXeYmMRES0FjcYCY4.cs | High entropy of concatenated method names: 'Y2KS3FXSHd', 'WfUS5ub68T', 'xEGSeqcNFf', 'f2xSgEtm9w', 'Oo7SfVn7p0', 'QfqSLbDqxJ', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, qn9GZHwXA1UA5E0qFA.cs | High entropy of concatenated method names: 'yqcg7B4Tgw', 'Tlkg3XgsEv', 'f1IgeYS5HX', 'HhMeM7Ii3f', 'jZsezLnD1m', 'NG2gV64BIH', 'stngPcVWiH', 'cPtgE4iwKo', 'zqxgbiqbHd', 'uXhgBgGkK5'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, paPiR9Q9yMh6cZ70Vy.cs | High entropy of concatenated method names: 'nOGfKReCHp', 'PKcfha5wxb', 'pyvfv74qjs', 'gaXf6nIff0', 'cGafJgGRa6', 'zJ7fpZCtam', 'VfnfwKHgRg', 'EXnf8yojQV', 'BHZfmAe5q3', 'rj1fRAJe9k'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, GyoxbTL0R84sRAmXa1.cs | High entropy of concatenated method names: 'I53bxvSS7Y', 'b5Bb74L4eu', 'jGwbWF2SOu', 'NEHb3vPTiZ', 'HiQb5IcCHt', 'zmpbebJV6g', 'V5obgRWT4b', 'beubLk8ZrZ', 'q60buG55cg', 'i6pbkbabcW'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, rqAGhtBXPQH2N5PTAg.cs | High entropy of concatenated method names: 'AKnPgkbD1y', 'x7iPLOcdZl', 'ipUPk9VGVE', 'd62P9YQyfQ', 'tswP1qN7O1', 'SFSPATWOXP', 'UOEEYQE2mCuDv70uls', 'eiyxJfZBxHqLnoH0Ct', 'FgvPPjvGgK', 'tKTPbmJrCL'
Source: 0.2.z81zEuzkJPHHV3KYua.exe.3c2ccc0.1.raw.unpack, pGmfDeYpU9VGVEb62Y.cs | High entropy of concatenated method names: 'AjQ30V7ofl', 'MHY3GUc5vE', 'VvG3FYAagm', 'glo3Y8SPjW', 'PyH31RJUme', 'pgt3A0RRNm', 'hVG3DI8sIU', 'sW13dDykCL', 'xiV3fDAoJ5', 'f7M3SZRT4C'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match; File source: Process Memory Space: z81zEuzkJPHHV3KYua.exe PID: 7404, type: MEMORYSTR
                    Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: SBIEDLL.DLL
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Memory allocated: C90000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Memory allocated: 2990000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Memory allocated: 2790000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Memory allocated: 60A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Memory allocated: 70A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Memory allocated: 71E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Memory allocated: 81E0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Memory allocated: 2BF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Memory allocated: 2DD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Memory allocated: 4DD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6442
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 3244
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Window / User API: threadDelayed 2017
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe; Window / User API: threadDelayed 7817
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7424; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7684; Thread sleep time: -8301034833169293s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep count: 42 > 30
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -38738162554790034s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7824; Thread sleep count: 2017 > 30
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -99891s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7824; Thread sleep count: 7817 > 30
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -99781s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -99672s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -99560s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -99451s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -99275s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -99164s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -99053s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -98922s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -98813s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -98703s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -98594s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -98469s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -98360s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -98235s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -98110s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -97985s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -97860s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -97735s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -97610s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -97485s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -97360s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -97235s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -97110s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -96985s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -96860s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -96735s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -96545s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -96323s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -96210s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -96094s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -95984s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -95875s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -95765s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -95641s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -95531s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820; Thread sleep time: -95422s >= -30000s
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820Thread sleep time: -95313s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820Thread sleep time: -95203s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820Thread sleep time: -95094s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820Thread sleep time: -94984s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820Thread sleep time: -94875s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820Thread sleep time: -94766s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820Thread sleep time: -94656s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820Thread sleep time: -94536s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820Thread sleep time: -94406s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820Thread sleep time: -94297s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820Thread sleep time: -94172s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe TID: 7820Thread sleep time: -94062s >= -30000sJump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 99891Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 99781Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 99672Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 99560Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 99451Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 99275Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 99164Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 99053Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 98922Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 98813Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 98703Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 98594Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 98469Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 98360Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 98235Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 98110Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 97985Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 97860Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 97735Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 97610Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 97485Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 97360Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 97235Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 97110Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 96985Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 96860Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 96735Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 96545Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 96323Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 96210Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 96094Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 95984Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 95875Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 95765Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 95641Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 95531Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 95422Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 95313Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 95203Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 95094Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 94984Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 94875Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 94766Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 94656Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 94536Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 94406Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 94297Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 94172Jump to behavior
                    Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exeThread delayed: delay time: 94062Jump to behavior
                    Source: z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E01000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                    Source: z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1710849746.0000000005F20000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: jkQEmuRFhg
                    Source: z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: VMwareVBox
                    Source: z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Code function: 2_2_02BF70A0 CheckRemoteDebuggerPresent, 2_2_02BF70A0
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Process created: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Queries volume information: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe VolumeInformation
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Queries volume information: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe VolumeInformation
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.z81zEuzkJPHHV3KYua.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2938171995.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2938171995.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z81zEuzkJPHHV3KYua.exe PID: 7404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z81zEuzkJPHHV3KYua.exe PID: 7476, type: MEMORYSTR
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.z81zEuzkJPHHV3KYua.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2938171995.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z81zEuzkJPHHV3KYua.exe PID: 7404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z81zEuzkJPHHV3KYua.exe PID: 7476, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.z81zEuzkJPHHV3KYua.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3be88c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.z81zEuzkJPHHV3KYua.exe.3bad2a0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2938171995.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2938171995.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: z81zEuzkJPHHV3KYua.exe PID: 7404, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: z81zEuzkJPHHV3KYua.exe PID: 7476, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 231 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Deobfuscate/Decode Files or Information | 1 Input Capture | 34 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Obfuscated Files or Information | 1 Credentials in Registry | 1 Query Registry | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 531 Security Software Discovery | Distributed Component Object Model | 1 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 1 Process Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 261 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 261 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Process Injection | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1560298
Sample: z81zEuzkJPHHV3KYua.exe
Startdate: 21/11/2024
Architecture: WINDOWS
Score: 100

• Start: signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 9 other signatures
• Contacted hosts: mail.apexrnun.com; ip-api.com
• z81zEuzkJPHHV3KYua.exe started
  • Dropped file: C:\Users\user\...\z81zEuzkJPHHV3KYua.exe.log, ASCII
  • Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 2 other signatures
  • z81zEuzkJPHHV3KYua.exe started (second instance)
    • DNS/IP: ip-api.com 208.95.112.1, 49730, 80 TUT-ASUS United States; mail.apexrnun.com 185.196.9.150, 49731, 587 SIMPLECARRIERCH Switzerland
    • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  • powershell.exe started
    • Signatures: Loading BitLocker PowerShell Module
    • WmiPrvSE.exe started
    • conhost.exe started

Source | Detection | Scanner | Label
z81zEuzkJPHHV3KYua.exe | 42% | ReversingLabs | ByteCode-MSIL.Trojan.GenSteal
z81zEuzkJPHHV3KYua.exe | 100% | Joe Sandbox ML |
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
Source | Detection | Scanner | Label
http://mail.apexrnun.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ip-api.com | 208.95.112.1 | true | false | | high
mail.apexrnun.com | 185.196.9.150 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://account.dyn.com/ | z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://mail.apexrnun.com | z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://r11.o.lencr.org0# | z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000101D000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2942075233.0000000006468000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000102E000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | z81zEuzkJPHHV3KYua.exe, 00000000.00000002.1697345336.0000000002A03000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000101D000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2942075233.0000000006468000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000102E000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000101D000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2942075233.0000000006468000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000102E000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://r11.i.lencr.org/02 | z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000101D000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2942075233.0000000006468000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.000000000102E000.00000004.00000020.00020000.00000000.sdmp, z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2936275430.0000000001060000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://ip-api.com | z81zEuzkJPHHV3KYua.exe, 00000002.00000002.2938171995.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
185.196.9.150 | mail.apexrnun.com | Switzerland | 42624 | SIMPLECARRIERCH | false
                                        Joe Sandbox version:41.0.0 Charoite
                                        Analysis ID:1560298
                                        Start date and time:2024-11-21 16:31:05 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 6m 5s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:9
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:z81zEuzkJPHHV3KYua.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.evad.winEXE@7/6@2/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 84
                                        • Number of non-executed functions: 12
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                        • Report size getting too big, too many NtCreateKey calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • VT rate limit hit for: z81zEuzkJPHHV3KYua.exe
Time | Type | Description
10:31:57 | API Interceptor | 62x Sleep call for process: z81zEuzkJPHHV3KYua.exe modified
10:31:58 | API Interceptor | 15x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | ip-api.com/json/
208.95.112.1 | Wire slip account payable.pif.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | HnJdZm51Xl.exe | malicious | Amadey, Clipboard Hijacker | ip-api.com/line/
208.95.112.1 | file.exe | malicious | JasonRAT | ip-api.com/json/?fields=11827
208.95.112.1 | Fulloption_V2.1.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | BoostFPS.exe | malicious | XWorm | ip-api.com/line/?fields=hosting
208.95.112.1 | New_Order_Inquiry.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | seethebestthingswithgreatsituationshandletotheprogress.hta | malicious | Cobalt Strike, AgentTesla, HTMLPhisher | ip-api.com/line/?fields=hosting
185.196.9.150 | paket teklif.exe | malicious | AgentTesla |
185.196.9.150 | Sipari_.exe | malicious | AgentTesla |
185.196.9.150 | IgTdifcj7HukYrd.exe | malicious | AgentTesla |
185.196.9.150 | 202411070105F02558.exe | malicious | AgentTesla |
185.196.9.150 | Dekont.exe | malicious | AgentTesla |
185.196.9.150 | 4tuMnSBgXFwIxMP.exe | malicious | AgentTesla |
185.196.9.150 | tfz7ikR76n.exe | malicious | AgentTesla |
185.196.9.150 | sipari_.exe | malicious | AgentTesla |
185.196.9.150 | fEv4R2ahiLCQa5O.exe | malicious | AgentTesla |
185.196.9.150 | PW68YarHboeikgM.exe | malicious | AgentTesla |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
ip-api.com | Wire slip account payable.pif.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | malicious | Unknown | 208.95.112.2
ip-api.com | HnJdZm51Xl.exe | malicious | Amadey, Clipboard Hijacker | 208.95.112.1
ip-api.com | file.exe | malicious | JasonRAT | 208.95.112.1
ip-api.com | Fulloption_V2.1.exe | malicious | XWorm | 208.95.112.1
ip-api.com | BoostFPS.exe | malicious | XWorm | 208.95.112.1
ip-api.com | New_Order_Inquiry.exe | malicious | AgentTesla | 208.95.112.1
mail.apexrnun.com | paket teklif.exe | malicious | AgentTesla | 185.196.9.150
mail.apexrnun.com | Sipari_.exe | malicious | AgentTesla | 185.196.9.150
mail.apexrnun.com | IgTdifcj7HukYrd.exe | malicious | AgentTesla | 185.196.9.150
mail.apexrnun.com | 202411070105F02558.exe | malicious | AgentTesla | 185.196.9.150
mail.apexrnun.com | Dekont.exe | malicious | AgentTesla | 185.196.9.150
mail.apexrnun.com | 4tuMnSBgXFwIxMP.exe | malicious | AgentTesla | 185.196.9.150
mail.apexrnun.com | tfz7ikR76n.exe | malicious | AgentTesla | 185.196.9.150
mail.apexrnun.com | sipari_.exe | malicious | AgentTesla | 185.196.9.150
mail.apexrnun.com | fEv4R2ahiLCQa5O.exe | malicious | AgentTesla | 185.196.9.150
mail.apexrnun.com | PW68YarHboeikgM.exe | malicious | AgentTesla | 185.196.9.150
Match | Associated Sample Name / URL | Detection | Threat Name | Context
TUT-ASUS | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Listing_error_15_code_file-002.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | NeftPaymentError_details__Emdtd22102024_jpg.jar | malicious | Caesium Obfuscator, STRRAT | 208.95.112.1
TUT-ASUS | Wire slip account payable.pif.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | http://christians-google-sh-97m2.glide.page/dl/d0a5f4 | malicious | Unknown | 208.95.112.2
TUT-ASUS | HnJdZm51Xl.exe | malicious | Amadey, Clipboard Hijacker | 208.95.112.1
TUT-ASUS | file.exe | malicious | JasonRAT | 208.95.112.1
TUT-ASUS | Fulloption_V2.1.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | BoostFPS.exe | malicious | XWorm | 208.95.112.1
TUT-ASUS | New_Order_Inquiry.exe | malicious | AgentTesla | 208.95.112.1
SIMPLECARRIERCH | j4LR4vQhNn.exe | malicious | PureCrypter | 185.196.9.94
SIMPLECARRIERCH | j4LR4vQhNn.exe | malicious | PureCrypter | 185.196.9.94
SIMPLECARRIERCH | paket teklif.exe | malicious | AgentTesla | 185.196.9.150
SIMPLECARRIERCH | 0a0#U00a0.js | malicious | RHADAMANTHYS | 185.196.11.18
SIMPLECARRIERCH | Sipari_.exe | malicious | AgentTesla | 185.196.9.150
SIMPLECARRIERCH | PO9927574.png.lnk | malicious | Unknown | 185.196.11.151
SIMPLECARRIERCH | IgTdifcj7HukYrd.exe | malicious | AgentTesla | 185.196.9.150
SIMPLECARRIERCH | NizYVB7pgj.lnk | malicious | Unknown | 185.196.11.151
SIMPLECARRIERCH | 202411070105F02558.exe | malicious | AgentTesla | 185.196.9.150
SIMPLECARRIERCH | Dekont.exe | malicious | AgentTesla | 185.196.9.150
                                                            No context
                                                            No context
                                                            Process:C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
                                                            File Type:ASCII text, with CRLF line terminators
                                                            Category:dropped
                                                            Size (bytes):1216
                                                            Entropy (8bit):5.34331486778365
                                                            Encrypted:false
                                                            SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                            MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                            SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                            SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                            SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                            Malicious:true
                                                            Reputation:high, very likely benign file
                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:data
                                                            Category:dropped
                                                            Size (bytes):2232
                                                            Entropy (8bit):5.378486415808052
                                                            Encrypted:false
                                                            SSDEEP:48:fWSU4xc4RTmaoUeW+gZ9tK8NPZHUxL7u1iMuge//ZSUyus:fLHxcIalLgZ2KRHWLOug0s
                                                            MD5:DF8A61AAA69C509EDF9D6ED37FE5F653
                                                            SHA1:20675930F6DBD3A94FEB0DB772556A6DE71EB810
                                                            SHA-256:41A60C51357812DAE797A2DE8EFA4F2F32BBD7AA3D52C2BE0B1B4DAE5D8FEB04
                                                            SHA-512:A87FE08C009A59F31A86D18E1618B1F4848E153D4110EC1D7522B0E75DBC9F54E72A5355A464680E7D1730289C2CAC2CEAA51025A37FFE64EEB2C0B903427FB4
                                                            Malicious:false
                                                            Reputation:low
                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.ConfigurationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Reputation:high, very likely benign file
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            File Type:ASCII text, with no line terminators
                                                            Category:dropped
                                                            Size (bytes):60
                                                            Entropy (8bit):4.038920595031593
                                                            Encrypted:false
                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                            Malicious:false
                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                            Entropy (8bit):7.829230310237872
                                                            TrID:
                                                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                            • Win32 Executable (generic) a (10002005/4) 49.78%
                                                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                            • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                            • Generic Win/DOS Executable (2004/3) 0.01%
                                                            File name:z81zEuzkJPHHV3KYua.exe
                                                            File size:768'000 bytes
                                                            MD5:1b4a6383c2a9b4fd9d1c2ba270800a49
                                                            SHA1:ae5c4b7b0a37b4d1c8b65d13417257b29cd2188e
                                                            SHA256:cd60ea86b574b6b511ce6a6aff1314ce71b1953e169792e3e76a36913e85ea23
                                                            SHA512:7374bff7a913c972156a802096c57b91be8072362dc150dfb0e0e6ad3c0808774a029f1f98f0004c86b0d4b2b76e95fce6811579b67c03cc15f5bee1b004ce6b
                                                            SSDEEP:12288:Wq3wtfRzxWW8wNaTP+/CsM/b63zsWhvb2QlT1u3UqOsOJZUowJ9oIfSF:WqMpzxWnXPWCsM/bCXhvSQ3JZUjwIfS
                                                            TLSH:A5F40111F6682BE2E42747FBEC21F2040B76BB5E986CEA092CB2B5C724717C26551D1F
                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....>g..............0.................. ........@.. ....................... ............@................................
                                                            Icon Hash:90cececece8e8eb0
                                                            Entrypoint:0x4bccca
                                                            Entrypoint Section:.text
                                                            Digitally signed:false
                                                            Imagebase:0x400000
                                                            Subsystem:windows gui
                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                            Time Stamp:0x673EF5B9 [Thu Nov 21 08:56:25 2024 UTC]
                                                            TLS Callbacks:
                                                            CLR (.Net) Version:
                                                            OS Version Major:4
                                                            OS Version Minor:0
                                                            File Version Major:4
                                                            File Version Minor:0
                                                            Subsystem Version Major:4
                                                            Subsystem Version Minor:0
                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                            Instruction
                                                            jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xbcc78          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xbe000          0x5f4         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xbb398          0x54          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0xbacd0       0xbae00   eccb3c2e7edfdd259ee24e0551ea57ba  False     0.8896242683946488   data       7.836147110785658    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xbe000          0x5f4         0x600     fa33e8dce3faaa152e2b361b1ccc2ea6  False     0.4388020833333333   data       4.179702165309303    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xc0000          0xc           0x200     fa061bbcc6f118d7e1cbe72603736907  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
RT_VERSION   0xbe090  0x364  data                                                                                                   0.4308755760368664
RT_MANIFEST  0xbe404  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347

DLL          Import
mscoree.dll  _CorExeMain
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Nov 21, 2024 16:32:00.179482937 CET  49730        80         192.168.2.4    208.95.112.1
Nov 21, 2024 16:32:00.299408913 CET  80           49730      208.95.112.1   192.168.2.4
Nov 21, 2024 16:32:00.299532890 CET  49730        80         192.168.2.4    208.95.112.1
Nov 21, 2024 16:32:00.313143969 CET  49730        80         192.168.2.4    208.95.112.1
Nov 21, 2024 16:32:00.432797909 CET  80           49730      208.95.112.1   192.168.2.4
Nov 21, 2024 16:32:01.442471027 CET  80           49730      208.95.112.1   192.168.2.4
Nov 21, 2024 16:32:01.493016958 CET  49730        80         192.168.2.4    208.95.112.1
Nov 21, 2024 16:32:02.456996918 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:02.576649904 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:02.576728106 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:04.345866919 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:04.346059084 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:04.465820074 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:04.764287949 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:04.768018007 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:04.887665033 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:05.200898886 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:05.213627100 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:05.333206892 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:05.660715103 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:05.660761118 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:05.660810947 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:05.660851955 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:05.660851002 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:05.660901070 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:05.873431921 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:05.993218899 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:06.300076962 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:06.319760084 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:06.439683914 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:06.741228104 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:06.747594118 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:06.867398024 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:07.168379068 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:07.168816090 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:07.288722038 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:07.590013981 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:07.590339899 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:07.710128069 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:08.008692026 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:08.009001970 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:08.128716946 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:08.431169033 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:08.432933092 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:08.552661896 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:08.865885973 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:08.866421938 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:08.866502047 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:08.866502047 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:08.866502047 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:08.986164093 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:08.986180067 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:08.986210108 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:08.986274958 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:09.399231911 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:32:09.446223974 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:32:52.196597099 CET  49730        80         192.168.2.4    208.95.112.1
Nov 21, 2024 16:32:52.318279982 CET  80           49730      208.95.112.1   192.168.2.4
Nov 21, 2024 16:32:52.318356991 CET  49730        80         192.168.2.4    208.95.112.1
Nov 21, 2024 16:33:42.212449074 CET  49731        587        192.168.2.4    185.196.9.150
Nov 21, 2024 16:33:42.333004951 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:33:42.999906063 CET  587          49731      185.196.9.150  192.168.2.4
Nov 21, 2024 16:33:43.004627943 CET  49731        587        192.168.2.4    185.196.9.150
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Nov 21, 2024 16:31:59.982880116 CET  49442        53         192.168.2.4  1.1.1.1
Nov 21, 2024 16:32:00.119865894 CET  53           49442      1.1.1.1      192.168.2.4
Nov 21, 2024 16:32:02.188668966 CET  59863        53         192.168.2.4  1.1.1.1
Nov 21, 2024 16:32:02.456295013 CET  53           59863      1.1.1.1      192.168.2.4

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
Nov 21, 2024 16:31:59.982880116 CET  192.168.2.4  1.1.1.1  0x4c78    Standard query (0)  ip-api.com         A (IP address)  IN (0x0001)  false
Nov 21, 2024 16:32:02.188668966 CET  192.168.2.4  1.1.1.1  0x94b2    Standard query (0)  mail.apexrnun.com  A (IP address)  IN (0x0001)  false

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address        Type            Class        DNS over HTTPS
Nov 21, 2024 16:32:00.119865894 CET  1.1.1.1    192.168.2.4  0x4c78    No error (0)  ip-api.com                208.95.112.1   A (IP address)  IN (0x0001)  false
Nov 21, 2024 16:32:02.456295013 CET  1.1.1.1    192.168.2.4  0x94b2    No error (0)  mail.apexrnun.com         185.196.9.150  A (IP address)  IN (0x0001)  false
                                                            • ip-api.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49730        208.95.112.1    80                7476  C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe

Timestamp                            Bytes transferred  Direction  Data
Nov 21, 2024 16:32:00.313143969 CET  80                 OUT        GET /line/?fields=hosting HTTP/1.1
                                                                   Host: ip-api.com
                                                                   Connection: Keep-Alive
Nov 21, 2024 16:32:01.442471027 CET  175                IN         HTTP/1.1 200 OK
                                                                   Date: Thu, 21 Nov 2024 15:32:00 GMT
                                                                   Content-Type: text/plain; charset=utf-8
                                                                   Content-Length: 6
                                                                   Access-Control-Allow-Origin: *
                                                                   X-Ttl: 60
                                                                   X-Rl: 44
                                                                   Data Raw: 66 61 6c 73 65 0a
                                                                   Data Ascii: false


Timestamp                            Source Port  Dest Port  Source IP      Dest IP        Commands
Nov 21, 2024 16:32:04.345866919 CET  587          49731      185.196.9.150  192.168.2.4    220 cp.apexrnun.com
Nov 21, 2024 16:32:04.346059084 CET  49731        587        192.168.2.4    185.196.9.150  EHLO 618321
Nov 21, 2024 16:32:04.764287949 CET  587          49731      185.196.9.150  192.168.2.4    250-cp.apexrnun.com Hello 618321 [8.46.123.75]
                                                                                           250-SIZE 52428800
                                                                                           250-8BITMIME
                                                                                           250-PIPELINING
                                                                                           250-PIPE_CONNECT
                                                                                           250-CHUNKING
                                                                                           250-STARTTLS
                                                                                           250 HELP
Nov 21, 2024 16:32:04.768018007 CET  49731        587        192.168.2.4    185.196.9.150  STARTTLS
Nov 21, 2024 16:32:05.200898886 CET  587          49731      185.196.9.150  192.168.2.4    220 TLS go ahead


                                                            Target ID:0
                                                            Start time:10:31:57
                                                            Start date:21/11/2024
                                                            Path:C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
                                                            Imagebase:0x590000
                                                            File size:768'000 bytes
                                                            MD5 hash:1B4A6383C2A9B4FD9D1C2BA270800A49
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1698165840.0000000003999000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:10:31:58
                                                            Start date:21/11/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
                                                            Imagebase:0x210000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:10:31:58
                                                            Start date:21/11/2024
                                                            Path:C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Users\user\Desktop\z81zEuzkJPHHV3KYua.exe"
                                                            Imagebase:0xa10000
                                                            File size:768'000 bytes
                                                            MD5 hash:1B4A6383C2A9B4FD9D1C2BA270800A49
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2938171995.0000000002E2D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2938171995.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2935688677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2938171995.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2938171995.0000000002E01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:low
                                                            Has exited:false

                                                            Target ID:3
                                                            Start time:10:31:58
                                                            Start date:21/11/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:10:32:00
                                                            Start date:21/11/2024
                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                            Imagebase:0x7ff693ab0000
                                                            File size:496'640 bytes
                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                            Has elevated privileges:true
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                              Execution Graph

                                                              Execution Coverage:8.7%
                                                              Dynamic/Decrypted Code Coverage:100%
                                                              Signature Coverage:0%
                                                              Total number of Nodes:42
                                                              Total number of Limit Nodes:1
                                                              execution_graph 27973 c94668 27974 c9467a 27973->27974 27975 c94686 27974->27975 27977 c94779 27974->27977 27978 c9477c 27977->27978 27982 c94879 27978->27982 27986 c94888 27978->27986 27983 c9487c 27982->27983 27985 c9498c 27983->27985 27990 c944b0 27983->27990 27988 c948af 27986->27988 27987 c9498c 27987->27987 27988->27987 27989 c944b0 CreateActCtxA 27988->27989 27989->27987 27991 c95918 CreateActCtxA 27990->27991 27993 c959db 27991->27993 27993->27993 27994 c9cfe0 27995 c9d026 27994->27995 27999 c9d5c8 27995->27999 28002 c9d5b8 27995->28002 27996 c9d113 28006 c9d21c 27999->28006 28003 c9d5bc 28002->28003 28004 c9d21c DuplicateHandle 28003->28004 28005 c9d5f6 28004->28005 28005->27996 28007 c9d630 DuplicateHandle 28006->28007 28008 c9d5f6 28007->28008 28008->27996 28013 c9ac50 28017 c9ad38 28013->28017 28022 c9ad48 28013->28022 28014 c9ac5f 28019 c9ad3c 28017->28019 28018 c9ace0 28018->28014 28019->28018 28020 c9af80 GetModuleHandleW 28019->28020 28021 c9afad 28020->28021 28021->28014 28024 c9ad4c 28022->28024 28023 c9ad7c 28023->28014 28024->28023 28025 c9af80 GetModuleHandleW 28024->28025 28026 c9afad 28025->28026 28026->28014 28009 4ec4040 28010 4ec4082 28009->28010 28012 4ec4089 28009->28012 28011 4ec40da CallWindowProcW 28010->28011 28010->28012 28011->28012
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1709291240.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ec0000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1d3a732f28fa52c753db54cdfbab681b5c3edb4e76b9656e0234dd7fadcb77e3
                                                              • Instruction ID: 22fa157eac9553a732472fc07e540e733bb05cc469307d01220b9bd33ac2cee4
                                                              • Opcode Fuzzy Hash: 1d3a732f28fa52c753db54cdfbab681b5c3edb4e76b9656e0234dd7fadcb77e3
                                                              • Instruction Fuzzy Hash: 4962C774A00218CFDB14DF79C984A9EBBB2FF89304F2195A9D409AB365DB30AD85CF51
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1709291240.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ec0000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ac981ac1f2742fe71e6eca6e6a588858142eb66d406cc6a8ed5f4b60c3538558
                                                              • Instruction ID: 8ffb0c4751b771ed0b0e692547012c0c1b192d3f908d6dcea90eea08695230e6
                                                              • Opcode Fuzzy Hash: ac981ac1f2742fe71e6eca6e6a588858142eb66d406cc6a8ed5f4b60c3538558
                                                              • Instruction Fuzzy Hash: 8B52B574A00218CFDB24DF79C994A9EBBB2FF89304F1095A9D409AB365DB30AD85CF41

                                                              Control-flow Graph

                                                              control_flow_graph 319 c9ad48-c9ad57 321 c9ad59-c9ad66 call c9a06c 319->321 322 c9ad83-c9ad87 319->322 329 c9ad68 321->329 330 c9ad7c 321->330 324 c9ad89-c9ad93 322->324 325 c9ad9b-c9addc 322->325 324->325 331 c9ade9-c9adf7 325->331 332 c9adde-c9ade6 325->332 379 c9ad6e call c9afd0 329->379 380 c9ad6e call c9afe0 329->380 330->322 333 c9adf9-c9adfe 331->333 334 c9ae1b-c9ae1d 331->334 332->331 336 c9ae09 333->336 337 c9ae00-c9ae07 call c9a078 333->337 339 c9ae20-c9ae27 334->339 335 c9ad74-c9ad76 335->330 338 c9aeb8-c9af32 335->338 343 c9ae0b-c9ae19 336->343 337->343 370 c9af38-c9af5e 338->370 371 c9af34 338->371 340 c9ae29-c9ae31 339->340 341 c9ae34-c9ae3b 339->341 340->341 344 c9ae48-c9ae51 call c9a088 341->344 345 c9ae3d-c9ae45 341->345 343->339 351 c9ae5e-c9ae63 344->351 352 c9ae53-c9ae5b 344->352 345->344 353 c9ae81-c9ae85 351->353 354 c9ae65-c9ae6c 351->354 352->351 357 c9ae8b-c9ae8e 353->357 354->353 356 c9ae6e-c9ae7e call c9a098 call c9a0a8 354->356 356->353 360 c9aeb1-c9aeb7 357->360 361 c9ae90-c9aeae 357->361 361->360 372 c9af60-c9af78 370->372 371->372 373 c9af36 371->373 374 c9af7a-c9af7d 372->374 375 c9af80-c9afab GetModuleHandleW 372->375 373->370 374->375 376 c9afad-c9afb3 375->376 377 c9afb4-c9afc8 375->377 376->377 379->335 380->335
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00C9AF9E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696142959.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c90000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: 4fb28cabee308bc5efe92a87e8b38510876d8e482c792673b70a0324aecc375b
                                                              • Instruction ID: db94681f780f4e055abc2aa8d1db8a3a5bc7fccec276891227be7dd6faebc2c2
                                                              • Opcode Fuzzy Hash: 4fb28cabee308bc5efe92a87e8b38510876d8e482c792673b70a0324aecc375b
                                                              • Instruction Fuzzy Hash: AB818870A00B458FDB24DF2AD04975ABBF1FF88304F10892ED09ADBA51D735E949CB91

                                                              Control-flow Graph

                                                              control_flow_graph 381 c944b0-c959d9 CreateActCtxA 384 c959db-c959e1 381->384 385 c959e2-c95a3c 381->385 384->385 392 c95a4b-c95a4f 385->392 393 c95a3e-c95a41 385->393 394 c95a51-c95a5d 392->394 395 c95a60 392->395 393->392 394->395 397 c95a61 395->397 397->397
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 00C959C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696142959.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c90000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 1cedb095c6499c69e4639e2d2aed076e9ac28071b3af6ed0f9113b4aa08830c7
                                                              • Instruction ID: 2b8fdf37e56b770cb1b6155edbc2ed1620a3633ab5afb8c93ed807b44f026d7d
                                                              • Opcode Fuzzy Hash: 1cedb095c6499c69e4639e2d2aed076e9ac28071b3af6ed0f9113b4aa08830c7
                                                              • Instruction Fuzzy Hash: 6041E2B0C0065DCBDF24DFAAC885B9DBBF5BF89304F20816AD409AB251DB756945CF90

                                                              Control-flow Graph

                                                              control_flow_graph 398 c9590c-c9590e 399 c95910 398->399 400 c95914 398->400 399->400 401 c9591c-c959d9 CreateActCtxA 400->401 403 c959db-c959e1 401->403 404 c959e2-c95a3c 401->404 403->404 411 c95a4b-c95a4f 404->411 412 c95a3e-c95a41 404->412 413 c95a51-c95a5d 411->413 414 c95a60 411->414 412->411 413->414 416 c95a61 414->416 416->416
                                                              APIs
                                                              • CreateActCtxA.KERNEL32(?), ref: 00C959C9
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696142959.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c90000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: Create
                                                              • String ID:
                                                              • API String ID: 2289755597-0
                                                              • Opcode ID: 392ce7d9540d326f121931761699f510211073deca21b14596633549d3a9a31b
                                                              • Instruction ID: c7aceba4574ecc83bc746d4f26068dfe2d0515928b4d5c31aa369d6d7e6369b5
                                                              • Opcode Fuzzy Hash: 392ce7d9540d326f121931761699f510211073deca21b14596633549d3a9a31b
                                                              • Instruction Fuzzy Hash: 3941F3B0C00619CBDF24DFAAC884BDDBBB1BF88314F20816AD419AB251DB756945CF50

                                                              Control-flow Graph

                                                              control_flow_graph 417 4ec4040-4ec407c 418 4ec412c-4ec414c 417->418 419 4ec4082-4ec4087 417->419 425 4ec414f-4ec415c 418->425 420 4ec4089-4ec40c0 419->420 421 4ec40da-4ec4112 CallWindowProcW 419->421 428 4ec40c9-4ec40d8 420->428 429 4ec40c2-4ec40c8 420->429 422 4ec411b-4ec412a 421->422 423 4ec4114-4ec411a 421->423 422->425 423->422 428->425 429->428
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 04EC4101
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1709291240.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ec0000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              • Opcode ID: daa48ef31ab3927c7649c34375de5f100fd0db3761d3ef1c75e96ae07a35e48e
                                                              • Instruction ID: 9a993334f0c378f5d6226da7eb26780504851f74d678c3677e7791ab84864118
                                                              • Opcode Fuzzy Hash: daa48ef31ab3927c7649c34375de5f100fd0db3761d3ef1c75e96ae07a35e48e
                                                              • Instruction Fuzzy Hash: C14157B4A00309DFDB14CF89C949AAABBF5FF88314F24855CD519AB361D334A841CFA1

                                                              Control-flow Graph

                                                              control_flow_graph 431 c9d628-c9d62a 432 c9d62c-c9d62e 431->432 433 c9d630-c9d6c4 DuplicateHandle 431->433 432->433 434 c9d6cd-c9d6ea 433->434 435 c9d6c6-c9d6cc 433->435 435->434
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C9D5F6,?,?,?,?,?), ref: 00C9D6B7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696142959.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c90000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 1f4ed72f4a42f8d621814b793550c32a48191dabf07fa3ef3353cb28776f4495
                                                              • Instruction ID: 7f2e936f411ed507c9b96595708890e4899dc70703d099fe57456d9d7359a1d6
                                                              • Opcode Fuzzy Hash: 1f4ed72f4a42f8d621814b793550c32a48191dabf07fa3ef3353cb28776f4495
                                                              • Instruction Fuzzy Hash: 102157B58002499FDB10CFAAD944ADEFFF4EB49320F14851AE959A7250C378A940CFA0

                                                              Control-flow Graph

                                                              control_flow_graph 439 c9d21c-c9d6c4 DuplicateHandle 441 c9d6cd-c9d6ea 439->441 442 c9d6c6-c9d6cc 439->442 442->441
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C9D5F6,?,?,?,?,?), ref: 00C9D6B7
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696142959.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c90000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              • Opcode ID: 5d0c85abb4c572dd57ea9c02a78f6d5596c885b2bd5360deb11e9b8bc4d8b189
                                                              • Instruction ID: 8cc15db7c67c92a785d8a07590db46b5b01b92da1016c0cf9373395d10ae66b4
                                                              • Opcode Fuzzy Hash: 5d0c85abb4c572dd57ea9c02a78f6d5596c885b2bd5360deb11e9b8bc4d8b189
                                                              • Instruction Fuzzy Hash: BB2105B5900248DFDB10CF9AD984AEEFBF4EB48320F14841AE919B7310D374A940CFA4

                                                              Control-flow Graph

                                                              control_flow_graph 445 c9af38-c9af78 447 c9af7a-c9af7d 445->447 448 c9af80-c9afab GetModuleHandleW 445->448 447->448 449 c9afad-c9afb3 448->449 450 c9afb4-c9afc8 448->450 449->450
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 00C9AF9E
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696142959.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c90000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: e2ee08af7cd6af329933975661c7d8d918dca438e450fd3ad6eaad6361404f80
                                                              • Instruction ID: 78348be8a8bfed38f725296feeb503d93aa82905935f30bf276ade3bc182a5c2
                                                              • Opcode Fuzzy Hash: e2ee08af7cd6af329933975661c7d8d918dca438e450fd3ad6eaad6361404f80
                                                              • Instruction Fuzzy Hash: DD11E0B6C006498FDB10CF9AD944ADEFBF4EF88324F14845AD829A7210D379A545CFA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1695702061.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_bed000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c4c315dc579dbac1243fd8a174cb861289beb42a6236edf5823c72e007ed5ff8
                                                              • Instruction ID: a2e00a5d847812ffbffef8702873a6f71d301d0217b3b7380e505f22f65b3f50
                                                              • Opcode Fuzzy Hash: c4c315dc579dbac1243fd8a174cb861289beb42a6236edf5823c72e007ed5ff8
                                                              • Instruction Fuzzy Hash: 822136B1500284DFDB01DF05C9C0B16BFF5FBA8314F24C6A8E9090B396C376E806C6A2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1695702061.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_bed000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 225ac8680ea9d22038ab2aa7370f3ee1a7198e4fa00a60de84feee316da13f77
                                                              • Instruction ID: 9411d247a65b9f297febccf77e1f700e8d7f734662c3d8d365ade3e907f603a3
                                                              • Opcode Fuzzy Hash: 225ac8680ea9d22038ab2aa7370f3ee1a7198e4fa00a60de84feee316da13f77
                                                              • Instruction Fuzzy Hash: 85212571504280DFDB05DF15D9C0B26BFA6FB98310F2485ADE9091B256C376D816C6A2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1695769010.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_bfd000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 94e188d2daafe2876d291f21b7141faf0ede03da5e7dadc505ac2d433229684c
                                                              • Instruction ID: 933e5bad3e405fb6e22fff9f56896c325f5bfeed4c9a9b3e5b432ee5ad8152d6
                                                              • Opcode Fuzzy Hash: 94e188d2daafe2876d291f21b7141faf0ede03da5e7dadc505ac2d433229684c
                                                              • Instruction Fuzzy Hash: 53210771504248DFDB14DF24D5D0B26BBE6FB88314F24C5ADEA094B256CB36D80BCA61
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1695769010.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_bfd000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 53c1ef54d9623ee2bf74317c554c7fbbfbd4f5e7e4c36261eae05a4d691be910
                                                              • Instruction ID: 17e406f3236f3b5bbe21a68067a0857ece2e527c4431a04724ad536d10333411
                                                              • Opcode Fuzzy Hash: 53c1ef54d9623ee2bf74317c554c7fbbfbd4f5e7e4c36261eae05a4d691be910
                                                              • Instruction Fuzzy Hash: C9212971604208DFDB05DF14D5C0B36BBE6FB88314F24C9ADEA094B255C336D80ACAA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1695769010.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_bfd000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c8b3e3e2158356c8b6cc89bea4056bad1333851170a289c5ab15570cbd2eec9
                                                              • Instruction ID: 8fe24c5ee6d1dfdc95ea9cfc884dbf382bfecf5cb6ec5be8c96c547f3b436203
                                                              • Opcode Fuzzy Hash: 6c8b3e3e2158356c8b6cc89bea4056bad1333851170a289c5ab15570cbd2eec9
                                                              • Instruction Fuzzy Hash: 3D21C675509384CFDB16CF20D590B15BFB2EB45314F28C5EAD9498B297C33AD80ACB62
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1695702061.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_bed000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                                                              • Instruction ID: c552d5902361cdc45bfb43761d31dd253942fa1adb8168ac0e760c590e6df632
                                                              • Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                                                              • Instruction Fuzzy Hash: 25110376504280CFDB12CF00D5C0B16BFB1FBA4324F24C2A9D9090B356C33AE85ACBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1695702061.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_bed000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                                                              • Instruction ID: 7af6ffd0c04015fcda62fb2c75a6c711f85ccb8012293ae0a0f6ed49af65d45d
                                                              • Opcode Fuzzy Hash: 555e834afbd1c2fd5414379b306259fbfd17fcb6917d78cd3ce2a61b5f371944
                                                              • Instruction Fuzzy Hash: 4D11D376504280CFDB16CF10D9C4B16BFB2FB94314F24C6A9DD094B256C37AD85ACBA2
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1695769010.0000000000BFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BFD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_bfd000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
                                                              • Instruction ID: 2f2071383be799c768400c3d0e53fb4ec7fe7fc90d2d5c7ff07a404862873e71
                                                              • Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
                                                              • Instruction Fuzzy Hash: A211DD75504284DFDB12CF10C5C0B25FBB2FB84314F24C6AED9494B296C33AD80ACBA1
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1695702061.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_bed000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9c5f2f2fea78d314ce857ca599d2ce301c4446e84b067de398b3db7abbea1710
                                                              • Instruction ID: fcc6bde87d3064c4eaeff5e1ec9ca4f0053754b3264a9948ca001accb920a3a7
                                                              • Opcode Fuzzy Hash: 9c5f2f2fea78d314ce857ca599d2ce301c4446e84b067de398b3db7abbea1710
                                                              • Instruction Fuzzy Hash: 9501DB715043809AE7209B17DCC4B67FFE8DF55720F18C99AED094E286C3B99C40C671
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1695702061.0000000000BED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BED000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_bed000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 394d23e30356f8ce141fa5c2574319ab23eb75cbb5bc8f56e4ca4bc40225330e
                                                              • Instruction ID: 96589e9bdd0c5ed16a981662dcc0b8aaad9c75e94af17e6114ddf2c1d4b1c44b
                                                              • Opcode Fuzzy Hash: 394d23e30356f8ce141fa5c2574319ab23eb75cbb5bc8f56e4ca4bc40225330e
                                                              • Instruction Fuzzy Hash: 7EF06272404384AEE7208B16DD84B66FFE8EF51734F18C55AED084F286C379AC44CAB1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1709291240.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ec0000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: (otq$(otq$,xq$,xq$Hxq
                                                              • API String ID: 0-2200704163
                                                              • Opcode ID: 99175b2c6dc12f7bcccd301fe48216731b3142a64328d50abaff118cd735aa15
                                                              • Instruction ID: 611f40f515c7e5a509e7cf257559074f91c9a58561a66a3cbfa53f5518ea8dca
                                                              • Opcode Fuzzy Hash: 99175b2c6dc12f7bcccd301fe48216731b3142a64328d50abaff118cd735aa15
                                                              • Instruction Fuzzy Hash: AF025974A00114CFDB58CF69C689AADBBB2BF88754B159169E8169B3B1DB31FC02CB50
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1709291240.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ec0000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d505044cf24a9a9b18008dcc18dbdb46ffce37a4b48888edd9a99ab08a481379
                                                              • Instruction ID: 4a38ec2a5a49c31cdab4331152fb7c25d82c715c4668fd758876c5b610998790
                                                              • Opcode Fuzzy Hash: d505044cf24a9a9b18008dcc18dbdb46ffce37a4b48888edd9a99ab08a481379
                                                              • Instruction Fuzzy Hash: D11285F0481785AAE710CF66E84D18A7BB1F7C531AF904649D2612F2F9DBBC198ACF44
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1696142959.0000000000C90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C90000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_c90000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 280f02ed3cc4ae1319b7513ca951cb8519d9fa5110a401f90233593509e36cae
                                                              • Instruction ID: e32d58eac7d602eecdd307f457faaa3fca84cb8abf1c69f72ce18e103c4779bb
                                                              • Opcode Fuzzy Hash: 280f02ed3cc4ae1319b7513ca951cb8519d9fa5110a401f90233593509e36cae
                                                              • Instruction Fuzzy Hash: 7AA13C32A00205CFCF05DFA5C84499EB7B2FF85301B25857EE816EB265DB75EA56CB80
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1709291240.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ec0000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2a8eb9f1a1ff7925d0563861d153fc883bdd5ffcef706e1c05d26fc46c535af2
                                                              • Instruction ID: 51af30f1ba832062ce845a6238febb53da4e9d51d65de8b2ab234327591914d0
                                                              • Opcode Fuzzy Hash: 2a8eb9f1a1ff7925d0563861d153fc883bdd5ffcef706e1c05d26fc46c535af2
                                                              • Instruction Fuzzy Hash: FBC1F8F0880785ABD714CF66E84818A7BB1FBC5316F614649D1616F2F9DBBC188ACF44
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1709291240.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ec0000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a4c308c9d87d1127a326b8a435d33a5863abea584d84cedfd913d56f0904198b
                                                              • Instruction ID: 8b4e61f3768f552c1173a88dc582b464cfd19105952d186a4fc3948a9342bdb5
                                                              • Opcode Fuzzy Hash: a4c308c9d87d1127a326b8a435d33a5863abea584d84cedfd913d56f0904198b
                                                              • Instruction Fuzzy Hash: 0D51DAB5E002099FDB04DFADC980AAEBBF2FF88310F14D569E518E7254D734A941CB60
                                                              Memory Dump Source
                                                              • Source File: 00000000.00000002.1709291240.0000000004EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04EC0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_0_2_4ec0000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 35737348fa2e0fe9d337e5069ceb04921e76376566f4a306383099d233657438
                                                              • Instruction ID: 256989892c2799b195576338b3a6927fee644de8a1807d63a89d922d659e6b69
                                                              • Opcode Fuzzy Hash: 35737348fa2e0fe9d337e5069ceb04921e76376566f4a306383099d233657438
                                                              • Instruction Fuzzy Hash: 0F51ECB5E006499FDB04DFA9C980AAEBBF2FF88300F14D569D414E7255D734EA42CB60

                                                              Execution Graph

                                                              Execution Coverage: 11.3%
                                                              Dynamic/Decrypted Code Coverage: 100%
                                                              Signature Coverage: 1.6%
                                                              Total number of Nodes: 191
                                                              Total number of Limit Nodes: 12
                                                              execution_graph (191 nodes, 12 limit nodes; rendered as a graph in the report, condensed here to the entry points and the paths that reach a Win32 call)
                                                              • 694dbb0 -> 694dc18: CreateWindowExW
                                                              • 2bf0848 -> 2bf137f -> 2bf8258 -> 695fa10 / 695fa0f -> 695fc50 and 695fc60: GlobalMemoryStatusEx (4 calls in each block)
                                                              • 2bf0848 -> 6942387 / 6942388 -> 6941a54 (3 API calls) -> 694322c -> 6945ce7 / 6945ce8 -> 69462a0 -> 6945e8c -> 6945ec0 -> 6947650 -> 69463c7 -> 694b6e8 / 694b700, which fan out to 694cc78 / 694cc69, 694aa3c, 694a968, 694bbb8, 694bc00, 694bc5f, 694d130, 694d1e0, 694d340, 694d350: GetModuleHandleW
                                                              • 7122f68 -> 71223e4 -> 7122400 -> 71232e8: OleInitialize
                                                              • 12bd030 -> 694dd57 / 694dd68, 694eeb8, 694ab4c -> 694f050 / 694f040 / 694f11c -> 694f0f8 / 694f108 -> 7120c40 -> 7120c62 / 7120c70 -> 7120d0a: CallWindowProcW
                                                              • 69436d8: DuplicateHandle
                                                              • 2bf70a0 -> 2bf70e4: CheckRemoteDebuggerPresent
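The execution graph above is printed as one flat token stream (node id, hex address, optional API names, then `src->dst` edges). The following is an added example by the editor, not Joe Sandbox code, that parses that stream, tallies the Win32 calls per node and flags the ones behind the report's anti-analysis signatures. `GRAPH_EXCERPT` is a constructed subset of the nodes and edges shown above; the `WATCHLIST` mapping is the editor's assumption about which calls back the "Checks if the current process is being debugged" and sandbox-detection signatures (only the CheckRemoteDebuggerPresent entry is stated by the report itself).

```python
"""Parse the execution_graph token stream that Joe Sandbox prints and flag
anti-analysis Win32 calls.  Added example for this report, not Joe Sandbox code.

Format assumed (as printed in the report):
    <node-id> <hex-address> [<API name> ... | <N> API calls]   node definition
    <node-id>-><node-id>                                        edge
"""
import re
from collections import Counter

# Constructed subset of the report's execution_graph text (node ids and
# addresses copied from the graph above; the full graph has 191 nodes).
GRAPH_EXCERPT = (
    "42878 694dbb0 42879 694dc18 CreateWindowExW 42878->42879 42881 694dcd4 42879->42881 "
    "42909 695fa25 42907->42909 42908 695fc3a 42908->42904 42909->42908 "
    "42910 695fc50 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx "
    "GlobalMemoryStatusEx 42909->42910 "
    "42900 6941a54 3 API calls 42899->42900 "
    "42967 694cc78 GetModuleHandleW 42966->42967 42968 694cc69 GetModuleHandleW 42966->42968 "
    "43046 71232e8 OleInitialize 43045->43046 "
    "43104 7120d0a CallWindowProcW 43103->43104 "
    "42882 69436d8 DuplicateHandle 42883 694376e 42882->42883 "
    "43110 2bf70a0 43111 2bf70e4 CheckRemoteDebuggerPresent 43110->43111 43112 2bf7126 43111->43112"
)

HEX_ADDR = re.compile(r"[0-9a-f]{5,8}")
# A Win32 export name: CamelCase with at least one lowercase letter, so the
# "3 API calls" summary tokens ("3", "API", "calls") are never counted as calls.
API_NAME = re.compile(r"[A-Z][A-Za-z0-9]*[a-z][A-Za-z0-9]*")

# Editor's watch-list.  The first entry is what the report states; the other
# two are the editor's assumption about what the sandbox-detection signatures rest on.
WATCHLIST = {
    "CheckRemoteDebuggerPresent": "Checks if the current process is being debugged",
    "GlobalMemoryStatusEx": "RAM-size probe (common sandbox check; assumption)",
    "GetModuleHandleW": "module-presence probe (analysis-tool detection; assumption)",
}


def parse_execution_graph(text):
    """Return (nodes, edges): nodes maps id -> {'addr', 'apis'}, edges is a list of (src, dst)."""
    nodes, edges, current = {}, [], None
    toks = text.split()
    i = 0
    while i < len(toks):
        tok = toks[i]
        if "->" in tok:
            src, dst = tok.split("->", 1)
            edges.append((src, dst))
            i += 1
        elif tok.isdigit() and i + 1 < len(toks) and HEX_ADDR.fullmatch(toks[i + 1]):
            current = tok
            nodes[current] = {"addr": toks[i + 1], "apis": []}
            i += 2
        else:
            # Annotation of the last node: keep API names, drop "N API calls" summaries.
            if current is not None and API_NAME.fullmatch(tok):
                nodes[current]["apis"].append(tok)
            i += 1
    return nodes, edges


def api_call_counts(nodes):
    """Occurrences of each API over all nodes (repeats inside one node count separately)."""
    counts = Counter()
    for node in nodes.values():
        counts.update(node["apis"])
    return counts


def flag_anti_analysis(nodes):
    """(node_id, address, api, reason) for every node that calls a watch-listed API."""
    hits = []
    for nid in sorted(nodes, key=int):
        node = nodes[nid]
        for api in dict.fromkeys(node["apis"]):  # de-duplicate, keep order
            if api in WATCHLIST:
                hits.append((nid, node["addr"], api, WATCHLIST[api]))
    return hits


def callers_of(nodes, edges, api):
    """Node ids with a direct edge into a node that calls `api`, i.e. where the check is reached from."""
    targets = {nid for nid, node in nodes.items() if api in node["apis"]}
    return sorted({src for src, dst in edges if dst in targets}, key=int)


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(GRAPH_EXCERPT)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for api, n in api_call_counts(nodes).most_common():
        print(f"{n:3d}  {api}")
    for nid, addr, api, reason in flag_anti_analysis(nodes):
        print(f"node {nid} @ {addr}: {api} <- {reason}; reached from {callers_of(nodes, edges, api)}")
```

Running it against the full graph text (paste it in place of `GRAPH_EXCERPT`) gives the address of every block that hits the watch-list, which is the quickest way to get from a signature line in the overview to the block an analyst should open in the dump.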
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $tq$$tq$$tq$$tq$$tq$$tq
                                                              • API String ID: 0-2574395493
                                                              • Opcode ID: a2fdbb873855fbab4692d287fc65420a78ce1dfd545b14efdd541153a87d27c6
                                                              • Instruction ID: b59abc762515bb56f624af25f08b3e91023f0c31547820349e56b8015bfdddf6
                                                              • Opcode Fuzzy Hash: a2fdbb873855fbab4692d287fc65420a78ce1dfd545b14efdd541153a87d27c6
                                                              • Instruction Fuzzy Hash: 48D23B30E002098FCB64DF64C594A9DB7B6FF89310F65C96AD809AB755EB30ED85CB80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $tq$$tq$$tq$$tq$$tq$$tq
                                                              • API String ID: 0-2574395493
                                                              • Opcode ID: 58df2e60e6c0c355fc54d9a680ac23a386f2c49a96e3d6301a58a3be4bf8f88f
                                                              • Instruction ID: 431cb264a891abff75b5a9dfaf1701ca79cf4e82cefd7c378543040acee9a23e
                                                              • Opcode Fuzzy Hash: 58df2e60e6c0c355fc54d9a680ac23a386f2c49a96e3d6301a58a3be4bf8f88f
                                                              • Instruction Fuzzy Hash: A4527170E102098FDFA4DF69D4A07ADB7B6EB85310F21852AE805EB759DB34DC81CB91

                                                              Control-flow Graph

                                                              • Executed
                                                              • Not Executed
                                                              control_flow_graph: function at 6957d50, basic blocks 6957d50-695838f (drawn in the report with the Executed / Not Executed colouring above); blocks 69581d1-69582c7 and 6957f9f-6957ff6 call 6956570
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $tq$$tq
                                                              • API String ID: 0-1837209516
                                                              • Opcode ID: 1ded0d3b1bb7c18cdb3f6c017ae53ab9b5f27fff505f4f3347aa351de5041ca1
                                                              • Instruction ID: adb6ad742ff277740f5a765d523889cc8d6520352ed1581b28ec1740598c1325
                                                              • Opcode Fuzzy Hash: 1ded0d3b1bb7c18cdb3f6c017ae53ab9b5f27fff505f4f3347aa351de5041ca1
                                                              • Instruction Fuzzy Hash: 0C02BF30B102159FDF54DB75D9446AEB7A6FF84310F218929E806DB755EB31ED42CB80

                                                              Control-flow Graph
                                                              • [Function at 6955568 (basic blocks 6955568 through 6955ca1); no calls to other functions appear in this graph. The executed / not-executed node colouring, the rendered graph and its edge list are omitted.]
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $
                                                              • API String ID: 0-3993045852
                                                              • Opcode ID: a2980aa20fcf3d45e0915e96f3496ab3ee1f4f2bf4b052c2fd9c297c03499f59
                                                              • Instruction ID: bbc2d8174c42b65a0802d95ae6d87441a20d3fbdbe3be052ddbefa2f1745a359
                                                              • Opcode Fuzzy Hash: a2980aa20fcf3d45e0915e96f3496ab3ee1f4f2bf4b052c2fd9c297c03499f59
                                                              • Instruction Fuzzy Hash: 3222DF71E002158FDF64DBA4C4806AEBBB6FF88310F26846AD806EB756DB31DC45CB90
                                                              APIs
                                                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02BF7117
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2937514401.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_2bf0000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: CheckDebuggerPresentRemote
                                                              • String ID:
                                                              • API String ID: 3662101638-0
                                                              • Opcode ID: b5b740576f6639d7f8971a0d894e769af6bc4e6ac98f8f503cca8370c8a173e1
                                                              • Instruction ID: aded309db1c83f251ff39fe01472d6f5ba5c2edc1514bde3f1d62951f915d085
                                                              • Opcode Fuzzy Hash: b5b740576f6639d7f8971a0d894e769af6bc4e6ac98f8f503cca8370c8a173e1
                                                              • Instruction Fuzzy Hash: F02139B1800259CFDB10CF9AD884BEEFBF8EF49324F14846AE455A7250D778A944CF61
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9362c741389556ad25f8fd0c7c2232cf9f805ca0818ab8feb7174d78759246ef
                                                              • Instruction ID: 145aae6358a31e6cec6d0a5028c5d2fd184827a5a10a91825049c68764be604f
                                                              • Opcode Fuzzy Hash: 9362c741389556ad25f8fd0c7c2232cf9f805ca0818ab8feb7174d78759246ef
                                                              • Instruction Fuzzy Hash: B562AB34B002058FCF54DB68D594AADB7F6EF88310F658869E806EB765DB31ED42CB80
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a26e091d287c35fde4f22fcc1fd64d63bb3936bf16c006b681b88b3c65b01fc2
                                                              • Instruction ID: 57bc450f836ab5bb1f46202368bea4e987446b63ccc17636bd9c62f47a57b03b
                                                              • Opcode Fuzzy Hash: a26e091d287c35fde4f22fcc1fd64d63bb3936bf16c006b681b88b3c65b01fc2
                                                              • Instruction Fuzzy Hash: 19327D75B10209CFDF54DB68D890BADB7B6EB88310F218529E806EB755DB35EC42CB90

                                                              Control-flow Graph
                                                              • [Function at 695aca0 (basic blocks 695aca0 through 695b1f0); the block at 695af15 calls 695b208 or 695b1fa, and two further blocks call 6956570. The executed / not-executed node colouring, the rendered graph and its edge list are omitted.]
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq
                                                              • API String ID: 0-3970889292
                                                              • Opcode ID: b682bb2ba4e196bbb72dc5220a2165d38b9fd6ca73a0480ffaad1d6094ee871b
                                                              • Instruction ID: 2973ac9c4b1f32ad576212b402756e0b7d111815b2d32fc97abefa1e8e491bbf
                                                              • Opcode Fuzzy Hash: b682bb2ba4e196bbb72dc5220a2165d38b9fd6ca73a0480ffaad1d6094ee871b
                                                              • Instruction Fuzzy Hash: 48E18170E1020A8FCF55DB69D4946AEB7B6FF88310F218A29D805AB755DB30DC46CB91

                                                              Control-flow Graph
                                                              • [Function at 6959120 (basic blocks 6959120 through 6959a4d); no calls to other functions appear in this graph. The executed / not-executed node colouring, the rendered graph and its edge list are omitted.]
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $tq$$tq$$tq$$tq
                                                              • API String ID: 0-173548568
                                                              • Opcode ID: 86de6a1c9d36632d702f4d1675c671627624ed2f7a8af7db7d4ac8d982b832f7
                                                              • Instruction ID: 4bf0dc3f38db5c94537078cea32255d5e877cd0c31fa0e58a23674a7fbe75616
                                                              • Opcode Fuzzy Hash: 86de6a1c9d36632d702f4d1675c671627624ed2f7a8af7db7d4ac8d982b832f7
                                                              • Instruction Fuzzy Hash: 3A913070F1021E8FDF94DF65D9507AEB7F6AB88640F608569D80AAB344EA30DD428B91

                                                              Control-flow Graph
                                                              • [Function at 695cf18 (basic blocks 695cf18 through 695da78); the block at 695d975 calls 695daa0 or 695da8d, and three further blocks (695d36c, 695d87b, 695d9fd) call 6956570. The executed / not-executed node colouring, the rendered graph and its edge list are omitted.]
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $tq$$tq$$tq
                                                              • API String ID: 0-2863945821
                                                              • Opcode ID: 8de5f9aa234f247e26f6653f5c2de9433fb80d46f9fb1915c960f465ebe6e698
                                                              • Instruction ID: efc2c1df1bd6f48022fa42c51da1f8ec3673978b12304a2e327b2e440639b5c7
                                                              • Opcode Fuzzy Hash: 8de5f9aa234f247e26f6653f5c2de9433fb80d46f9fb1915c960f465ebe6e698
                                                              • Instruction Fuzzy Hash: 65628270B0020A8FCB55EF79D590A5EB7B2FF85304B218A28D4069F759EB31ED46CB81

                                                              Control-flow Graph
                                                              • [Function at 6959112 (basic blocks 6959112 through 6959a4d, overlapping the graph for 6959120); no calls to other functions appear in this graph. The executed / not-executed node colouring, the rendered graph and its edge list are omitted.]
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $tq$$tq
                                                              • API String ID: 0-1837209516
                                                              • Opcode ID: 42e79a3ff6e4a59fc0e7b39ef9cceae9d3a34cdf859968f11258c7477d5c3b78
                                                              • Instruction ID: 1364884a4c95628ab131fb3c6f2c4fcd944a20307fee68c51cf17748eedfc80d
                                                              • Opcode Fuzzy Hash: 42e79a3ff6e4a59fc0e7b39ef9cceae9d3a34cdf859968f11258c7477d5c3b78
                                                              • Instruction Fuzzy Hash: D6514270F0011A9FDF54DB75D950B6EB7FAEB88650F208569D80AEB758EA30DC028B91

                                                              Control-flow Graph
                                                              • [Function at 694b9c8 (basic blocks 694b9c8 through 694bc48); it calls 694a968, 694bc5f, 694a974, 6943f9c, 6949188, 694a984, 694bf10 or 694bf20, and the block at 694bc00 calls GetModuleHandleW. The executed / not-executed node colouring, the rendered graph and its edge list are omitted.]
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942573556.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6940000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              • Opcode ID: eb38a25ea7f75f707a924a8891c1de8fa28ec339dc1fd9f616be9c0d3eccf44d
                                                              • Instruction ID: cb085a36eca366e416ac872f68bc98ed719ab8c7277cff22cb591ba1c5b26d98
                                                              • Opcode Fuzzy Hash: eb38a25ea7f75f707a924a8891c1de8fa28ec339dc1fd9f616be9c0d3eccf44d
                                                              • Instruction Fuzzy Hash: 59814570A10B458FDBA4EF2AD440B5ABBF5FF88314F108A2DD48AD7A44D775E845CB90
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2937514401.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_2bf0000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0694DCC2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942573556.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6940000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              APIs
                                                              • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0694DCC2
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942573556.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6940000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: CreateWindow
                                                              • String ID:
                                                              • API String ID: 716092398-0
                                                              APIs
                                                              • CallWindowProcW.USER32(?,?,?,?,?), ref: 07120D31
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2943083536.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7120000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: CallProcWindow
                                                              • String ID:
                                                              • API String ID: 2714655100-0
                                                              APIs
                                                              • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 02BF7117
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2937514401.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_2bf0000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: CheckDebuggerPresentRemote
                                                              • String ID:
                                                              • API String ID: 3662101638-0
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0694375F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942573556.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6940000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              APIs
                                                              • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0694375F
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942573556.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6940000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: DuplicateHandle
                                                              • String ID:
                                                              • API String ID: 3793708945-0
                                                              APIs
                                                              • GlobalMemoryStatusEx.KERNELBASE ref: 02BFF1EF
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2937514401.0000000002BF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BF0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_2bf0000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: GlobalMemoryStatus
                                                              • String ID:
                                                              • API String ID: 1890195054-0
                                                              APIs
                                                              • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,0694B9E4), ref: 0694BC1E
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942573556.0000000006940000.00000040.00000800.00020000.00000000.sdmp, Offset: 06940000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6940000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: HandleModule
                                                              • String ID:
                                                              • API String ID: 4139908857-0
                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 0712333D
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2943083536.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7120000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID:
                                                              • API String ID: 2538663250-0
                                                              APIs
                                                              • OleInitialize.OLE32(00000000), ref: 0712333D
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2943083536.0000000007120000.00000040.00000800.00020000.00000000.sdmp, Offset: 07120000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7120000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID: Initialize
                                                              • String ID:
                                                              • API String ID: 2538663250-0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHtq
                                                              • API String ID: 0-4170314142
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHtq
                                                              • API String ID: 0-4170314142
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHtq
                                                              • API String ID: 0-4170314142
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHtq
                                                              • API String ID: 0-4170314142
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: |
                                                              • API String ID: 0-2343686810
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: |
                                                              • API String ID: 0-2343686810
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \Oyq
                                                              • API String ID: 0-44443374
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d23fa0a88fbb07739b13007a6704244c2370c886c0ac18a61d9cf575d2e615bb
                                                              • Instruction ID: 44eb501f1a826e7facb0468ba0440b5c63f31893165b5a2e04ef025716825061
                                                              • Opcode Fuzzy Hash: d23fa0a88fbb07739b13007a6704244c2370c886c0ac18a61d9cf575d2e615bb
                                                              • Instruction Fuzzy Hash: 1D915D70E102198BDF60CF69C880B9DB7B1FF89310F208699D549AB355EB70AD85CF91
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a3c78fccd555900dd562d7f12a90a494af8981b17196650f2490f35708b781ef
                                                              • Instruction ID: 974f856c7fa59d78aa8c94516d2e31bf9af13cd7c997cbe0a73564a069a5a03f
                                                              • Opcode Fuzzy Hash: a3c78fccd555900dd562d7f12a90a494af8981b17196650f2490f35708b781ef
                                                              • Instruction Fuzzy Hash: D2915D70E102198BDF64DFA5C880B9DB7B1FF89310F208699D509AB355DB70AD85CF90
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9d13b933a08ea44942dbf751dc8cf18c40abdf95c88ecf215b3e8540fa6179a4
                                                              • Instruction ID: a4fdcedae314de826410fed2298f2b98035e6be7e5ca6d46e5617061cb053c7b
                                                              • Opcode Fuzzy Hash: 9d13b933a08ea44942dbf751dc8cf18c40abdf95c88ecf215b3e8540fa6179a4
                                                              • Instruction Fuzzy Hash: C1713C71A002098FCB54DFA9D980AADBBF6FF88300F258469D406EB755DB31ED46CB40
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d94d1fa757a6915be996b40cb33f97e0f3e186786521d4684aa8dc761c5ce1e8
                                                              • Instruction ID: eb3677a89398c38252de4ae8163b33ae350b16f138b454c9a87f2abd56c9b018
                                                              • Opcode Fuzzy Hash: d94d1fa757a6915be996b40cb33f97e0f3e186786521d4684aa8dc761c5ce1e8
                                                              • Instruction Fuzzy Hash: A3713F71A002099FDB54EFA9D980AADBBF6FF88300F258429E406EB755DB31ED45CB50
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 658212f7d880fe71dbde0a2e3c31ca85eadac109d3aae3c6c914c5a9f1c6ae78
                                                              • Instruction ID: e07b82d94f5f363614d5a935284a41acf37814a1584ccaa9c09be69232d876be
                                                              • Opcode Fuzzy Hash: 658212f7d880fe71dbde0a2e3c31ca85eadac109d3aae3c6c914c5a9f1c6ae78
                                                              • Instruction Fuzzy Hash: 9951C231E00109DFCF64EB78E4586ADBBB6FB84321F21887AE906D7651DB319959CB80
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e3c49e46c8193a9a06b7c43050daf10a45e0c9edbc3aef78033fba3b87c406f8
                                                              • Instruction ID: d1826f1965e2238f076bcc8752a79a6ee5fbcb8e55b46aa8b98b6c199e7e93fa
                                                              • Opcode Fuzzy Hash: e3c49e46c8193a9a06b7c43050daf10a45e0c9edbc3aef78033fba3b87c406f8
                                                              • Instruction Fuzzy Hash: 4C51E8B0B201049BEFA4A67CD86476F365ED788320F314426E90EC77D9DB79CC414B92
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8008d19d7367b424a76f3925514bfa590abe0761458e810ca913a505dedc62d2
                                                              • Instruction ID: c0e59d9fa54c721a78db3aacd2752088d8cc9efbfce95b929cc3499477c88cc6
                                                              • Opcode Fuzzy Hash: 8008d19d7367b424a76f3925514bfa590abe0761458e810ca913a505dedc62d2
                                                              • Instruction Fuzzy Hash: F451E8B0B201049BEFA4A67CD8A476F365ED788320F31442AE90EC77D9CB79CC414B92
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: c913e015d88d675bac06177a2b1345aa56722e858a47dd2c990759265a0de860
                                                              • Instruction ID: ccd3906ce9c359e5385dcc98843dd53d9e6c5696ed1ea88a800042fa31cdf7d8
                                                              • Opcode Fuzzy Hash: c913e015d88d675bac06177a2b1345aa56722e858a47dd2c990759265a0de860
                                                              • Instruction Fuzzy Hash: 2031F032A002059FCF19EB78E4481AEBBB6FF84311F618879E506D7651DF329859CB90
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b8093137a85439a0a491f765d6a38db538f8002ea6d11d8b5cce735f289d3182
                                                              • Instruction ID: 0c0b7138fc1a77e4977b36a616f757a6757ac9246624b12af03c83ee2187ef5a
                                                              • Opcode Fuzzy Hash: b8093137a85439a0a491f765d6a38db538f8002ea6d11d8b5cce735f289d3182
                                                              • Instruction Fuzzy Hash: 8331A971E1060A8BCF55DF69C4506DEBBB5FF85300F208919E845EB700EB71E946C781
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5eaaab890e7c99d343c6af1d6f08d1ef0fe02d5b69fb4db50dd6a21090618ff1
                                                              • Instruction ID: 966743a6311bafcaf133146d3be604d0de97f23181cb48fee0da36e9fb5fd1db
                                                              • Opcode Fuzzy Hash: 5eaaab890e7c99d343c6af1d6f08d1ef0fe02d5b69fb4db50dd6a21090618ff1
                                                              • Instruction Fuzzy Hash: 4F315C71E106069BCB09CFA5D894A9EFBB6EF89340F108929E806E7744DB71E942CB50
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 9f7b09bdf1e5d7bee4bb644e5df3c68496cb19e3cb62fbbc470a27763d033880
                                                              • Instruction ID: 72e1ebc2ee8957bebb80693e3cc230cf98bbcae78b203eb47f7c80088b7dd47d
                                                              • Opcode Fuzzy Hash: 9f7b09bdf1e5d7bee4bb644e5df3c68496cb19e3cb62fbbc470a27763d033880
                                                              • Instruction Fuzzy Hash: 76316B71E106069BCB09CF65D89469FF7B6AF89340F208929E806EB744DB71A942CB40
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3b2c7ec0fb2c5f04ea7b92ddad649c7eb31989cc7163959595068a92a118433c
                                                              • Instruction ID: 67e28cd8378e8ffd4c1e74ca6a9b4d1101e01b72218bcc71493d9a7db5610def
                                                              • Opcode Fuzzy Hash: 3b2c7ec0fb2c5f04ea7b92ddad649c7eb31989cc7163959595068a92a118433c
                                                              • Instruction Fuzzy Hash: 2521F371F101184BDF94DABDD89079FB7AAE789714F20853AE50AE7740EA31DC028784
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a89e59907f79418ac6ee9e4f1e8f1312553baaa43f3f6cc5082aa599e4958849
                                                              • Instruction ID: 9d83ba5992320c472aeaeba6ccb7470599f7f70c60c50575b7884172b3c8c37b
                                                              • Opcode Fuzzy Hash: a89e59907f79418ac6ee9e4f1e8f1312553baaa43f3f6cc5082aa599e4958849
                                                              • Instruction Fuzzy Hash: A2218E75F002299FDF54DFA9D880AAEBBF5EB48360F208129E905E7340E730D840CB90
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bb6f78ca64dc07a5ffb45776cb561d02e8f05b2aa002b1587d1faa60d63b1b47
                                                              • Instruction ID: f3cdfb3bf8e7915a470f1e72178da1ce276bfae73be82aafcf84b7bf8024e030
                                                              • Opcode Fuzzy Hash: bb6f78ca64dc07a5ffb45776cb561d02e8f05b2aa002b1587d1faa60d63b1b47
                                                              • Instruction Fuzzy Hash: 2A218EB6F102299FDF44DFA9E884ABEB7F5EB48220F218125E905E7345E734D8018B90
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: acd80c395536afb3ea3b3ccc7262f6f8c5d119874be5237c2e4efa0fc2e23164
                                                              • Instruction ID: ac1f8e1d3a8418df212f95dc46a48d21ba9a6f67882d4bfde9428fded2bcce38
                                                              • Opcode Fuzzy Hash: acd80c395536afb3ea3b3ccc7262f6f8c5d119874be5237c2e4efa0fc2e23164
                                                              • Instruction Fuzzy Hash: 90210731B000194BCF44DB69EC4079EB7F6EB84310F65882AD805EB754EB31DD418B80
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2937062027.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_12bd000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 33f61fce190973e63dcbab1bb1f815a931fcbbd997f6cbfdf66b4cd3f0dc7de4
                                                              • Instruction ID: 0fdf19da0fb5f7395012c3deca16dd095bf49f9fbd5cb339b2d7b62b4049f527
                                                              • Opcode Fuzzy Hash: 33f61fce190973e63dcbab1bb1f815a931fcbbd997f6cbfdf66b4cd3f0dc7de4
                                                              • Instruction Fuzzy Hash: 55214971514208DFDB11DF58D9C0BA6BBA5FB88398F24C96DD9094B242C377D407CB61
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 81b06c10956abd2b07dfa1421e9d241f5d0429e4f9f238b61d476f3a5c0de87d
                                                              • Instruction ID: d56b9120dea46528051ed4f68ff3b21265a377cde2c70921f13773f5972a0443
                                                              • Opcode Fuzzy Hash: 81b06c10956abd2b07dfa1421e9d241f5d0429e4f9f238b61d476f3a5c0de87d
                                                              • Instruction Fuzzy Hash: 44216271D1071A8BDF64CFA9C85069EBBB9FF85310F218A2AEC05EB644D770A945CB80
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25875e08bf70cf716641049601829efd2c708a8498b5f5ade137ebe37bd0faf3
                                                              • Instruction ID: c29f235cd7addebd2c51d6994f16b8710a3866aa037bd27af6375ddd76042dca
                                                              • Opcode Fuzzy Hash: 25875e08bf70cf716641049601829efd2c708a8498b5f5ade137ebe37bd0faf3
                                                              • Instruction Fuzzy Hash: 2A11AD32B2052C8BDF98E679C8146BE77EAEBC8350F114539D806E7344EE34DC028B91
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 04ca82887ab7663b5a47eddfb69f779ab5a11156d76eb2b1bb2ad126135e0325
                                                              • Instruction ID: 337f5015252b7ecb270d16ec70d61b2677a5cfc2dfee255769f31afd25240a4f
                                                              • Opcode Fuzzy Hash: 04ca82887ab7663b5a47eddfb69f779ab5a11156d76eb2b1bb2ad126135e0325
                                                              • Instruction Fuzzy Hash: BC01B131B101101BDB64DA7D985476BBBEADBC9710F25843AF80ECB742EA65DC068791
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2937062027.00000000012BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012BD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_12bd000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
                                                              • Instruction ID: 4e5f17d2a2f7998a2eb565716dc6e039221d2eff057ad335ba88f465cd59fa88
                                                              • Opcode Fuzzy Hash: 8bad08bc3297c4791243414a9a82218353e3075920b51f23bb46501d1989d77c
                                                              • Instruction Fuzzy Hash: 6D11BB75504284CFDB12CF58D5C0B55BBA1FB84318F28CAAAD9494B656C33AD44ACB62
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ac297b76f2b1926008972cbe520f16e913eb397b0cae4fb0c17d9433839008c5
                                                              • Instruction ID: d1489f9ce979a9fc0c394ae85cc44f88548702561f33fba07e428df8f9fc188e
                                                              • Opcode Fuzzy Hash: ac297b76f2b1926008972cbe520f16e913eb397b0cae4fb0c17d9433839008c5
                                                              • Instruction Fuzzy Hash: AD11D3B1D012599FCB00CF9AD884ACEFBF8FB48320F10852AE918A7640D375A554CFA5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ad8edb5420ce05a2f4fddb3db3513e20d260beacad1e3d27a1b37afa9040d7b8
                                                              • Instruction ID: 29df524194236a4ce4db19109a010f89246d0eb99d611c3e5541334c11736ed2
                                                              • Opcode Fuzzy Hash: ad8edb5420ce05a2f4fddb3db3513e20d260beacad1e3d27a1b37afa9040d7b8
                                                              • Instruction Fuzzy Hash: A6017136B105114BCBA4DB3C989476A77EAEBC9710F25882AF40BC7341DE22DD028745
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 10c43a9f10896d375e1d8d2246e09ec3174e6bfdf5a45e92245d74e1c875c3ad
                                                              • Instruction ID: 6f53dba76f3139290f6003a54ab9f7968762f310fe159231026bd57b5c35da32
                                                              • Opcode Fuzzy Hash: 10c43a9f10896d375e1d8d2246e09ec3174e6bfdf5a45e92245d74e1c875c3ad
                                                              • Instruction Fuzzy Hash: 56018F32B205294BDF98E669DC147FE77AA9BC8350F15453AD906E7784EE24CC024791
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6dd39050e6a0ced554b7e170812f9c85a9fea5a5523bf0bc68618e16dbd172ce
                                                              • Instruction ID: d2d2f93de01bc6478ccfad6add1d06c8e315851486794f577159aab82606d4fb
                                                              • Opcode Fuzzy Hash: 6dd39050e6a0ced554b7e170812f9c85a9fea5a5523bf0bc68618e16dbd172ce
                                                              • Instruction Fuzzy Hash: 1621EEB5D002199FCB00CF9AD984A8EFBB8FB48320F10862AE918A7640D374A554CFA5
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 72ac0ed886f4e68e9b09d876cd3c77a94fcdf8dec551b65d8f80484765923cad
                                                              • Instruction ID: eb417c62b1310c559f1125d8e8fd6c6ddda27fb467ac866a2d2885caad92992e
                                                              • Opcode Fuzzy Hash: 72ac0ed886f4e68e9b09d876cd3c77a94fcdf8dec551b65d8f80484765923cad
                                                              • Instruction Fuzzy Hash: D401D171B101100BDB64DA7D984072BB7DECBC9B20F20883AF90EC7741ED65DC064391
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d0a74580528d93d61190873e778ec865ba00836191b8fa4cf505986b8d80a965
                                                              • Instruction ID: 43c3266183611d9b9905804e4278ee7f0c662bdac767e6fd97f1b61804a94575
                                                              • Opcode Fuzzy Hash: d0a74580528d93d61190873e778ec865ba00836191b8fa4cf505986b8d80a965
                                                              • Instruction Fuzzy Hash: 4A01D471B182145FCB55DA7DD85572F77E9DB49710F24852AF80ACB341EE21DC018785
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 027789baa9756e270dc16cb7ef98e8d6a2f478148e76a182d96c7e35eb61961d
                                                              • Instruction ID: 012fe40f5c0ee4d2e02e307e43231e76a1978039102e1366388977b9ef20686d
                                                              • Opcode Fuzzy Hash: 027789baa9756e270dc16cb7ef98e8d6a2f478148e76a182d96c7e35eb61961d
                                                              • Instruction Fuzzy Hash: B3018136B105154BCBA4D67D989476FB7EADBC9720F25882AF90FC7340EE22ED024785
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b9ca2f68f545f11500881ee3781d9106317f7caee3993e446be080a7c3e450cd
                                                              • Instruction ID: 34630c368e5c6b173667cdbb535ee2ef05fd994ccd27ef913e885fd806973de0
                                                              • Opcode Fuzzy Hash: b9ca2f68f545f11500881ee3781d9106317f7caee3993e446be080a7c3e450cd
                                                              • Instruction Fuzzy Hash: 9A01F431B101240FCB54EA7DE85072F73DAE78D714F208929F90AD7340EE21DC028784
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 8bf814b6d5bac465bbd651916fac7f50cd9be4d98395f89372b8f7739becb23b
                                                              • Instruction ID: ed4b66d7666c0b3c73a2aec5f213e8dcf63a7c32c8fd4b01202afddb8d409fb4
                                                              • Opcode Fuzzy Hash: 8bf814b6d5bac465bbd651916fac7f50cd9be4d98395f89372b8f7739becb23b
                                                              • Instruction Fuzzy Hash: B4F02736E2122497CB54A965EC0059AB33AE780314F104439ED00B7744DB316C1087C0
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b42641444e313e461d342a51760c86a90b94bb85122c74267c054401fb733851
                                                              • Instruction ID: e8ba85045212539cf95663b571ffaf31662dcf0461739929b222ebb1150270da
                                                              • Opcode Fuzzy Hash: b42641444e313e461d342a51760c86a90b94bb85122c74267c054401fb733851
                                                              • Instruction Fuzzy Hash: 74E026B1E2014CABDF90CFB0CE553AA36A8EB52308F7149A6C809CB651E136CA064740
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a09e4ac86f6dabbd3939ea16ebbd6618dc96c32b88f0b4e1e883662f68e0dce5
                                                              • Instruction ID: bc3553099a7930e8d2df7d65867555fa9c009ccf24e71e7aabf3c71073c9de27
                                                              • Opcode Fuzzy Hash: a09e4ac86f6dabbd3939ea16ebbd6618dc96c32b88f0b4e1e883662f68e0dce5
                                                              • Instruction Fuzzy Hash: 39E0C270E1010CABDF90CEB0C95575A77ADD702308F7184A4DC08CB601E572CA024380
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq
                                                              • API String ID: 0-173664734
                                                              • Opcode ID: 8e9aaa37c5f038612b570e6978c79fb605ec560f381b2b670857e951e0f09294
                                                              • Instruction ID: 12323e36e034c6ea41f543f1ba9c8af9e3b204cd4c12d19bec11369d65785d17
                                                              • Opcode Fuzzy Hash: 8e9aaa37c5f038612b570e6978c79fb605ec560f381b2b670857e951e0f09294
                                                              • Instruction Fuzzy Hash: 9C123F70E002198FDF64DFA9D884A9DB7B6FF88300F2185A9D905AB754DB309E85CF50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $tq$$tq$$tq$$tq$$tq$$tq$$tq$$tq
                                                              • API String ID: 0-3970889292
                                                              • Opcode ID: f3ba9c061043424a48c9550b45b14bf225bac61dab5c9e52a70145a579c04867
                                                              • Instruction ID: 45e26ecc1d76a4618972bce222772db6ba91304b52379133d69b9e1bfb6ecc33
                                                              • Opcode Fuzzy Hash: f3ba9c061043424a48c9550b45b14bf225bac61dab5c9e52a70145a579c04867
                                                              • Instruction Fuzzy Hash: E8918170A00209DFDFA4EF69D5547AEB7B7FF84310F218629E802AB694DB359C41CB94
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $tq$$tq$$tq$$tq$$tq$$tq
                                                              • API String ID: 0-2574395493
                                                              • Opcode ID: 4a25f6c71b7a2fdf30d400ec3f10cd4248876190c40d7bca6a96aa82b4b3f29a
                                                              • Instruction ID: 9f2003bdd3dc38c396236b58786028142ca2e8452a479a3aa43a181768908020
                                                              • Opcode Fuzzy Hash: 4a25f6c71b7a2fdf30d400ec3f10cd4248876190c40d7bca6a96aa82b4b3f29a
                                                              • Instruction Fuzzy Hash: 8CF15D30B01209DFDB98EFA9D454A6EB7B3BF84300F218568D8069B759DB31ED46CB90
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $tq$$tq$$tq$$tq
                                                              • API String ID: 0-173548568
                                                              • Opcode ID: 2149129debf03c074e84f6667889eaf9bd72e0eb60b429a623e10f6ef3671530
                                                              • Instruction ID: 16ddc569eeacf2289a5d704056599c8b6900ca20d64ff17eba46e96ddd050812
                                                              • Opcode Fuzzy Hash: 2149129debf03c074e84f6667889eaf9bd72e0eb60b429a623e10f6ef3671530
                                                              • Instruction Fuzzy Hash: D5B14C70B102198FDB94EFA9C5846AEB7B6FF84300F258969D806DB755DB35DC82CB80
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: LRtq$LRtq$$tq$$tq
                                                              • API String ID: 0-1602856738
                                                              • Opcode ID: 8cae31ccfb204941b6376a36c6f92b8c7cb9455ea2f1661aa29c4623daa8105a
                                                              • Instruction ID: 752323fe03c2fa454ad6e201080f14a0a0c975739c4d823c2b81f34303ce5448
                                                              • Opcode Fuzzy Hash: 8cae31ccfb204941b6376a36c6f92b8c7cb9455ea2f1661aa29c4623daa8105a
                                                              • Instruction Fuzzy Hash: F051E531B002159FCB54EB79D944A6AB7F6FF88300F218969E8029B7A5DB30EC45CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2942616229.0000000006950000.00000040.00000800.00020000.00000000.sdmp, Offset: 06950000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_6950000_z81zEuzkJPHHV3KYua.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $tq$$tq$$tq$$tq
                                                              • API String ID: 0-173548568
                                                              • Opcode ID: 521ba01fba2f0262c67521af67be037ed1efd243039246636e3e6897aeedde50
                                                              • Instruction ID: 2e160ef238799803efd48bccb0d75bec15e720958b34097dc04be4bbcf7a5063
                                                              • Opcode Fuzzy Hash: 521ba01fba2f0262c67521af67be037ed1efd243039246636e3e6897aeedde50
                                                              • Instruction Fuzzy Hash: D351B530E102099FCFA4EB68E4846BEB3B6EB88310F218A6ADC05D7755DB30DC45CB95