
Windows Analysis Report
Shipment Dec Orders valves 2024.scr.exe

Overview

General Information

Sample name: Shipment Dec Orders valves 2024.scr.exe
Analysis ID: 1571438
MD5: bcc43d82f28edc1c778ca6ccb281cd77
SHA1: 0fff277db3ecc821de1286c8a1b4b258ae7564d8
SHA256: e7fdc8fc613dea0792fac0242c3b51586e4d53cbd85647656b3691d70757df79
Tags: AgentTesla, exe, scr, user-cocaman

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large strings
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Shipment Dec Orders valves 2024.scr.exe (PID: 6704 cmdline: "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe" MD5: BCC43D82F28EDC1C778CA6CCB281CD77)
    • powershell.exe (PID: 5708 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5256 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4232 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7252 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 776 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp3F67.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 1012 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 3560 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • FriQTglEtYKsd.exe (PID: 7232 cmdline: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe MD5: BCC43D82F28EDC1C778CA6CCB281CD77)
    • schtasks.exe (PID: 7424 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp51C6.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7432 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7476 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Yara matches in memory dumps (Source | Rule | Description | Author | Strings):
  • 0000000A.00000002.2197422453.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0000000F.00000002.3370050987.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0000000A.00000002.2194034718.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0000000A.00000002.2194034718.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0000000F.00000002.3370050987.0000000002F27000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  [14 entries in total; 5 shown]

Yara matches in unpacked PE files (Source | Rule | Description | Author | Strings):
  • 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  • 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
    Strings:
    • 0x316cb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x3173d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x317c7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x31859:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x318c3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x31935:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x319cb:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x31a5b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • 10.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  • 10.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
  [18 entries in total; 6 shown]

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", ParentImage: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe, ParentProcessId: 6704, ParentProcessName: Shipment Dec Orders valves 2024.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", ProcessId: 5708, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", ParentImage: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe, ParentProcessId: 6704, ParentProcessName: Shipment Dec Orders valves 2024.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", ProcessId: 5708, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp51C6.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp51C6.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe, ParentImage: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe, ParentProcessId: 7232, ParentProcessName: FriQTglEtYKsd.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp51C6.tmp", ProcessId: 7424, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 46.175.148.58, DestinationIsIpv6: false, DestinationPort: 25, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 3560, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49711
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp3F67.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp3F67.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", ParentImage: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe, ParentProcessId: 6704, ParentProcessName: Shipment Dec Orders valves 2024.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp3F67.tmp", ProcessId: 776, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", ParentImage: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe, ParentProcessId: 6704, ParentProcessName: Shipment Dec Orders valves 2024.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", ProcessId: 5708, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp3F67.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp3F67.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe", ParentImage: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe, ParentProcessId: 6704, ParentProcessName: Shipment Dec Orders valves 2024.scr.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp3F67.tmp", ProcessId: 776, ProcessName: schtasks.exe

Suricata: No Suricata rule has matched

AV Detection

Source: http://mail.iaa-airferight.com | Avira URL Cloud: Label: malware
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "25", "Host": "mail.iaa-airferight.com", "Username": "admin@iaa-airferight.com", "Password": "manlikeyou88"}
Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | ReversingLabs: Detection: 28%
Source: Shipment Dec Orders valves 2024.scr.exe | ReversingLabs: Detection: 28%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Joe Sandbox ML: detected
Source: Shipment Dec Orders valves 2024.scr.exe | Joe Sandbox ML: detected
Source: Shipment Dec Orders valves 2024.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Shipment Dec Orders valves 2024.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: gFopk.pdb source: Shipment Dec Orders valves 2024.scr.exe, FriQTglEtYKsd.exe.0.dr
Source: Binary string: gFopk.pdbSHA256 source: Shipment Dec Orders valves 2024.scr.exe, FriQTglEtYKsd.exe.0.dr

Networking

Source: Yara match | File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41fb978.6.raw.unpack, type: UNPACKEDPE
Source: Joe Sandbox View | IP Address: 46.175.148.58
Source: global traffic | TCP traffic: 192.168.2.6:49711 -> 46.175.148.58:25
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: mail.iaa-airferight.com
Source: RegSvcs.exe, 0000000A.00000002.2197422453.0000000002F26000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3370050987.0000000002F46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.iaa-airferight.com
Source: Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2151251739.0000000003184000.00000004.00000800.00020000.00000000.sdmp, FriQTglEtYKsd.exe, 0000000B.00000002.2203272531.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2152309271.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2152309271.0000000004129000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.2194034718.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, SKTzxzsJw.cs | .Net Code: sf6jJs8S
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.raw.unpack, SKTzxzsJw.cs | .Net Code: sf6jJs8S

System Summary

Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41fb978.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: Shipment Dec Orders valves 2024.scr.exe, Form1.cs | Long String: Length: 166868
Source: FriQTglEtYKsd.exe.0.dr, Form1.cs | Long String: Length: 166868
Source: initial sample | Static PE information: Filename: Shipment Dec Orders valves 2024.scr.exe
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Code function: 0_2_075B4F80
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Code function: 0_2_075B2270
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Code function: 0_2_075B2AE0
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Code function: 0_2_075B26A8
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Code function: 0_2_075B48B8
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Code function: 0_2_01684218
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Code function: 0_2_01686F90
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Code function: 0_2_0168D424
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_02CD9378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_02CD4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_02CD9B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_02CD3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_02CDCDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 10_2_02CD41C8
Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Code function: 11_2_00E34218
Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Code function: 11_2_00E3D424
Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Code function: 11_2_02A40088
Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Code function: 11_2_02A40078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00EE4A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00EE9B38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00EECDB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00EE3E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_00EE41C8
Source: Shipment Dec Orders valves 2024.scr.exe | Binary or memory string: OriginalFilename vs Shipment Dec Orders valves 2024.scr.exe
Source: Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2164809768.000000000742D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs Shipment Dec Orders valves 2024.scr.exe
Source: Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2161415384.0000000005750000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Shipment Dec Orders valves 2024.scr.exe
Source: Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2152309271.00000000041FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Shipment Dec Orders valves 2024.scr.exe
Source: Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2152309271.00000000041FB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Shipment Dec Orders valves 2024.scr.exe
Source: Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2152309271.0000000004129000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs Shipment Dec Orders valves 2024.scr.exe
Source: Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2152309271.0000000004129000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Shipment Dec Orders valves 2024.scr.exe
Source: Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2165132439.0000000007530000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Shipment Dec Orders valves 2024.scr.exe
Source: Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2149655578.00000000013FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Shipment Dec Orders valves 2024.scr.exe
Source: Shipment Dec Orders valves 2024.scr.exe, 00000000.00000000.2109678456.0000000000CDE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamegFopk.exe> vs Shipment Dec Orders valves 2024.scr.exe
Source: Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2151251739.0000000003184000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename7e5bb978-3a35-43a5-95fe-dd44d69d6a5a.exe4 vs Shipment Dec Orders valves 2024.scr.exe
Source: Shipment Dec Orders valves 2024.scr.exe | Binary or memory string: OriginalFilenamegFopk.exe> vs Shipment Dec Orders valves 2024.scr.exe
Source: Shipment Dec Orders valves 2024.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41fb978.6.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, 4JJG6X.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, 8C78isHTVco.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, CqSP68Ir.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, T6TvDRNNtKfIWilUfi.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, T6TvDRNNtKfIWilUfi.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, T6TvDRNNtKfIWilUfi.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, T6TvDRNNtKfIWilUfi.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, wEeBZs2Jdv6EXV4XI8.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, wEeBZs2Jdv6EXV4XI8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, wEeBZs2Jdv6EXV4XI8.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, wEeBZs2Jdv6EXV4XI8.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, wEeBZs2Jdv6EXV4XI8.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, wEeBZs2Jdv6EXV4XI8.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/15@1/1
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | File created: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7432:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4544:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5256:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1112:120:WilError_03
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3F67.tmp
Source: Shipment Dec Orders valves 2024.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Shipment Dec Orders valves 2024.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: Shipment Dec Orders valves 2024.scr.exeReversingLabs: Detection: 28%
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeFile read: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe"
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp3F67.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp51C6.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp3F67.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp51C6.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: textshaping.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: Shipment Dec Orders valves 2024.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Shipment Dec Orders valves 2024.scr.exeStatic file information: File size 1192960 > 1048576
                    Source: Shipment Dec Orders valves 2024.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Shipment Dec Orders valves 2024.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: gFopk.pdb source: Shipment Dec Orders valves 2024.scr.exe, FriQTglEtYKsd.exe.0.dr
                    Source: Binary string: gFopk.pdbSHA256 source: Shipment Dec Orders valves 2024.scr.exe, FriQTglEtYKsd.exe.0.dr

Data Obfuscation

Source: Shipment Dec Orders valves 2024.scr.exe, Form1.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: FriQTglEtYKsd.exe.0.dr, Form1.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, wEeBZs2Jdv6EXV4XI8.cs | .Net Code: bdd5GiOdTAYNXywXgEY System.Reflection.Assembly.Load(byte[])
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, wEeBZs2Jdv6EXV4XI8.cs | .Net Code: bdd5GiOdTAYNXywXgEY System.Reflection.Assembly.Load(byte[])
Source: Shipment Dec Orders valves 2024.scr.exe | Static PE information: 0xC659F6FD [Sat Jun 15 00:38:21 2075 UTC]
Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Code function: 11_2_04F5B5F1 push eax; ret | 11_2_04F5B623
Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Code function: 11_2_04F5AF18 push eax; mov dword ptr [esp], ecx | 11_2_04F5AF1C
Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Code function: 11_2_04F5AF07 push eax; mov dword ptr [esp], ecx | 11_2_04F5AF1C
Source: Shipment Dec Orders valves 2024.scr.exe | Static PE information: section name: .text entropy: 6.876098701184314
Source: FriQTglEtYKsd.exe.0.dr | Static PE information: section name: .text entropy: 6.876098701184314
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, wA4GhuO2rkOdFL3JPL.cs | High entropy of concatenated method names: 'ToString', 'IhgGSao71S', 'LvSGN8Gu5N', 'O9JGeMREZg', 'HFyG2hIR6n', 'xgZGhL5hN4', 'rl5GFWfxJs', 'ejLGYX84l2', 'prbGWrch5D', 'FK9GiNQDp6'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, xhuDgH1gZNN4ctZjeX.cs | High entropy of concatenated method names: 'UrgIt3k17L', 'gkjINeVRXL', 'dniIeBaO2q', 'cLHI2MRmlC', 'ambIhgCmX6', 'R2UIFYBUx2', 'EWVIYOLAqQ', 'gADIWhAi4I', 'XhXIiwlBPB', 'xNqIc8l45e'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, M6bpDiPAW9KyjewuAa.cs | High entropy of concatenated method names: 'Dispose', 'AaXbXY4AP5', 'UPcmNciIUg', 'h2rRsHLs7h', 'QGSb0BoJXH', 'WIbbzZsvhT', 'ProcessDialogKey', 'rtGm51MklW', 'y9xmbMK9IQ', 'Exqmm9j7Pi'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, THpVipTnWW1DjeNCe2.cs | High entropy of concatenated method names: 'dSZb3hZj6j', 'CivblN0G9t', 'dYTbq7wokT', 'C9ObyuCc3w', 'Qt3ba74qnD', 'NUYbG9KDWF', 'QJgegbuF7xQMXZEaiv', 'KvMYFVUDLwIthgQm7D', 'ianbb7RsgB', 'NavbPYhVW1'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, wEeBZs2Jdv6EXV4XI8.cs | High entropy of concatenated method names: 'NOuPHpAyC5', 'wX8PTuwPkJ', 'G03P4loi71', 'a92Pujl5Xr', 'jn5PMHlWCC', 'XmQPQuCqBT', 'mgJP3elfQX', 'jwAPlmnkd6', 'lGuPEvZWFe', 'R6HPqESYP1'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, l94lNSMPG0gFMJYjqD.cs | High entropy of concatenated method names: 'fjW8qUkO9T', 'jxX8ywcKyf', 'ToString', 'Gqp8TB0kpB', 'ixq84q12pH', 'hTU8ujWG9c', 'NJu8MrSr5y', 'm088Q8Yva1', 'FRc83HQp45', 'W1f8lVMd6J'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, tDpHbM7gdjH5mGXH2o.cs | High entropy of concatenated method names: 'kn787uf8vP', 'MlR80eDsWl', 'VLox57Y2Vt', 'XOrxblRZjL', 'bIo8Syu287', 'dkN8pv9wfK', 'U058KRxRd2', 'lqf8Zjdcow', 'fAE89eprn3', 'HoP81eHBNn'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, c60wjqWWCtZJ8x35nlR.cs | High entropy of concatenated method names: 'Ju1A0o7sKi', 'RQrAzchQuV', 'TcQg5FWGIr', 'uw7gbqDmYx', 'TSrgmhgI0P', 'jNLgPBGDlr', 'JhtgrbwjGM', 'rwUgH9JARR', 'pLmgTPZ48f', 'hW0g4MiYgX'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, HN6LLaWTcvMDPQu1eMF.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a08RI2INET', 'GraRAJif6H', 'ckvRgqL5nS', 'JN0RRs30yk', 'q2kRCQk5YQ', 'ImkRoFhSMR', 'IsTRd69GK4'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, tm5sIsCmNQCGdyGP60.cs | High entropy of concatenated method names: 'ULoOIQkJJ', 'KRKLcqmeF', 'qG0BDhTRB', 'b0NnEcMoS', 'y78wBhb3c', 'C8jVjTAP6', 'oyjNkdAjOGiw8o4XBr', 'p9WPZO79nTV7pa3CRA', 'tSvxr1WNn', 'apQA33uZg'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, vB3e7yaQwBr1rmWU1k.cs | High entropy of concatenated method names: 'JoQuLxLcCt', 'WgPuBJHoNs', 'YQQuUBOlC0', 'KiFuwv9A7T', 'SxMuatWB5e', 'ccCuG7Rwri', 'r1iu8P71h4', 'wQPuxC4Ihm', 'wh4uIEY05J', 'A7kuA30qr3'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, fYK14gY6GIZc2evamQ.cs | High entropy of concatenated method names: 'V99acuJluA', 'hjyapUYXDc', 'EKbaZkfX49', 'GFLa9lQuCU', 'lCcaNSQ01E', 'bglaeFDreg', 'bgqa22BfmP', 'BODahBimSe', 'b3XaFH6JXa', 'yE7aYH5dTx'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, evhYDbS7W5A2oPOtqI.cs | High entropy of concatenated method names: 'stu366HgZP', 'X2V3vVp6C3', 'er03Ojp7AO', 'H5m3LR7heJ', 'ChL3jkVLQo', 'HyE3BxZjFn', 'aRn3noxp8h', 'ArM3UH6Q53', 'LXm3w88ZQs', 'MX83VSCWfN'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, DHEKVquE2x0YtuWemy.cs | High entropy of concatenated method names: 'Ee4AuTu91k', 'OBAAMs5kuZ', 'dLHAQhH6DF', 'h19A3yObR7', 'UDyAIFb5et', 'TNqAlgY1AK', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, WgAMOoin07111qOqXP.csHigh entropy of concatenated method names: 'avWDUbMY72', 'jToDwUBUxB', 'PatDtxPNcu', 'sNiDNITmBb', 'NRtD2UfolH', 'PPdDhHlyQM', 'xNeDYHMSk1', 'cyiDWJh15o', 'QxUDcXLZDb', 'yjPDSuuvZi'
                    Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, Pk3iqtGcHtU5By9ukK.csHigh entropy of concatenated method names: 'cj1IaBHlyk', 'NlWI8LOHqh', 'oSnIIxqFB6', 'FaFIgY6Erh', 'TbQIC15X1X', 'y5XIdmvBhj', 'Dispose', 'jZFxTGXRy6', 'VP4x4EPr5t', 'iYKxunhCLk'
                    Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, T6TvDRNNtKfIWilUfi.csHigh entropy of concatenated method names: 'j2e4ZOPHtR', 'p8f49Jk015', 'ICx41hh5Vi', 'f1S4fDUaAM', 'H5Y4s9Qwhh', 'LRu4JiUjq3', 'lHD4kHhm2a', 'DdZ47ST7U4', 'HCw4XUG7oh', 'Hh540HWpWG'
                    Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, KIFTLTzFiiyZ8TPE81.csHigh entropy of concatenated method names: 'bdTABXWK5V', 'QY8AUownGx', 'NZaAwi3Rg5', 'SUhAtyAXAr', 'e4TANZCgA4', 'PyZA29QdOa', 'OGAAhiiTRj', 'lOlAdUIYbF', 'I3nA6EdmLt', 'Y9ZAvZbiZf'
                    Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, sSm50dZXZkykYhXWt8.csHigh entropy of concatenated method names: 'sc5QHindY6', 'yItQ4dYcbP', 'HttQMZT3w4', 'zFvQ3hUdD0', 'WtDQldhDVr', 'R3gMsnoJ0t', 'tdcMJ2dRj9', 'Km3Mk5aI9S', 'm2iM7sNpS5', 'qtAMXFOd4M'
                    Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.7530000.8.raw.unpack, IIqeJRcTo9GbTy9kSw.csHigh entropy of concatenated method names: 'CbZMj4T84p', 'vuaMnCqHMb', 'dJEueRqdpi', 'Bftu2FOfkX', 'ihyuhNOpL8', 'EicuFM0RIy', 'riMuYXL2Dp', 'jWHuWZI8qA', 'rEpuijCuMo', 'mrVuc9UCWJ'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, wA4GhuO2rkOdFL3JPL.cs | High entropy of concatenated method names: 'ToString', 'IhgGSao71S', 'LvSGN8Gu5N', 'O9JGeMREZg', 'HFyG2hIR6n', 'xgZGhL5hN4', 'rl5GFWfxJs', 'ejLGYX84l2', 'prbGWrch5D', 'FK9GiNQDp6'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, xhuDgH1gZNN4ctZjeX.cs | High entropy of concatenated method names: 'UrgIt3k17L', 'gkjINeVRXL', 'dniIeBaO2q', 'cLHI2MRmlC', 'ambIhgCmX6', 'R2UIFYBUx2', 'EWVIYOLAqQ', 'gADIWhAi4I', 'XhXIiwlBPB', 'xNqIc8l45e'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, M6bpDiPAW9KyjewuAa.cs | High entropy of concatenated method names: 'Dispose', 'AaXbXY4AP5', 'UPcmNciIUg', 'h2rRsHLs7h', 'QGSb0BoJXH', 'WIbbzZsvhT', 'ProcessDialogKey', 'rtGm51MklW', 'y9xmbMK9IQ', 'Exqmm9j7Pi'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, THpVipTnWW1DjeNCe2.cs | High entropy of concatenated method names: 'dSZb3hZj6j', 'CivblN0G9t', 'dYTbq7wokT', 'C9ObyuCc3w', 'Qt3ba74qnD', 'NUYbG9KDWF', 'QJgegbuF7xQMXZEaiv', 'KvMYFVUDLwIthgQm7D', 'ianbb7RsgB', 'NavbPYhVW1'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, wEeBZs2Jdv6EXV4XI8.cs | High entropy of concatenated method names: 'NOuPHpAyC5', 'wX8PTuwPkJ', 'G03P4loi71', 'a92Pujl5Xr', 'jn5PMHlWCC', 'XmQPQuCqBT', 'mgJP3elfQX', 'jwAPlmnkd6', 'lGuPEvZWFe', 'R6HPqESYP1'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, l94lNSMPG0gFMJYjqD.cs | High entropy of concatenated method names: 'fjW8qUkO9T', 'jxX8ywcKyf', 'ToString', 'Gqp8TB0kpB', 'ixq84q12pH', 'hTU8ujWG9c', 'NJu8MrSr5y', 'm088Q8Yva1', 'FRc83HQp45', 'W1f8lVMd6J'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, tDpHbM7gdjH5mGXH2o.cs | High entropy of concatenated method names: 'kn787uf8vP', 'MlR80eDsWl', 'VLox57Y2Vt', 'XOrxblRZjL', 'bIo8Syu287', 'dkN8pv9wfK', 'U058KRxRd2', 'lqf8Zjdcow', 'fAE89eprn3', 'HoP81eHBNn'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, c60wjqWWCtZJ8x35nlR.cs | High entropy of concatenated method names: 'Ju1A0o7sKi', 'RQrAzchQuV', 'TcQg5FWGIr', 'uw7gbqDmYx', 'TSrgmhgI0P', 'jNLgPBGDlr', 'JhtgrbwjGM', 'rwUgH9JARR', 'pLmgTPZ48f', 'hW0g4MiYgX'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, HN6LLaWTcvMDPQu1eMF.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'a08RI2INET', 'GraRAJif6H', 'ckvRgqL5nS', 'JN0RRs30yk', 'q2kRCQk5YQ', 'ImkRoFhSMR', 'IsTRd69GK4'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, tm5sIsCmNQCGdyGP60.cs | High entropy of concatenated method names: 'ULoOIQkJJ', 'KRKLcqmeF', 'qG0BDhTRB', 'b0NnEcMoS', 'y78wBhb3c', 'C8jVjTAP6', 'oyjNkdAjOGiw8o4XBr', 'p9WPZO79nTV7pa3CRA', 'tSvxr1WNn', 'apQA33uZg'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, vB3e7yaQwBr1rmWU1k.cs | High entropy of concatenated method names: 'JoQuLxLcCt', 'WgPuBJHoNs', 'YQQuUBOlC0', 'KiFuwv9A7T', 'SxMuatWB5e', 'ccCuG7Rwri', 'r1iu8P71h4', 'wQPuxC4Ihm', 'wh4uIEY05J', 'A7kuA30qr3'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, fYK14gY6GIZc2evamQ.cs | High entropy of concatenated method names: 'V99acuJluA', 'hjyapUYXDc', 'EKbaZkfX49', 'GFLa9lQuCU', 'lCcaNSQ01E', 'bglaeFDreg', 'bgqa22BfmP', 'BODahBimSe', 'b3XaFH6JXa', 'yE7aYH5dTx'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, evhYDbS7W5A2oPOtqI.cs | High entropy of concatenated method names: 'stu366HgZP', 'X2V3vVp6C3', 'er03Ojp7AO', 'H5m3LR7heJ', 'ChL3jkVLQo', 'HyE3BxZjFn', 'aRn3noxp8h', 'ArM3UH6Q53', 'LXm3w88ZQs', 'MX83VSCWfN'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, DHEKVquE2x0YtuWemy.cs | High entropy of concatenated method names: 'Ee4AuTu91k', 'OBAAMs5kuZ', 'dLHAQhH6DF', 'h19A3yObR7', 'UDyAIFb5et', 'TNqAlgY1AK', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, WgAMOoin07111qOqXP.cs | High entropy of concatenated method names: 'avWDUbMY72', 'jToDwUBUxB', 'PatDtxPNcu', 'sNiDNITmBb', 'NRtD2UfolH', 'PPdDhHlyQM', 'xNeDYHMSk1', 'cyiDWJh15o', 'QxUDcXLZDb', 'yjPDSuuvZi'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, Pk3iqtGcHtU5By9ukK.cs | High entropy of concatenated method names: 'cj1IaBHlyk', 'NlWI8LOHqh', 'oSnIIxqFB6', 'FaFIgY6Erh', 'TbQIC15X1X', 'y5XIdmvBhj', 'Dispose', 'jZFxTGXRy6', 'VP4x4EPr5t', 'iYKxunhCLk'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, T6TvDRNNtKfIWilUfi.cs | High entropy of concatenated method names: 'j2e4ZOPHtR', 'p8f49Jk015', 'ICx41hh5Vi', 'f1S4fDUaAM', 'H5Y4s9Qwhh', 'LRu4JiUjq3', 'lHD4kHhm2a', 'DdZ47ST7U4', 'HCw4XUG7oh', 'Hh540HWpWG'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, KIFTLTzFiiyZ8TPE81.cs | High entropy of concatenated method names: 'bdTABXWK5V', 'QY8AUownGx', 'NZaAwi3Rg5', 'SUhAtyAXAr', 'e4TANZCgA4', 'PyZA29QdOa', 'OGAAhiiTRj', 'lOlAdUIYbF', 'I3nA6EdmLt', 'Y9ZAvZbiZf'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, sSm50dZXZkykYhXWt8.cs | High entropy of concatenated method names: 'sc5QHindY6', 'yItQ4dYcbP', 'HttQMZT3w4', 'zFvQ3hUdD0', 'WtDQldhDVr', 'R3gMsnoJ0t', 'tdcMJ2dRj9', 'Km3Mk5aI9S', 'm2iM7sNpS5', 'qtAMXFOd4M'
Source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, IIqeJRcTo9GbTy9kSw.cs | High entropy of concatenated method names: 'CbZMj4T84p', 'vuaMnCqHMb', 'dJEueRqdpi', 'Bftu2FOfkX', 'ihyuhNOpL8', 'EicuFM0RIy', 'riMuYXL2Dp', 'jWHuWZI8qA', 'rEpuijCuMo', 'mrVuc9UCWJ'
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | File created: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe

                    Boot Survival

Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp3F67.tmp"

                    Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (recorded 63 times)

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: Shipment Dec Orders valves 2024.scr.exe PID: 6704, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: FriQTglEtYKsd.exe PID: 7232, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration (recorded 2 times)
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory allocated: 1680000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory allocated: 3120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory allocated: 2E40000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory allocated: 9400000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory allocated: 7EA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory allocated: A400000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory allocated: B400000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Memory allocated: E30000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Memory allocated: 2A70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Memory allocated: 4A70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Memory allocated: 85A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Memory allocated: 95A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Memory allocated: 9790000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Memory allocated: A790000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (recorded 4 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4977
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5185
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3153
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 1787
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2719
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7130
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe TID: 2248 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3804 | Thread sleep count: 4977 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4044 | Thread sleep count: 83 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1128 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192 | Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5976 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe TID: 7316 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard (recorded 2 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (recorded 4 times)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time (28 consecutive calls, decreasing): 100000, 99827, 99717, 99596, 99469, 99312, 99137, 99028, 98915, 98809, 98703, 98594, 98469, 98359, 98230, 98114, 97957, 97831, 97703, 97594, 97469, 97359, 97247, 97140, 97031, 96922, 96812, 96701
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time (50 consecutive calls, decreasing): 100000, 99891, 99781, 99672, 99560, 99453, 99343, 99234, 99125, 99015, 98906, 98797, 98688, 98531, 98391, 98266, 98141, 97975, 97832, 97703, 97590, 97481, 97375, 97266, 97141, 97031, 96922, 96813, 96688, 96563, 96453, 96344, 96219, 96109, 96000, 95891, 95781, 95672, 95562, 95436, 95328, 95217, 95052, 94897, 94779, 94672, 94562, 94453, 94344, 94219
                    Source: RegSvcs.exe, 0000000A.00000002.2203962993.0000000006251000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllnnection* 8-QoS Packet Scheduler-0000
                    Source: FriQTglEtYKsd.exe, 0000000B.00000002.2197192954.0000000000F25000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                    Source: RegSvcs.exe, 0000000F.00000002.3375797437.0000000006060000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (recorded 2 times)
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory allocated: page read and write | page guard
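The evasion evidence in this section is of three kinds. The recurring value 922337203685477 is Int64.MaxValue ticks divided by 10,000, i.e. TimeSpan.MaxValue in milliseconds, which is what a .NET wait with no finite timeout resolves to; the thread totals -1844674407370954s and -3689348814741908s are exactly two and four such waits. The RegSvcs.exe delays that start at 100000 and fall by roughly 100 to 170 per call are a counted-down sleep loop rather than one long sleep, which is what defeats a sandbox that merely skips long sleeps. The WMI enumeration of Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration is the data a VM check reads, and the memory strings (Hyper-V RAW, VMware_SATA_CD00) show what it found. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it parses evidence lines in the layout used above (and the fused "...exeThread delayed..." form a raw export of this report produces) into per-image verdicts. The label names, the VM_FINGERPRINT_CLASSES set and the COUNTDOWN_MIN_RUN threshold are my choices, and SAMPLE is constructed by copying a few entries from the listing.

```python
"""Triage sleep and WMI evasion evidence from a sandbox behaviour listing (added example)."""
import re
from dataclasses import dataclass, field

# TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10_000 ticks per ms.
# A .NET wait with no finite timeout is recorded in the report as this number.
DOTNET_UNBOUNDED_DELAY = (2**63 - 1) // 10_000      # 922337203685477

# WMI classes whose enumeration is typical of virtual-machine fingerprinting (my list).
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Processor", "Win32_ComputerSystem", "Win32_BIOS",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration", "Win32_DiskDrive",
}
COUNTDOWN_MIN_RUN = 3   # consecutive strictly decreasing delays that count as a loop (assumed)

# Accepts "Source: <image> | <event>" as well as the fused "<image>.exe<event>" export form.
SOURCE_RE = re.compile(r"^Source:\s*(?P<src>.+?\.exe)(?:\s+TID:\s*\d+)?\s*\|?\s*(?P<event>.+?)\s*$")
DELAY_RE = re.compile(r"Thread delayed: delay time: (\d+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time: -(\d+)s")
LOOP_RE = re.compile(r"Thread sleep count: \d+ > 30|threadDelayed \d+")
WMI_RE = re.compile(r"IWbemServices::\w+ - root\\cimv2 : (?:SELECT \* FROM )?(Win32_\w+)")


@dataclass
class EvasionSummary:
    delays: list = field(default_factory=list)   # finite delay values, in report order
    unbounded_waits: int = 0                     # waits equal to DOTNET_UNBOUNDED_DELAY
    sleep_loops: int = 0                         # "sleep count > 30" style evidence lines
    wmi_classes: set = field(default_factory=set)


def longest_decreasing_run(values):
    """Length of the longest run of strictly decreasing consecutive values."""
    best = run = 1 if values else 0
    for prev, cur in zip(values, values[1:]):
        run = run + 1 if cur < prev else 1
        best = max(best, run)
    return best


def summarize(report_text):
    """Group the evasion evidence per source image, keyed by file name."""
    by_source = {}
    for raw in report_text.splitlines():
        m = SOURCE_RE.match(raw.strip())
        if not m:
            continue
        ev = m.group("event")
        d, t, loop, w = (DELAY_RE.search(ev), SLEEP_TIME_RE.search(ev),
                         LOOP_RE.search(ev), WMI_RE.search(ev))
        if not (d or t or loop or w):
            continue
        s = by_source.setdefault(m.group("src").rsplit("\\", 1)[-1], EvasionSummary())
        if d:
            v = int(d.group(1))
            if v >= DOTNET_UNBOUNDED_DELAY:
                s.unbounded_waits += 1
            else:
                s.delays.append(v)
        elif t:
            # The sandbox sums a thread's sleeps: an exact multiple of the unbounded
            # value means that many infinite waits were issued by that thread.
            total = int(t.group(1))
            if total % DOTNET_UNBOUNDED_DELAY == 0:
                s.unbounded_waits += total // DOTNET_UNBOUNDED_DELAY
        elif loop:
            s.sleep_loops += 1
        else:
            s.wmi_classes.add(w.group(1))
    return by_source


def verdicts(s):
    """Evasion labels (my naming) a triage note would carry for one source image."""
    out = []
    if s.unbounded_waits:
        out.append("unbounded-wait")
    if s.sleep_loops:
        out.append("sleep-loop")
    if longest_decreasing_run(s.delays) >= COUNTDOWN_MIN_RUN:
        out.append("countdown-sleep-loop")
    if s.wmi_classes & VM_FINGERPRINT_CLASSES:
        out.append("vm-fingerprint-wmi")
    return out


# Constructed sample: a few evidence lines copied from the listing above.
SAMPLE = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4977
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 100000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 99596
"""

if __name__ == "__main__":
    for image, summary in summarize(SAMPLE).items():
        print(f"{image}: {', '.join(verdicts(summary)) or 'no evasion evidence'}")
```

Run against the full listing, RegSvcs.exe gets all four labels and the dropper, its Roaming copy and powershell.exe get unbounded-wait. The countdown check is the one worth keeping: a sandbox that shortens any single sleep above a threshold still lets a loop of 28 or 50 sub-threshold sleeps burn the whole analysis window.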

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe"
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe"
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe"
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe"
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43C000
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DDD008
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe"
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe"
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp3F67.tmp"
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp51C6.tmp"
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe | Queries volume information: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeQueries volume information: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41fb978.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0000000A.00000002.2197422453.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000F.00000002.3370050987.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.2194034718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000F.00000002.3370050987.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2152309271.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2152309271.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.2197422453.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: Shipment Dec Orders valves 2024.scr.exe PID: 6704, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7476, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41fb978.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0000000A.00000002.2194034718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2152309271.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2152309271.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.2197422453.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: Shipment Dec Orders valves 2024.scr.exe PID: 6704, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7476, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41b5b58.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.417b138.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.429c8e0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0.2.Shipment Dec Orders valves 2024.scr.exe.41fb978.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match; File source: 0000000A.00000002.2197422453.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000F.00000002.3370050987.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.2194034718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000F.00000002.3370050987.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2152309271.0000000004129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 00000000.00000002.2152309271.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: 0000000A.00000002.2197422453.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match; File source: Process Memory Space: Shipment Dec Orders valves 2024.scr.exe PID: 6704, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 3560, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7476, type: MEMORYSTR
ATT&CK matrix, one line per tactic column (cells listed top to bottom as in the matrix; digit prefixes are the counts shown in the original matrix):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: 121 Windows Management Instrumentation, 1 Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading, 1 Scheduled Task/Job, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: 1 DLL Side-Loading, 311 Process Injection, 1 Scheduled Task/Job, Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Defense Evasion: 11 Disable or Modify Tools, 1 Deobfuscate/Decode Files or Information, 2 Obfuscated Files or Information, 11 Software Packing, 1 Timestomp, 1 DLL Side-Loading, 1 Masquerading, 141 Virtualization/Sandbox Evasion, 311 Process Injection
Credential Access: 2 OS Credential Dumping, 1 Input Capture, 1 Credentials in Registry, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: 1 File and Directory Discovery, 24 System Information Discovery, 211 Security Software Discovery, 1 Process Discovery, 141 Virtualization/Sandbox Evasion, 1 Application Window Discovery, Remote System Discovery, System Owner/User Discovery, Network Sniffing
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: 11 Archive Collected Data, 2 Data from Local System, 1 Email Collection, 1 Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: 1 Encrypted Channel, 1 Non-Application Layer Protocol, 11 Application Layer Protocol, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1571438; Sample: Shipment Dec Orders valves ...; Start date: 09/12/2024; Architecture: WINDOWS; Score: 100

• Start
  • DNS/IP: mail.iaa-airferight.com
  • Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 14 other signatures
  • Started: Shipment Dec Orders valves 2024.scr.exe (7)
    • Dropped: C:\Users\user\AppData\...\FriQTglEtYKsd.exe (PE32); C:\...\FriQTglEtYKsd.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp3F67.tmp (XML); Shipment Dec Order...es 2024.scr.exe.log (ASCII)
    • Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    • Started: RegSvcs.exe (2)
      • DNS/IP: mail.iaa-airferight.com, 46.175.148.58, port 25, ASLAGIDKOM-NETUA, Ukraine
    • Started: powershell.exe (23)
      • Signatures: Loading BitLocker PowerShell Module
      • Started: conhost.exe; WmiPrvSE.exe
    • Started: powershell.exe (23)
      • Started: conhost.exe
    • Started: 2 other processes
      • Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
      • Started: conhost.exe
  • Started: FriQTglEtYKsd.exe (5)
    • Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    • Started: RegSvcs.exe
      • Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    • Started: schtasks.exe
      • Started: conhost.exe

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample (Source | Detection | Scanner | Label):
Shipment Dec Orders valves 2024.scr.exe | 29% | ReversingLabs |
Shipment Dec Orders valves 2024.scr.exe | 100% | Joe Sandbox ML |

Dropped Files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe | 29% | ReversingLabs |

Unpacked PE Files: No Antivirus matches

Domains: No Antivirus matches

URLs (Source | Detection | Scanner | Label):
http://mail.iaa-airferight.com | 100% | Avira URL Cloud | malware

Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
mail.iaa-airferight.com | 46.175.148.58 | true | false | | high

URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
https://account.dyn.com/ | Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2152309271.00000000041FB000.00000004.00000800.00020000.00000000.sdmp; Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2152309271.0000000004129000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 0000000A.00000002.2194034718.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Shipment Dec Orders valves 2024.scr.exe, 00000000.00000002.2151251739.0000000003184000.00000004.00000800.00020000.00000000.sdmp; FriQTglEtYKsd.exe, 0000000B.00000002.2203272531.0000000002AD4000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.iaa-airferight.com | RegSvcs.exe, 0000000A.00000002.2197422453.0000000002F26000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 0000000F.00000002.3370050987.0000000002F46000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
46.175.148.58 | mail.iaa-airferight.com | Ukraine | 56394 | ASLAGIDKOM-NETUA | false
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1571438
                          Start date and time:2024-12-09 11:36:05 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 25s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:Shipment Dec Orders valves 2024.scr.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@21/15@1/1
                          EGA Information:
                          • Successful, ratio: 50%
                          HCA Information:
                          • Successful, ratio: 96%
                          • Number of executed functions: 172
                          • Number of non-executed functions: 6
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target RegSvcs.exe, PID 3560 because it is empty
                          • Execution Graph export aborted for target RegSvcs.exe, PID 7476 because it is empty
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • VT rate limit hit for: Shipment Dec Orders valves 2024.scr.exe
Time | Type | Description
05:36:55 | API Interceptor | 2x Sleep call for process: Shipment Dec Orders valves 2024.scr.exe modified
05:36:57 | API Interceptor | 30x Sleep call for process: powershell.exe modified
05:36:58 | API Interceptor | 208x Sleep call for process: RegSvcs.exe modified
05:37:00 | API Interceptor | 2x Sleep call for process: FriQTglEtYKsd.exe modified
11:36:59 | Task Scheduler | Run new task: FriQTglEtYKsd path: C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe
Context for IP 46.175.148.58 (Associated Sample Name | Detection | Threat Name):
proforma invoice.exe | malicious | AgentTesla
Overdue_payment.pdf.exe | malicious | AgentTesla
PO for fabric forecast.exe | malicious | AgentTesla, PureLog Stealer
980001672 PPR for 30887217.scr.exe | malicious | AgentTesla
lC7L7oBBMC.exe | malicious | AgentTesla
OHScaqAPjt.exe | malicious | AgentTesla, PureLog Stealer, zgRAT
RFQ ENQ186 OI REQUIRE RATE.exe | malicious | AgentTesla
v58HgfB8Af.exe | malicious | AgentTesla
l6F8Xgr0Ov.exe | malicious | AgentTesla
SPlVyHiGOz.exe | malicious | AgentTesla, DarkTortilla

Context for domain mail.iaa-airferight.com (Associated Sample Name | Detection | Threat Name | Context):
proforma invoice.exe | malicious | AgentTesla | 46.175.148.58
Overdue_payment.pdf.exe | malicious | AgentTesla | 46.175.148.58
PO for fabric forecast.exe | malicious | AgentTesla, PureLog Stealer | 46.175.148.58
980001672 PPR for 30887217.scr.exe | malicious | AgentTesla | 46.175.148.58
lC7L7oBBMC.exe | malicious | AgentTesla | 46.175.148.58
OHScaqAPjt.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 46.175.148.58
RFQ ENQ186 OI REQUIRE RATE.exe | malicious | AgentTesla | 46.175.148.58
v58HgfB8Af.exe | malicious | AgentTesla | 46.175.148.58
l6F8Xgr0Ov.exe | malicious | AgentTesla | 46.175.148.58
SPlVyHiGOz.exe | malicious | AgentTesla, DarkTortilla | 46.175.148.58

Context for ASN ASLAGIDKOM-NETUA (Associated Sample Name | Detection | Threat Name | Context):
proforma invoice.exe | malicious | AgentTesla | 46.175.148.58
Overdue_payment.pdf.exe | malicious | AgentTesla | 46.175.148.58
PO for fabric forecast.exe | malicious | AgentTesla, PureLog Stealer | 46.175.148.58
980001672 PPR for 30887217.scr.exe | malicious | AgentTesla | 46.175.148.58
lC7L7oBBMC.exe | malicious | AgentTesla | 46.175.148.58
OHScaqAPjt.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 46.175.148.58
RFQ ENQ186 OI REQUIRE RATE.exe | malicious | AgentTesla | 46.175.148.58
v58HgfB8Af.exe | malicious | AgentTesla | 46.175.148.58
l6F8Xgr0Ov.exe | malicious | AgentTesla | 46.175.148.58
SPlVyHiGOz.exe | malicious | AgentTesla, DarkTortilla | 46.175.148.58
                                              No context
                                              No context
                                              Process:C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:false
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):1216
                                              Entropy (8bit):5.34331486778365
                                              Encrypted:false
                                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                              Malicious:true
                                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:data
                                              Category:dropped
                                              Size (bytes):2232
                                              Entropy (8bit):5.380134126512796
                                              Encrypted:false
                                              SSDEEP:48:+WSU4xc4RTmaoUeW+gZ9tK8NPZHUxL7u1iMuge//ZLiUyus:+LHxcIalLgZ2KRHWLOug4Xs
                                              MD5:F0D50EE2B384AF2F082FB39E4968CCC9
                                              SHA1:1038175C07BCD040E199971167D62C4AAB540A77
                                              SHA-256:0D52B87AAC6C669468B065ED71A5C69E9AC7F8D5B0F3150DA18F5F239C945801
                                              SHA-512:52512FEE50EDAEAA23F3E86415AC8E5751544E1FF4A81A23B22CFACC27550820732FDC9F5A66BCD76E39F58D864261038770144FA9E8E7B21FF9913B0BA430A1
                                              Malicious:false
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              File Type:ASCII text, with no line terminators
                                              Category:dropped
                                              Size (bytes):60
                                              Entropy (8bit):4.038920595031593
                                              Encrypted:false
                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                              Malicious:false
                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                              Process:C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1600
                                              Entropy (8bit):5.1000973196134565
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL3zJxv:cge7QYrFdOFzOzN33ODOiDdKrsuTH/v
                                              MD5:CE35012EAE74B4CA7238A172381632DC
                                              SHA1:D6E13586DC311FD5C69F0CCB9E00708FECB198F6
                                              SHA-256:27D448E36CCC674FC6A5CCB1B7EA7FEEF949B8798776AD9AADD98736D6C5A0A2
                                              SHA-512:4309AC56159CA7F5FD762E36A051814DC4E9A7FABC33C60B15CC4D209BE6D942E126159E1AAE1DFD46A854D3323F9676CA7D304BAA6731CE78EF63A14B4C352C
                                              Malicious:true
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                              Process:C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe
                                              File Type:XML 1.0 document, ASCII text
                                              Category:dropped
                                              Size (bytes):1600
                                              Entropy (8bit):5.1000973196134565
                                              Encrypted:false
                                              SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtL3zJxv:cge7QYrFdOFzOzN33ODOiDdKrsuTH/v
                                              MD5:CE35012EAE74B4CA7238A172381632DC
                                              SHA1:D6E13586DC311FD5C69F0CCB9E00708FECB198F6
                                              SHA-256:27D448E36CCC674FC6A5CCB1B7EA7FEEF949B8798776AD9AADD98736D6C5A0A2
                                              SHA-512:4309AC56159CA7F5FD762E36A051814DC4E9A7FABC33C60B15CC4D209BE6D942E126159E1AAE1DFD46A854D3323F9676CA7D304BAA6731CE78EF63A14B4C352C
                                              Malicious:false
                                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                              Process:C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe
                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Category:dropped
                                              Size (bytes):1192960
                                              Entropy (8bit):6.730784977446453
                                              Encrypted:false
                                              SSDEEP:12288:T1RocijsWiV9Gd6l2089Me53e9DIR5Nxfjz2M+6dlgrdm4Vz0Rppppppppppppp9:hRocijsjVHlR82dsPrz2r6d
                                              MD5:BCC43D82F28EDC1C778CA6CCB281CD77
                                              SHA1:0FFF277DB3ECC821DE1286C8A1B4B258AE7564D8
                                              SHA-256:E7FDC8FC613DEA0792FAC0242C3B51586E4D53CBD85647656B3691D70757DF79
                                              SHA-512:A18799F7E97C1752EE069E0C664F11F9BAC78379F50C24D8DC4DB73A04C281E8A5D2E7275954AE46D731C7AF6627CC74E60C5F6B8B67BFDA10177178A10BF7C9
                                              Malicious:true
                                              Antivirus:
                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                              • Antivirus: ReversingLabs, Detection: 29%
                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Y...............0.............f.... ........@.. ....................................@.....................................O.......H..............................p............................................ ............... ..H............text...l.... ...................... ..`.rsrc...H...........................@..@.reloc...............2..............@..B................F.......H............R......J....... ............................................0............}......}.....(.......(......{...........%.r...p(....s.....%.r...p(....s.....%.r%..p(....s.......o.......(...+....-....o....&*..0...........s2.....o.....*..0...........sA.....o.....*..0...........s/.....o.....*..0...........s8.....o.....*..0...........s;.....o.....*..0...........s>.....o.....*..0...........s5.....o.....*..0...........sD.....o.....*..0...........sG.....o.....*..0...........s .
                                              Process:C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe
                                              File Type:ASCII text, with CRLF line terminators
                                              Category:dropped
                                              Size (bytes):26
                                              Entropy (8bit):3.95006375643621
                                              Encrypted:false
                                              SSDEEP:3:ggPYV:rPYV
                                              MD5:187F488E27DB4AF347237FE461A079AD
                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                              Malicious:true
                                              Preview:[ZoneTransfer]....ZoneId=0
                                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                              Entropy (8bit):6.730784977446453
                                              TrID:
                                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                              • Win32 Executable (generic) a (10002005/4) 49.78%
                                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                              • Generic Win/DOS Executable (2004/3) 0.01%
                                              • DOS Executable Generic (2002/1) 0.01%
                                              File name:Shipment Dec Orders valves 2024.scr.exe
                                              File size:1'192'960 bytes
                                              MD5:bcc43d82f28edc1c778ca6ccb281cd77
                                              SHA1:0fff277db3ecc821de1286c8a1b4b258ae7564d8
                                              SHA256:e7fdc8fc613dea0792fac0242c3b51586e4d53cbd85647656b3691d70757df79
                                              SHA512:a18799f7e97c1752ee069e0c664f11f9bac78379f50c24d8dc4db73a04c281e8a5d2e7275954ae46d731c7af6627cc74e60c5f6b8b67bfda10177178a10bf7c9
                                              SSDEEP:12288:T1RocijsWiV9Gd6l2089Me53e9DIR5Nxfjz2M+6dlgrdm4Vz0Rppppppppppppp9:hRocijsjVHlR82dsPrz2r6d
                                              TLSH:0E45B63D497912E7C1A5C779CBF58827B600AC6F7160AC6C94D67B663377A4B308322E
                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Y...............0.............f.... ........@.. ....................................@................................
                                              Icon Hash:c5949296969e8473
                                              Entrypoint:0x4ecc66
                                              Entrypoint Section:.text
                                              Digitally signed:false
                                              Imagebase:0x400000
                                              Subsystem:windows gui
                                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                              Time Stamp:0xC659F6FD [Sat Jun 15 00:38:21 2075 UTC]
                                              TLS Callbacks:
                                              CLR (.Net) Version:
                                              OS Version Major:4
                                              OS Version Minor:0
                                              File Version Major:4
                                              File Version Minor:0
                                              Subsystem Version Major:4
                                              Subsystem Version Minor:0
                                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                              Instruction
                                              jmp dword ptr [00402000h]
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                              add byte ptr [eax], al
                                               Name | Virtual Address | Virtual Size | Is in Section
                                               IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IMPORT | 0xecc12 | 0x4f | .text
                                               IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xee000 | 0x38148 | .rsrc
                                               IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x128000 | 0xc | .reloc
                                               IMAGE_DIRECTORY_ENTRY_DEBUG | 0xeb3c4 | 0x70 | .text
                                               IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                               IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                               IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                               IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                               Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                               .text | 0x2000 | 0xeac6c | 0xeae00 | 815bf0f4a06a4da36441a51da325d04a | False | 0.6818381203432677 | data | 6.876098701184314 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                               .rsrc | 0xee000 | 0x38148 | 0x38200 | 55d05835d7b456de82a2b0bc0d03f967 | False | 0.3080848065144766 | data | 5.206359947095698 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                               .reloc | 0x128000 | 0xc | 0x200 | ccdc75db6e28ade6abda8000863e4ba6 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                               Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                               RT_ICON | 0xee460 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 |  |  | 0.38353658536585367
                                               RT_ICON | 0xeeac8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 |  |  | 0.48655913978494625
                                               RT_ICON | 0xeedb0 | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 288 |  |  | 0.5286885245901639
                                               RT_ICON | 0xeef98 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 |  |  | 0.5878378378378378
                                               RT_ICON | 0xef0c0 | 0x6739 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced |  |  | 0.9933017975402081
                                               RT_ICON | 0xf57fc | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors |  |  | 0.5578358208955224
                                               RT_ICON | 0xf66a4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors |  |  | 0.6367328519855595
                                               RT_ICON | 0xf6f4c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors |  |  | 0.6497695852534562
                                               RT_ICON | 0xf7614 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors |  |  | 0.47760115606936415
                                               RT_ICON | 0xf7b7c | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 |  |  | 0.125
                                               RT_ICON | 0x1083a4 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 |  |  | 0.21113622030691612
                                               RT_ICON | 0x11184c | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 |  |  | 0.21157894736842106
                                               RT_ICON | 0x118034 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 |  |  | 0.24269870609981517
                                               RT_ICON | 0x11d4bc | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 |  |  | 0.22325224374114314
                                               RT_ICON | 0x1216e4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 |  |  | 0.3196058091286307
                                               RT_ICON | 0x123c8c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 |  |  | 0.3642120075046904
                                               RT_ICON | 0x124d34 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 |  |  | 0.5086065573770492
                                               RT_ICON | 0x1256bc | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 |  |  | 0.5735815602836879
                                               RT_GROUP_ICON | 0x125b24 | 0x102 | data |  |  | 0.5697674418604651
                                               RT_VERSION | 0x125c28 | 0x334 | data |  |  | 0.4353658536585366
                                               RT_MANIFEST | 0x125f5c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347
                                               DLL | Import
                                               mscoree.dll | _CorExeMain
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Dec 9, 2024 11:37:00.344050884 CET | 49711 | 25 | 192.168.2.6 | 46.175.148.58
                                               Dec 9, 2024 11:37:01.444370031 CET | 49711 | 25 | 192.168.2.6 | 46.175.148.58
                                               Dec 9, 2024 11:37:04.715842962 CET | 49715 | 25 | 192.168.2.6 | 46.175.148.58
                                               Dec 9, 2024 11:37:05.719764948 CET | 49715 | 25 | 192.168.2.6 | 46.175.148.58
                                               Dec 9, 2024 11:37:07.725239038 CET | 49715 | 25 | 192.168.2.6 | 46.175.148.58
                                               Dec 9, 2024 11:37:11.725261927 CET | 49715 | 25 | 192.168.2.6 | 46.175.148.58
                                               Dec 9, 2024 11:37:19.725398064 CET | 49715 | 25 | 192.168.2.6 | 46.175.148.58
                                               Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                               Dec 9, 2024 11:36:59.983457088 CET | 64805 | 53 | 192.168.2.6 | 1.1.1.1
                                               Dec 9, 2024 11:37:00.331617117 CET | 53 | 64805 | 1.1.1.1 | 192.168.2.6
                                               Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                               Dec 9, 2024 11:36:59.983457088 CET | 192.168.2.6 | 1.1.1.1 | 0x1945 | Standard query (0) | mail.iaa-airferight.com | A (IP address) | IN (0x0001) | false
                                               Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                               Dec 9, 2024 11:37:00.331617117 CET | 1.1.1.1 | 192.168.2.6 | 0x1945 | No error (0) | mail.iaa-airferight.com |  | 46.175.148.58 | A (IP address) | IN (0x0001) | false

                                              Target ID:0
                                              Start time:05:36:53
                                              Start date:09/12/2024
                                              Path:C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe"
                                              Imagebase:0xbf0000
                                              File size:1'192'960 bytes
                                              MD5 hash:BCC43D82F28EDC1C778CA6CCB281CD77
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2152309271.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2152309271.0000000004129000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2152309271.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2152309271.00000000041FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:low
                                              Has exited:true

                                              Target ID:3
                                              Start time:05:36:56
                                              Start date:09/12/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Shipment Dec Orders valves 2024.scr.exe"
                                              Imagebase:0x250000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:4
                                              Start time:05:36:56
                                              Start date:09/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:5
                                              Start time:05:36:57
                                              Start date:09/12/2024
                                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe"
                                              Imagebase:0x250000
                                              File size:433'152 bytes
                                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:6
                                              Start time:05:36:57
                                              Start date:09/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:7
                                              Start time:05:36:57
                                              Start date:09/12/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp3F67.tmp"
                                              Imagebase:0x520000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:8
                                              Start time:05:36:57
                                              Start date:09/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:9
                                              Start time:05:36:57
                                              Start date:09/12/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):false
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                              Imagebase:0x1e0000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:10
                                              Start time:05:36:57
                                              Start date:09/12/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                              Imagebase:0xb50000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:true
                                              Has administrator privileges:true
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2197422453.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2194034718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2194034718.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2197422453.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2197422453.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Reputation:high
                                              Has exited:true

                                              Target ID:11
                                              Start time:05:36:59
                                              Start date:09/12/2024
                                              Path:C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe
                                              Wow64 process (32bit):true
                                              Commandline:C:\Users\user\AppData\Roaming\FriQTglEtYKsd.exe
                                              Imagebase:0x590000
                                              File size:1'192'960 bytes
                                              MD5 hash:BCC43D82F28EDC1C778CA6CCB281CD77
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Antivirus matches:
                                              • Detection: 100%, Joe Sandbox ML
                                              • Detection: 29%, ReversingLabs
                                              Reputation:low
                                              Has exited:true

                                              Target ID:12
                                              Start time:05:36:59
                                              Start date:09/12/2024
                                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                              Imagebase:0x7ff717f30000
                                              File size:496'640 bytes
                                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                              Has elevated privileges:true
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:13
                                              Start time:05:37:01
                                              Start date:09/12/2024
                                              Path:C:\Windows\SysWOW64\schtasks.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FriQTglEtYKsd" /XML "C:\Users\user\AppData\Local\Temp\tmp51C6.tmp"
                                              Imagebase:0x520000
                                              File size:187'904 bytes
                                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Reputation:high
                                              Has exited:true

                                              Target ID:14
                                              Start time:05:37:01
                                              Start date:09/12/2024
                                              Path:C:\Windows\System32\conhost.exe
                                              Wow64 process (32bit):false
                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                              Imagebase:0x7ff66e660000
                                              File size:862'208 bytes
                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Has exited:true

                                              Target ID:15
                                              Start time:05:37:02
                                              Start date:09/12/2024
                                              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                              Wow64 process (32bit):true
                                              Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                              Imagebase:0x8c0000
                                              File size:45'984 bytes
                                              MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                              Has elevated privileges:false
                                              Has administrator privileges:false
                                              Programmed in:C, C++ or other language
                                              Yara matches:
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3370050987.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3370050987.0000000002F27000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                              Has exited:false


                                                Execution Graph

                                                Execution Coverage:12.4%
                                                Dynamic/Decrypted Code Coverage:100%
                                                Signature Coverage:3.2%
                                                Total number of Nodes:93
                                                Total number of Limit Nodes:6
                                                execution_graph (node/edge dump of the rendered graph omitted). API nodes recoverable from the dump, with the calling function addresses:
                                                • 16844e0 / 1685918: CreateActCtxA
                                                • 168ae59, 168b0a0, 168b840, 1685cfc: GetModuleHandleW
                                                • 168d53e: GetCurrentProcess; 168d590: GetCurrentThread; 168d5cd: GetCurrentProcess; 168d62b: GetCurrentThreadId
                                                • 168d740: DuplicateHandle
                                                • 75b565e: CreateProcessA
                                                • 75b4770: ResumeThread
                                                • 75b4d30: VirtualAllocEx
                                                • 75b4df8: WriteProcessMemory
                                                • 75b4825: Wow64SetThreadContext
                                                • 75b4eeb: ReadProcessMemory
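The execution graph lists the APIs of a remote-process injection (CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, ReadProcessMemory) as separate functions in the 75b0000 region, but a graph does not say in which order they ran. An API trace does, and the order is what separates process hollowing from a debugger or installer that also creates a suspended process. The following is an added example, not part of the Joe Sandbox report: an in-order matcher for that chain over a per-process API trace. The traces are constructed (caller address, API name) pairs; the caller addresses are taken from the graph above, the call order is the usual hollowing order and is an assumption, not something the report logs.

```python
# Added example, not part of the Joe Sandbox report: order-aware matching of the
# injection chain CreateProcess -> VirtualAllocEx -> WriteProcessMemory ->
# Wow64SetThreadContext -> ResumeThread over a constructed API trace.
from __future__ import annotations
from typing import Optional

INJECTION_CHAIN = (
    ("create_suspended", {"CreateProcessA", "CreateProcessW"}),
    ("alloc_remote",     {"VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write_remote",     {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("hijack_context",   {"Wow64SetThreadContext", "SetThreadContext", "NtSetContextThread"}),
    ("resume",           {"ResumeThread", "NtResumeThread"}),
)


def match_chain(trace, chain=INJECTION_CHAIN) -> Optional[dict[str, int]]:
    """Greedy in-order subsequence match. Unrelated calls may sit between
    steps, but each step must occur after the previous one. Returns
    step -> trace index on a full match, None otherwise (a debugger that
    creates a suspended process and resumes it without writing memory, or
    a trace where ResumeThread precedes the writes, does not match)."""
    hits, step = {}, 0
    for i, (_, api) in enumerate(trace):
        if step < len(chain) and api in chain[step][1]:
            hits[chain[step][0]] = i
            step += 1
    return hits if step == len(chain) else None


def injection_report(trace, chain=INJECTION_CHAIN) -> list[str]:
    """'api@caller' for each matched step in execution order; [] if no match."""
    hits = match_chain(trace, chain)
    if hits is None:
        return []
    return [f"{trace[i][1]}@{trace[i][0]:x}" for i in sorted(hits.values())]


def remote_write_count(trace) -> int:
    """A PE image is normally written in several chunks (headers, then sections)."""
    return sum(1 for _, api in trace if api in INJECTION_CHAIN[2][1])


# Constructed trace: caller addresses are the functions in the execution graph
# above; the call order is the usual hollowing order (assumed, not logged).
HOLLOWING_TRACE = [
    (0x168d53e, "GetCurrentProcess"), (0x168d590, "GetCurrentThread"),
    (0x168d62b, "GetCurrentThreadId"), (0x168d740, "DuplicateHandle"),
    (0x75b565e, "CreateProcessA"),         # RegSvcs.exe started suspended
    (0x75b4eeb, "ReadProcessMemory"),      # inspect the new process
    (0x75b4d30, "VirtualAllocEx"),
    (0x75b4df8, "WriteProcessMemory"),     # headers
    (0x75b4df8, "WriteProcessMemory"),     # sections
    (0x75b4825, "Wow64SetThreadContext"),  # redirect the main thread
    (0x75b4770, "ResumeThread"),
]
# Constructed benign trace: debugger-style suspended start, no remote writes.
DEBUGGER_TRACE = [(0x401000, "CreateProcessA"), (0x401100, "ReadProcessMemory"),
                  (0x401200, "ResumeThread")]
# Constructed: the same APIs, but ResumeThread before any write.
OUT_OF_ORDER_TRACE = [(0x401000, "CreateProcessA"), (0x401100, "ResumeThread"),
                      (0x401200, "VirtualAllocEx"), (0x401300, "WriteProcessMemory"),
                      (0x401400, "Wow64SetThreadContext")]

if __name__ == "__main__":
    for name, trace in (("sample", HOLLOWING_TRACE), ("debugger", DEBUGGER_TRACE),
                        ("out-of-order", OUT_OF_ORDER_TRACE)):
        print(name, injection_report(trace) or "no injection chain",
              f"remote writes={remote_write_count(trace)}")
```

Wow64SetThreadContext rather than SetThreadContext is itself a small indicator: it only makes sense for a 32-bit process manipulating another 32-bit process under WOW64, which matches the 32-bit RegSvcs.exe targets (Target IDs 10 and 15) in the process list.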
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2150012205.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1680000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ee846a62757faa35304b98e454da447bd128b3bd9a5f6c9e1b6bf4583c2c1c80
                                                • Instruction ID: b6f59bac3e6005b5f3ed43192306b19743ea4f2e3d3d908eee7c4f0c2b193677
                                                • Opcode Fuzzy Hash: ee846a62757faa35304b98e454da447bd128b3bd9a5f6c9e1b6bf4583c2c1c80
                                                • Instruction Fuzzy Hash: 4A51B370E012499FDB08DFA9D8449EEBBF2BF88300F14856AD415AB365DB359941CF90
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2150012205.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1680000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ce2d779c1256095c6cc5e34a7a23269f4bee8e8586e25e2948e3e8921f70c683
                                                • Instruction ID: 453d494530bb5f8bd8cdc2a4f5b8a35f846dac2afec67e7dae710b9d5369afda
                                                • Opcode Fuzzy Hash: ce2d779c1256095c6cc5e34a7a23269f4bee8e8586e25e2948e3e8921f70c683
                                                • Instruction Fuzzy Hash: 7551A270E012099FDB08DFA9D8949EEBBF2FF88310F14852AD415AB364DB359942CF94

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0168D576
                                                • GetCurrentThread.KERNEL32 ref: 0168D5B3
                                                • GetCurrentProcess.KERNEL32 ref: 0168D5F0
                                                • GetCurrentThreadId.KERNEL32 ref: 0168D649
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2150012205.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1680000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 0973233744e4c2107f69ab4c84c3012fbdc10d97b4a40dd9e142c2a36d6b6dc5
                                                • Instruction ID: 7d99837cedda2db754c3208ca2409d42c1d9784cb9b1bfbabdce2160d37d714f
                                                • Opcode Fuzzy Hash: 0973233744e4c2107f69ab4c84c3012fbdc10d97b4a40dd9e142c2a36d6b6dc5
                                                • Instruction Fuzzy Hash: BF5155B09013498FDB14DFA9D948B9EBFF1BF88318F20845AD419A73A0D7745944CB65

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 0168D576
                                                • GetCurrentThread.KERNEL32 ref: 0168D5B3
                                                • GetCurrentProcess.KERNEL32 ref: 0168D5F0
                                                • GetCurrentThreadId.KERNEL32 ref: 0168D649
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2150012205.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1680000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0
                                                • Opcode ID: 86b2c80d545d581b0388c3c1f3793a6c9f6f4a0077b1520e822a873f87864fc8
                                                • Instruction ID: 222d1f8986ede1921201f607ae3b84eff748ea251d21f0b82411ce216b71181a
                                                • Opcode Fuzzy Hash: 86b2c80d545d581b0388c3c1f3793a6c9f6f4a0077b1520e822a873f87864fc8
                                                • Instruction Fuzzy Hash: C15134B09013498FDB14DFAAD948B9EBBF1AF88318F208059E419A7390DB755944CB65

                                                Control-flow Graph

                                                control_flow_graph 75b5470-75b57b4 (rendered graph with executed/not-executed colouring omitted). Recoverable from the node list: the CreateProcessA call is in basic block 75b55ff-75b56b9; the blocks 75b56bb-75b57b4 after it handle the result.
                                                APIs
                                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 075B56A6
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165505163.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: true
                                                • Associated: 00000000.00000002.2165132439.0000000007530000.00000004.08000000.00040000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7530000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: CreateProcess
                                                • String ID:
                                                • API String ID: 963392458-0
                                                • Opcode ID: e6eb46d73b9c4c0bdf24dff34f768a5c9a9e0317fdff5ac89fe74911806dd55d
                                                • Instruction ID: 50127c907e8b8fb0d4621a8e75214cab5586b1921a8910a598809f7e97a5cb63
                                                • Opcode Fuzzy Hash: e6eb46d73b9c4c0bdf24dff34f768a5c9a9e0317fdff5ac89fe74911806dd55d
                                                • Instruction Fuzzy Hash: 0C913EB1D0025ADFDF24DF68C8817EDBBB2BF48310F14856AE809A7280E7749995CF91

                                                Control-flow Graph

                                                control_flow_graph 168ae59-168b0e8 (rendered graph with executed/not-executed colouring omitted). Recoverable from the node list: calls to 1689494, 168b100 / 168b0f1, 168a1d0, 168a1e0, 168a1f0 and 168a200; the GetModuleHandleW call is in basic block 168b0a0-168b0cb.
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0168B0BE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2150012205.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1680000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                • Opcode ID: 572afff80802762be52a4eef81f838c0fed7c097ef221b809a7c1dbb5c8b1094
                                                • Instruction ID: 93eddb7492700ba405641bbf4e4b87a76c1b667570a43600b7a2157d5a0515e1
                                                • Opcode Fuzzy Hash: 572afff80802762be52a4eef81f838c0fed7c097ef221b809a7c1dbb5c8b1094
                                                • Instruction Fuzzy Hash: 98917870A00B458FD725EF69D84475ABBF1FF88304F008A2ED596DBA91D775E806CB90

                                                Control-flow Graph

                                                control_flow_graph 168590d-1685a61 (rendered graph with executed/not-executed colouring omitted). Recoverable from the node list: the CreateActCtxA call is in the entry block 168590d-16859d9.
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 016859C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2150012205.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1680000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0
                                                • Opcode ID: 501248a66696851b1885ad2fb3757338701021621a9cfbb9a3774914267f9310
                                                • Instruction ID: b74560474d65337f48640bdfb6d9c35708bdb7c38d265b23fa1c36cdfb6e6d3e
                                                • Opcode Fuzzy Hash: 501248a66696851b1885ad2fb3757338701021621a9cfbb9a3774914267f9310
                                                • Instruction Fuzzy Hash: 4341EFB0C0071DCADB24DFAAC984B8EFBF1BF89304F20816AD419AB251DB756946CF50

                                                Control-flow Graph

                                                control_flow_graph 16844e0-1685a61 (rendered graph with executed/not-executed colouring omitted). Recoverable from the node list: the CreateActCtxA call is in the entry block 16844e0-16859d9.
                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 016859C9
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2150012205.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1680000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:

                                                Control-flow Graph
                                                • Blocks: 202 = 75b4db0-75b4dfe, 204 = 75b4e0e-75b4e4d (WriteProcessMemory), 205 = 75b4e00-75b4e0c, 207 = 75b4e4f-75b4e55, 208 = 75b4e56-75b4e86
                                                • Edges: 202->204, 202->205, 204->207, 204->208, 205->204, 207->208
                                                APIs
                                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 075B4E40
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165505163.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: true
                                                • Associated: 00000000.00000002.2165132439.0000000007530000.00000004.08000000.00040000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7530000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: MemoryProcessWrite
                                                • String ID:

                                                Control-flow Graph
                                                • Blocks: 212 = 168d738-168d73e, 213 = 168d740-168d7d4 (DuplicateHandle), 214 = 168d7dd-168d7fa, 215 = 168d7d6-168d7dc
                                                • Edges: 212->213, 213->214, 213->215, 215->214
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0168D7C7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2150012205.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1680000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:

                                                Control-flow Graph
                                                • Blocks: 218 = 75b47e0-75b482b, 220 = 75b483b-75b486b (Wow64SetThreadContext), 221 = 75b482d-75b4839, 223 = 75b486d-75b4873, 224 = 75b4874-75b48a4
                                                • Edges: 218->220, 218->221, 220->223, 220->224, 221->220, 223->224
                                                APIs
                                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075B485E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165505163.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: true
                                                • Associated: 00000000.00000002.2165132439.0000000007530000.00000004.08000000.00040000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7530000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: ContextThreadWow64
                                                • String ID:

                                                Control-flow Graph
                                                • Blocks: 228 = 75b4ea0-75b4f2d (ReadProcessMemory), 231 = 75b4f2f-75b4f35, 232 = 75b4f36-75b4f66
                                                • Edges: 228->231, 228->232, 231->232
                                                APIs
                                                • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 075B4F20
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165505163.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: true
                                                • Associated: 00000000.00000002.2165132439.0000000007530000.00000004.08000000.00040000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7530000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: MemoryProcessRead
                                                • String ID:

                                                Control-flow Graph
                                                • Blocks: 236 = 168d740-168d7d4 (DuplicateHandle), 237 = 168d7dd-168d7fa, 238 = 168d7d6-168d7dc
                                                • Edges: 236->237, 236->238, 238->237
                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0168D7C7
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2150012205.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1680000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:

                                                Control-flow Graph
                                                • Blocks: 241 = 75b4cf0-75b4d6b (VirtualAllocEx), 244 = 75b4d6d-75b4d73, 245 = 75b4d74-75b4d99
                                                • Edges: 241->244, 241->245, 244->245
                                                APIs
                                                • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 075B4D5E
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165505163.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: true
                                                • Associated: 00000000.00000002.2165132439.0000000007530000.00000004.08000000.00040000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7530000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: AllocVirtual
                                                • String ID:

                                                Control-flow Graph
                                                • Blocks: 249 = 75b4730-75b479f (ResumeThread), 252 = 75b47a8-75b47cd, 253 = 75b47a1-75b47a7
                                                • Edges: 249->252, 249->253, 253->252
                                                APIs
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2165505163.00000000075B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 07530000, based on PE: true
                                                • Associated: 00000000.00000002.2165132439.0000000007530000.00000004.08000000.00040000.00000000.sdmp
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_7530000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: ResumeThread
                                                • String ID:

                                                Control-flow Graph
                                                • Blocks: 257 = 168b058-168b098, 259 = 168b09a-168b09d, 260 = 168b0a0-168b0cb (GetModuleHandleW), 261 = 168b0cd-168b0d3, 262 = 168b0d4-168b0e8
                                                • Edges: 257->259, 257->260, 259->260, 260->261, 260->262, 261->262
                                                APIs
                                                • GetModuleHandleW.KERNEL32(00000000), ref: 0168B0BE
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2150012205.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1680000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                Memory Dump Source
                                                • Source File: 00000000.00000002.2150012205.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_0_2_1680000_Shipment Dec Orders valves 2024.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 352a6fc5cf5bcf8834d77b894d1f38c7a2e71a5fbda46081195d49dd42d6d365
                                                • Instruction ID: c9a51bf3baa95b6cf205374d99442f0b7a1189bf015d3bf264ba248865432ad4
                                                • Opcode Fuzzy Hash: 352a6fc5cf5bcf8834d77b894d1f38c7a2e71a5fbda46081195d49dd42d6d365
                                                • Instruction Fuzzy Hash: F4A1A132E106168FCF05EFB4D8804DEBBB2FF89301B1586AAE901AB265DB75D955CB40
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 312c40639a1285103f5bba4940a9312638373f7140c90cf90f5d4b76abc5af87
                                                • Instruction ID: a56aa3d2c59e0d54ab2d4bf21da29ae17a7745dab16934e327070f5255689f3c
                                                • Opcode Fuzzy Hash: 312c40639a1285103f5bba4940a9312638373f7140c90cf90f5d4b76abc5af87
                                                • Instruction Fuzzy Hash: DD630B31D10B5A8ACB11EF68C8806A9F7B1FF99300F15D79AE45877121EB70AAD5CF81
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5f12973939b4ad99e2246fb1ad7507c8733c2bbbb0763f0ae3ac8977760088db
                                                • Instruction ID: c4dfb528c913b4ce8f1642ef13858ff186d19d34b0034d4fb5aa814e4626a677
                                                • Opcode Fuzzy Hash: 5f12973939b4ad99e2246fb1ad7507c8733c2bbbb0763f0ae3ac8977760088db
                                                • Instruction Fuzzy Hash: 2E333F31D107198EDB11EF68C8806ADF7B1FF99300F15D79AE549AB211EB70AAC5CB81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \V[n
                                                • API String ID: 0-1005319620
                                                • Opcode ID: 1d005dd1bc8e9566e5d3f671326c46284815fd0a1c9d57976b787223f77bff22
                                                • Instruction ID: 6488b31d404edaef41453a3b6d5de84c80f9d3b5364441f82637e15db2dd13e4
                                                • Opcode Fuzzy Hash: 1d005dd1bc8e9566e5d3f671326c46284815fd0a1c9d57976b787223f77bff22
                                                • Instruction Fuzzy Hash: 9C916B70E0024DCFDF24CFA9C9957AEBBF2AF88704F148129E605AB254EB749945CF81
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e64bffd3c0b01dd7c301b6d0f818cd0fe32765f5c3b099a85985b125ac44f2be
                                                • Instruction ID: 358b995a1d34d3825c8f7c96cfa59fd4d30aa86255fb4af30416dc184409db20
                                                • Opcode Fuzzy Hash: e64bffd3c0b01dd7c301b6d0f818cd0fe32765f5c3b099a85985b125ac44f2be
                                                • Instruction Fuzzy Hash: 29226D39A002058FDB14DF69D894BAEBBB2FF88310F148569E609EB395DB71DD42CB50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 9b6df68118d9fcfae60402f86b4649a59e74342588bb8a6eb34a28c3dea45b74
                                                • Instruction ID: 79096151a05225b9b0c33ab9aa6d6f69929b8316ea33beffe09018fe47579a10
                                                • Opcode Fuzzy Hash: 9b6df68118d9fcfae60402f86b4649a59e74342588bb8a6eb34a28c3dea45b74
                                                • Instruction Fuzzy Hash: 17B18E70E00609DFDF28CFA9C8817ADBBF2AF88714F148529DA15EB254EB749945CF81
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \V[n$\V[n
                                                • API String ID: 0-3705941238
                                                • Opcode ID: 7313ec5202a5ebba42aecd22d3e6b0a23566b9689922ba4c0da03b76e329c237
                                                • Instruction ID: 5b3f9e20ccbafd0a4ca39636df9ce829ccb799f87231833ec59e85043ef06e58
                                                • Opcode Fuzzy Hash: 7313ec5202a5ebba42aecd22d3e6b0a23566b9689922ba4c0da03b76e329c237
                                                • Instruction Fuzzy Hash: B9717E70E00249CFDF24CFA9C88579EBBF2BF88714F148129E619A7254EB749941CF95
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \V[n$\V[n
                                                • API String ID: 0-3705941238
                                                • Opcode ID: db28577d543bb1fcf9b1d42da8083b77bb60d54e3968b4f6d97427e0ad44a470
                                                • Instruction ID: 9a391f0d7efeffb0fcf7d614cb2e9f9571e7e5d26c6545a445d7e4243feb193d
                                                • Opcode Fuzzy Hash: db28577d543bb1fcf9b1d42da8083b77bb60d54e3968b4f6d97427e0ad44a470
                                                • Instruction Fuzzy Hash: CE717CB0E00249CFDF24CFA9C88579EBBF2BF88714F148129E619A7254EB749941CF95
                                                Strings
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID: \V[n
                                                • API String ID: 0-1005319620
                                                • Opcode ID: e65170796b9822b86b7010b7eafce16a8ace6d95308266a592e97eb5febdaaf1
                                                • Instruction ID: 4f339b47e17dce059f7044ce340677537211a6f11c4ba7e483566ddf2c835a35
                                                • Opcode Fuzzy Hash: e65170796b9822b86b7010b7eafce16a8ace6d95308266a592e97eb5febdaaf1
                                                • Instruction Fuzzy Hash: D6916A70E00249CFDF24CFA9C9857DEBBF2AF88704F148129E605AB254EB759945CF91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 456b5e57af7ec329290fc844e5302d9dffd2282911a497d4f41d2baccd39a43b
                                                • Instruction ID: d8d0db4d94acf5279d5f8a681b0b6a894f2d3668fe14633b5ad825c1c49c5c28
                                                • Opcode Fuzzy Hash: 456b5e57af7ec329290fc844e5302d9dffd2282911a497d4f41d2baccd39a43b
                                                • Instruction Fuzzy Hash: 84124030711112CFEB29AB38E49572D7AA2FBC9740B50AA2DE505CB395CF75EC478B80
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dbbd441ce8573694153ea9a1e352b6771098a93e7c0b71a80acae4727d216af3
                                                • Instruction ID: 0a346d11dfac666fd1a30ce402fe05e6826e8d57d4d7514dc738fd56d90bb9b2
                                                • Opcode Fuzzy Hash: dbbd441ce8573694153ea9a1e352b6771098a93e7c0b71a80acae4727d216af3
                                                • Instruction Fuzzy Hash: 15123030711112CFEB29AB38E49576D7AA2FBC9740B50AA2DE505CB395CF75EC478B80
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e4fff48a14c3be48cd8f5fbe67df39abecd0d66eebcea6465f7ff61afc1b8cf2
                                                • Instruction ID: 28dc33284df6bb89b49fe4abe263680b10057dfccc6fd4f159ab3c98794d159b
                                                • Opcode Fuzzy Hash: e4fff48a14c3be48cd8f5fbe67df39abecd0d66eebcea6465f7ff61afc1b8cf2
                                                • Instruction Fuzzy Hash: 84A18B70E00609DFDB24CFA9C8817ADBBF1BF88714F148529DA18EB294EB749945CF91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 49bab4f9fee4412852906010b0d28b7f4f8a0120d9d88b6e2246a347d254f0b3
                                                • Instruction ID: 0be032fcf619ec575f6e4f5c52872a11dbc5e2197e09aa7c6583cb878e596ebe
                                                • Opcode Fuzzy Hash: 49bab4f9fee4412852906010b0d28b7f4f8a0120d9d88b6e2246a347d254f0b3
                                                • Instruction Fuzzy Hash: C2914B38A102149FDB14DF68D994BADBBF2EF88350F148569E906E73A4DB31ED42CB50
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f541ff4e6b129bed104bf59ff33a08dcc955c09919ab1a0a4a86abe936095741
                                                • Instruction ID: 12387c21714264eed10dd4e602a651c55b81598aa036ab8f22ef2fa94b743bc7
                                                • Opcode Fuzzy Hash: f541ff4e6b129bed104bf59ff33a08dcc955c09919ab1a0a4a86abe936095741
                                                • Instruction Fuzzy Hash: 2E51F130A002598FDB15DF79D85479EBBB6EF89300F60856AE505EB380EB71AD46CB90
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 07e797c1e39ddb581b3ed59e11361775490d94572f74bdee03f7d338898580f8
                                                • Instruction ID: 01e7a21728ce6d72a0a30899df859e20d45f202d29ebc57e60da163294536176
                                                • Opcode Fuzzy Hash: 07e797c1e39ddb581b3ed59e11361775490d94572f74bdee03f7d338898580f8
                                                • Instruction Fuzzy Hash: B5512470D002588FDB14CFAAE884B9EFBB5BF88314F24841AE815BB351D774A944CF90
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 507bb586ec60e009e6afd3b99e7f031de9ec1af83a545d74d07e3f53a09e4a0f
                                                • Instruction ID: b710e95c451ec188cbe0f7d676f0348f86b948159e2b0c6d46ccb866450111be
                                                • Opcode Fuzzy Hash: 507bb586ec60e009e6afd3b99e7f031de9ec1af83a545d74d07e3f53a09e4a0f
                                                • Instruction Fuzzy Hash: 90513670D002588FDB14CFA9E884B9DFBB5BF48314F24841AE815BB351D774A940CF90
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 369e593621fcf6d41d64b0c6ce44dd6daf866f3f7a221a3e20925e520a82eec4
                                                • Instruction ID: 19e563649f1918fae87861fd44f908718bb5fa1fab9793df0d2938a6b2ce9621
                                                • Opcode Fuzzy Hash: 369e593621fcf6d41d64b0c6ce44dd6daf866f3f7a221a3e20925e520a82eec4
                                                • Instruction Fuzzy Hash: 4E51FA70607253CFCB0AFF2AF8819593FB1EB913057045B6DD2005B67EEA607966CB91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1139ad719c1d0f6fe6d4ba130378c3d2f61929a91d878bfa33cb86404d9a164e
                                                • Instruction ID: c65c80d221537a630975b0816d79ba868566c708a23a35a75bebcca71679f4e7
                                                • Opcode Fuzzy Hash: 1139ad719c1d0f6fe6d4ba130378c3d2f61929a91d878bfa33cb86404d9a164e
                                                • Instruction Fuzzy Hash: 58417E78B0124A8BDB649EA9D89076FB3B6FFC5610F21082AD61AD7394D734ED41C781
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 1e3a5c4bf781e06bab0abfd27a82755a048b58753dab28b8c9f9d57da8c7052a
                                                • Instruction ID: bed032d9ae3dfd92379084fca78eb16f878abb60dfbd916292383551496b8b21
                                                • Opcode Fuzzy Hash: 1e3a5c4bf781e06bab0abfd27a82755a048b58753dab28b8c9f9d57da8c7052a
                                                • Instruction Fuzzy Hash: 9451AA71607263CFCB09FF2AF8819583FB1EB913053049B6DD2005B67EEA607966CB91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 0fe1b83d95b1be6981e752ea4526b2e2a512e24275fc0e5e6ed4f1cffa9225cc
                                                • Instruction ID: b9e6bcb4377dba7bb65dd7089cfdc1fe85cb59cc471c20c238f8465231f198ed
                                                • Opcode Fuzzy Hash: 0fe1b83d95b1be6981e752ea4526b2e2a512e24275fc0e5e6ed4f1cffa9225cc
                                                • Instruction Fuzzy Hash: C0310B70B002068FDB19AB34D56466E3BB2BFC9644F18442DC506DB799EF38CD42CB91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5478a86e0a1772da255617d0d195565ede34d4649d6ddfcce32bcebf288d4de2
                                                • Instruction ID: b374a7aa95c0fdd51d498368372a3b7c38a2be9f252e8f1866460c38e21d1452
                                                • Opcode Fuzzy Hash: 5478a86e0a1772da255617d0d195565ede34d4649d6ddfcce32bcebf288d4de2
                                                • Instruction Fuzzy Hash: 0B31EB30B002068FEB19AB35D56466E7BA3BBC9644F24442CC507DB399EF75DD42CB91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: fde0a04633228969dc723af4096bbe287c5638d64a2127be7b06316f4dd82ab5
                                                • Instruction ID: d95755231a190e54527de7a0a2669df7f495797a391fcba447adeb09b698dcee
                                                • Opcode Fuzzy Hash: fde0a04633228969dc723af4096bbe287c5638d64a2127be7b06316f4dd82ab5
                                                • Instruction Fuzzy Hash: 01316F70A00205CFDB24DF69D45879DBBF1EF88314F504469E606EB364DB76AD01CB91
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 214c9299444b719b55657b56e69290265f2ebf8a56435d65cdfa231d03c7bd27
                                                • Instruction ID: 7b3471cee75f6a1043097829e2cbfe5bbb46e7e3086d8384093dad28ecdb1672
                                                • Opcode Fuzzy Hash: 214c9299444b719b55657b56e69290265f2ebf8a56435d65cdfa231d03c7bd27
                                                • Instruction Fuzzy Hash: 8C317030E10219CBDB14CF65D45479EF7B5FF89300F608525E906E7280EB71E946CB90
                                                Memory Dump Source
                                                • Source File: 0000000A.00000002.2196974255.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_10_2_2cd0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:

                                                Execution Graph

Execution Coverage: 9.8%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 157
Total number of Limit Nodes: 8

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00E3D576
                                                • GetCurrentThread.KERNEL32 ref: 00E3D5B3
                                                • GetCurrentProcess.KERNEL32 ref: 00E3D5F0
                                                • GetCurrentThreadId.KERNEL32 ref: 00E3D649
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2196395383.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_e30000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0

                                                Control-flow Graph

                                                APIs
                                                • GetCurrentProcess.KERNEL32 ref: 00E3D576
                                                • GetCurrentThread.KERNEL32 ref: 00E3D5B3
                                                • GetCurrentProcess.KERNEL32 ref: 00E3D5F0
                                                • GetCurrentThreadId.KERNEL32 ref: 00E3D649
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2196395383.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_e30000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID: Current$ProcessThread
                                                • String ID:
                                                • API String ID: 2063062207-0

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00E3B0BE
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2196395383.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_e30000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0

                                                Control-flow Graph

                                                APIs
                                                • KiUserCallbackDispatcher.NTDLL(00000014,?,?,03A74104,02A90934,?,00000000), ref: 02A4EFBE
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2202109111.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_2a40000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID: CallbackDispatcherUser
                                                • String ID:
                                                • API String ID: 2492992576-0

                                                Control-flow Graph

                                                APIs
                                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02A41A42
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2202109111.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_2a40000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID: CreateWindow
                                                • String ID:
                                                • API String ID: 716092398-0

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00E359C9
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2196395383.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_e30000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0

                                                Control-flow Graph

                                                APIs
                                                • CreateActCtxA.KERNEL32(?), ref: 00E359C9
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2196395383.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_e30000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID: Create
                                                • String ID:
                                                • API String ID: 2289755597-0

                                                Control-flow Graph

                                                APIs
                                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 02A44151
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2202109111.0000000002A40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A40000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_2a40000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID: CallProcWindow
                                                • String ID:
                                                • API String ID: 2714655100-0

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E3D7C7
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2196395383.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_e30000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0

                                                Control-flow Graph

                                                APIs
                                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E3D7C7
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2196395383.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_e30000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID: DuplicateHandle
                                                • String ID:
                                                • API String ID: 3793708945-0

                                                Control-flow Graph

                                                APIs
                                                • GetModuleHandleW.KERNELBASE(00000000), ref: 00E3B0BE
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2196395383.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_e30000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID: HandleModule
                                                • String ID:
                                                • API String ID: 4139908857-0
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Instruction ID: c74ab21c4fc8e8d030ff6985cc10625c81df29199d58089ff6e59e2b6fa5e2cc
                                                • Opcode Fuzzy Hash: 6125d26f2aa7d48101021e8ee1f619f568201fda05c6e14423c32300fa1cfc84
                                                • Instruction Fuzzy Hash: 60514C31A002588FCB05DBB8C5549ADBBF2FF89300B15856AE915EB365EF31ED46CB80
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6d8a1b32077055c16aa1716938477cc068bd91c74bd6c44c6c772b190182572d
                                                • Instruction ID: d7fad78ffcb662eaba9ac686a364d5f4cbd88bbb14fdebd62f6bf8080ce2bd7b
                                                • Opcode Fuzzy Hash: 6d8a1b32077055c16aa1716938477cc068bd91c74bd6c44c6c772b190182572d
                                                • Instruction Fuzzy Hash: 1261FA7591070ACFCB41EF68C880599FBB0FF59310B14879AE959AB255EB70E986CB80
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 65f334f9b1d1b32bd8e030e7b2e7e434a1ddc1959b4aaf82196e26042d0c6e87
                                                • Instruction ID: 7d70e6874608ff601e52d1a068fd0614ffbd29967df29d3871f3fcd35a73012c
                                                • Opcode Fuzzy Hash: 65f334f9b1d1b32bd8e030e7b2e7e434a1ddc1959b4aaf82196e26042d0c6e87
                                                • Instruction Fuzzy Hash: 67413E34A00709CFDB14DFB8D8949DDBBB2FF89304F018569E515AB325EB71A946CB81
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 174cbac4e97cefbeef94008c9c7326b431a5ffd7da3394d1496a1fd8dc0afc2a
                                                • Instruction ID: d99b25955136f0fe12a9a4a9e8c1801f98d4b1166a11f003a83f2ed27881645b
                                                • Opcode Fuzzy Hash: 174cbac4e97cefbeef94008c9c7326b431a5ffd7da3394d1496a1fd8dc0afc2a
                                                • Instruction Fuzzy Hash: 01315E35B001048FCB24DB7DD844AAD77E6EF89725B1505BAEA1ACB3B1DB31E902CB51
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: e7cc3bb18d275672898f376ba4261999394472ba358c6cf7b67e4a702127efc2
                                                • Instruction ID: 93e1020dac793c71e657e7fcd0178396957ced52d8437ff3fdf0ce3ffdf0f815
                                                • Opcode Fuzzy Hash: e7cc3bb18d275672898f376ba4261999394472ba358c6cf7b67e4a702127efc2
                                                • Instruction Fuzzy Hash: 1F412E34A10709CFCB04EF78D9949DDBBB6FF89304F008569E615AB325EB71A946CB81
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8dcbb425a624099901d065fc91630bfeac9a71dec4b9145ed3899720fbd87456
                                                • Instruction ID: 1299461b07b7e8eefeeac67d704dad9805a09a27766427fbbb19347b5b0001ff
                                                • Opcode Fuzzy Hash: 8dcbb425a624099901d065fc91630bfeac9a71dec4b9145ed3899720fbd87456
                                                • Instruction Fuzzy Hash: 78413D75A042068FC755DF68D980999FBF1FF49300B1986AAD949CB366D730FC46CB90
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 45faca82e1a93373361a208691392de21faf3f9840979ede2511e72b4610e4c2
                                                • Instruction ID: c806ff380f04a65294c49af912154b5ab0775b838056ae768f5d7c9ef1b2f45b
                                                • Opcode Fuzzy Hash: 45faca82e1a93373361a208691392de21faf3f9840979ede2511e72b4610e4c2
                                                • Instruction Fuzzy Hash: D7313A35A006158FCF04EF64E9508DCB7B2FF89214B058669E505AB361EF71ED56CB81
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 112a6ba90e1d8cf446e371d365168790962bde8c4c57eb1c0e674811e4085c74
                                                • Instruction ID: f58348995cc6c7ce14f0d4ddffbf3f1f05df4406154d7c6073985d1d5dc1cd45
                                                • Opcode Fuzzy Hash: 112a6ba90e1d8cf446e371d365168790962bde8c4c57eb1c0e674811e4085c74
                                                • Instruction Fuzzy Hash: 69317F75B005049FDB18DBA9D844AAEBBF5EF8C714F1540A9E906E7361DA31ED01CBA0
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6a4c152ddf80ba0fdbad703c7c0d152e94826ad844447e31d15265503e6556e8
                                                • Instruction ID: 1bb4ce51f65310f6fd0326337a11181d807a110a9d28852a9be5eb3f99788dc9
                                                • Opcode Fuzzy Hash: 6a4c152ddf80ba0fdbad703c7c0d152e94826ad844447e31d15265503e6556e8
                                                • Instruction Fuzzy Hash: 2A21C275B043808FDB1A9B74E89956D3BA2FFCA71431A44AAD446CB372DE289D07C750
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2194703870.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_c8d000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8aaabd79320908dd6c444c5aef9213feee8289305aa8cf16c027c36a7e2f2dad
                                                • Instruction ID: 24569a17f2f08a1abd4bd9b0828c135448ee55367107d5eeda0551f0c3008be3
                                                • Opcode Fuzzy Hash: 8aaabd79320908dd6c444c5aef9213feee8289305aa8cf16c027c36a7e2f2dad
                                                • Instruction Fuzzy Hash: 5921F472504244EFDB05EF14D9C0B2ABB65FB88318F208569E90A0A296C376DC16CBA1
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2194962946.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_c9d000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dca67bf22b4b2c9f766c940cfa839a0f83deb6b0e8ec26a246e9bc2240e8a023
                                                • Instruction ID: 1f1da6cdb8591060796a909981a68dac20dcc4d4fa7a4bf7d68e7b25c492eac4
                                                • Opcode Fuzzy Hash: dca67bf22b4b2c9f766c940cfa839a0f83deb6b0e8ec26a246e9bc2240e8a023
                                                • Instruction Fuzzy Hash: 58210075604300EFDF14DF24D9C8B26BB61FB84314F20C56DE90A1B292C37AD806CA61
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2194962946.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_c9d000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 072d6fecbc10e8eacfa8f8d23445ca079f6b9a67a1f4df06c9304aa88f744406
                                                • Instruction ID: e289d531d9fedd535d5f633d07aa4464815b6fca5c1f6ed0fc2df4be90b660da
                                                • Opcode Fuzzy Hash: 072d6fecbc10e8eacfa8f8d23445ca079f6b9a67a1f4df06c9304aa88f744406
                                                • Instruction Fuzzy Hash: A2213475504700EFDF04DF10D9C8B26BBA1FB84314F20C5ADE90A5B292C376DC46CA61
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b48c96af7cfca32cd5c109d20e2b878099844789ee31ebab5e82e6a46b1e6731
                                                • Instruction ID: 1371076c945506030b13de46eccb6cdee162674f5c3d5cf059fbe0a1e1105095
                                                • Opcode Fuzzy Hash: b48c96af7cfca32cd5c109d20e2b878099844789ee31ebab5e82e6a46b1e6731
                                                • Instruction Fuzzy Hash: 97116676B001049FDB18CB69D845DAAB7F5EF8C720B1580E9E91AE7771DA31EC02CB60
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 34da54115573e6fee09d6f9fde6158b648e99aa0e1803589ec138e85f81aca29
                                                • Instruction ID: 372a8c7c2a85a1735fa42d006ecf174ed7deeb40e89a50745462a507167a0a32
                                                • Opcode Fuzzy Hash: 34da54115573e6fee09d6f9fde6158b648e99aa0e1803589ec138e85f81aca29
                                                • Instruction Fuzzy Hash: 4B212F35A106099FCB11EF6CD840999FBF4FF49315F50C26AE958A7210EB30E995CB91
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b060e04d738ab83743ee6616d7a15e4b2d0f683a9d1d8a4a9056329911fc3bb3
                                                • Instruction ID: 52c42ac264d2d2e1a044b9b7cc60d89b99c2d9863b2d0a94b075d12eaf1bf61b
                                                • Opcode Fuzzy Hash: b060e04d738ab83743ee6616d7a15e4b2d0f683a9d1d8a4a9056329911fc3bb3
                                                • Instruction Fuzzy Hash: 6511E9367426014F9B2CDA2AD88897A73B5EFC6721308847DDA42C7670DA60F882D750
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2194962946.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_c9d000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d3f64030213ae3c52b3e780db21b7bcc63b2fcf57f1d9042332f5e5315c6e0f1
                                                • Instruction ID: 0d027b02c21dbebefad7fad10504c92434b3cbc914e07b582631de04e2b98531
                                                • Opcode Fuzzy Hash: d3f64030213ae3c52b3e780db21b7bcc63b2fcf57f1d9042332f5e5315c6e0f1
                                                • Instruction Fuzzy Hash: 62215E755093C08FDB12CF24D994715BF71EB46314F28C5EAD84A8B6A7C33A990ACB62
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3bc67494eb4f0ae1a06460e6eb541b98460f1ef722c5a66255fc856973a1aa30
                                                • Instruction ID: 77e12343614aaf233471eabddcecfdc1ba980acaa43fb7ccbca1024a2cbfa58c
                                                • Opcode Fuzzy Hash: 3bc67494eb4f0ae1a06460e6eb541b98460f1ef722c5a66255fc856973a1aa30
                                                • Instruction Fuzzy Hash: 1511E333704A018FE3249B24D85274BBBDAFBCE744F10446AE286EB7A2DB70B8058750
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7cdaec821ea0ab7f5d62dfc940db55402fdf039f48057e07cbf49cff3883e957
                                                • Instruction ID: 58d0d16e04010e846e3d4dd28cdfc732b1ee7f56ba2767025a9cd62da2d5a400
                                                • Opcode Fuzzy Hash: 7cdaec821ea0ab7f5d62dfc940db55402fdf039f48057e07cbf49cff3883e957
                                                • Instruction Fuzzy Hash: DC01F531B006200FD7199B38D85469D7BA1AF8AA0470544A6DD15CB372DF25DF03C3C1
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2194703870.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_c8d000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
                                                • Instruction ID: 9ae2f44eca0b59705d72b3233df709411a78934c38342528ce911447c820c4f6
                                                • Opcode Fuzzy Hash: 45d2786e60e1e4201bb004dcd9f59ae96814e242b2a6b2dda49e09682ea99c03
                                                • Instruction Fuzzy Hash: F521B176504284DFCB06DF50D9C4B56BF72FB84314F24C6A9DC094B696C33AD926CBA1
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 72aebe82ea6d019d06acd59aecde33ad69541b6a097741fccdf30c65bee9ae59
                                                • Instruction ID: b55758191ecf6fef07a9228032a55867909db1ea8fb0c0c962ee36c3b17b41cb
                                                • Opcode Fuzzy Hash: 72aebe82ea6d019d06acd59aecde33ad69541b6a097741fccdf30c65bee9ae59
                                                • Instruction Fuzzy Hash: 0B11C432714A008FE7249B69D84275FBBDAFBCD704F104429E286E7795DBB0B8058790
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2194962946.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_c9d000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction ID: f00f6daab4224ad1f9c5f8e14f8246488c10441c12d1a4cf6be225489e053064
                                                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                • Instruction Fuzzy Hash: 96118B75504684DFCB15CF10D6C4B15BBA1FB84314F24C6A9D84A4B6A6C33AD94ACB61
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 029c72b495668f92509771c7dcbc7afa291c5ffc2ded51526c074f82bc24c9e4
                                                • Instruction ID: 041150c400dccfc0d71ea774602f894f24cdfabe840015f116b6a814892891e2
                                                • Opcode Fuzzy Hash: 029c72b495668f92509771c7dcbc7afa291c5ffc2ded51526c074f82bc24c9e4
                                                • Instruction Fuzzy Hash: 50018C32B042049BEB14A775890476BB7E99F46308F0402E99F46C6AA2EF34F943C772
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2194703870.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_c8d000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f8134fd6b8e94f0b9c8d05f62bf521e05fcde44693d16cd8a26f401559a297f9
                                                • Instruction ID: 65f7a49cd8705a7d6b2226c0e1ea9a544627aed0efb416818ae71161492fb47a
                                                • Opcode Fuzzy Hash: f8134fd6b8e94f0b9c8d05f62bf521e05fcde44693d16cd8a26f401559a297f9
                                                • Instruction Fuzzy Hash: 87012B71004344DAE7106E26CD84B26BF98EF41378F18C56AEE1A4A2CAD6799D40C779
                                                Memory Dump Source
                                                • Source File: 0000000B.00000002.2211589545.0000000004F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F50000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_11_2_4f50000_FriQTglEtYKsd.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 6cd78aae3886c4e9129c6ce10a40cb800893cedba6b20f7497a4e840ec2d926a
                                                • Instruction ID: 29bf02e195f043c74236e8571f8af3f1a4df18e230b1b21fc6572d6369f99fc8
                                                • Opcode ID: c63423d8f4f3218cd933d673f060bde36d10cc24fadf030584fd9eb6ab93bdf8
                                                • Instruction ID: 5c71873e9b7f3761da186dedbd45c288e381eb3a4c848229ed727073b847b095
                                                • Opcode Fuzzy Hash: c63423d8f4f3218cd933d673f060bde36d10cc24fadf030584fd9eb6ab93bdf8
                                                • Instruction Fuzzy Hash: 28317E34E0064A9BCB15CFA5D45469EB7B2FF89300F20C92AE806FB750DB71AC82CB40
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 098a8062de0141e28b36a24cad7113c1a77e023644814f57668c23ee8b84ea34
                                                • Instruction ID: d58ad94e2f62fe6c6be07e5f755c2d9b482d87cf980e55dce9101f85b8ca433a
                                                • Opcode Fuzzy Hash: 098a8062de0141e28b36a24cad7113c1a77e023644814f57668c23ee8b84ea34
                                                • Instruction Fuzzy Hash: 6141E0B0D0034DDFDB14CFAAC580ADEBBB5BF88314F20802AE509AB254DB759945CB90
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24da0972315c76b34290d72816687dfc76193159d707d775dbaa808d029d9f88
                                                • Instruction ID: 932b45675e8f506de2ac818194d48e98cb53e02bc31eca94eeb59f950542e6dc
                                                • Opcode Fuzzy Hash: 24da0972315c76b34290d72816687dfc76193159d707d775dbaa808d029d9f88
                                                • Instruction Fuzzy Hash: 6C31AF30E0025D8BDB14CFA6E45479EB7B6FF89344F209525E806FB240EB71AD46CB50
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 3c95708171406f48904309ef32aa19b23566757988c696ca8d9a0b5fbe6088af
                                                • Instruction ID: 1ff7131a2e2dfa8d45bba22ed5bbc8f0971eba569a5448a64e3b45a37c55ccac
                                                • Opcode Fuzzy Hash: 3c95708171406f48904309ef32aa19b23566757988c696ca8d9a0b5fbe6088af
                                                • Instruction Fuzzy Hash: FB316134E406499BCB15DFA6D45469EB7B2FF89300F20D929E906F7750DB71AC42CB40
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 7e023989c711068fb1e003b9234917f33e945555df5296869336fe1a406de63c
                                                • Instruction ID: 9b34436dede5696ad0e0a1bc750fa7e20bbc9f45c47e78639b0b0f2dc6c83385
                                                • Opcode Fuzzy Hash: 7e023989c711068fb1e003b9234917f33e945555df5296869336fe1a406de63c
                                                • Instruction Fuzzy Hash: D741EFB1D0034DDFDB14CFAAC980ADEBBB5FF48314F20802AE509AB254DB75A945CB90
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: ad8c64d597db31221e4281b9915d50ede03fc016df3e4fb7bc151ab5a1078b38
                                                • Instruction ID: 44818976665d650b6d1305abc3862c6f8d8ae06d34ca52c3d796991257cec54f
                                                • Opcode Fuzzy Hash: ad8c64d597db31221e4281b9915d50ede03fc016df3e4fb7bc151ab5a1078b38
                                                • Instruction Fuzzy Hash: D5317F71E0025A9BCF05CFA5D55069EB7F2FF89304F14D62AE905BB251DB719882CB80
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: c2e9a7843a3a88b7c3593dc94b885debccb533fd249c91d78e3cf419a66792de
                                                • Instruction ID: d5deaa5a077962013522005c70c2d2a1fbc623aea81813068f7330810c0467ed
                                                • Opcode Fuzzy Hash: c2e9a7843a3a88b7c3593dc94b885debccb533fd249c91d78e3cf419a66792de
                                                • Instruction Fuzzy Hash: 1B217E30E0024A9BDF05CFA5D55069EF7B2FF89304F20D629E905BB251DB719882CB90
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: aabcf660489fb8b83bdea0c682fe23b79a65d8c04978db1fd481886e3db62826
                                                • Instruction ID: edc905bd23d4e1dc7937dc7ac09692bf88831b52ba4f473cbcc8d9e7c9c4e358
                                                • Opcode Fuzzy Hash: aabcf660489fb8b83bdea0c682fe23b79a65d8c04978db1fd481886e3db62826
                                                • Instruction Fuzzy Hash: AD2134307043969FC316BB39D0506AE7BF1EFC6310B1182AAD008CB296EB758C46CB91
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 340206e2fe0b57c0c91e5ae2c9d720a54c89f6c775a57228df5127fb639d4bb5
                                                • Instruction ID: a94afa049494c19012a7c4928f50642c2377cca24d768dfd11754bcfed3246a5
                                                • Opcode Fuzzy Hash: 340206e2fe0b57c0c91e5ae2c9d720a54c89f6c775a57228df5127fb639d4bb5
                                                • Instruction Fuzzy Hash: 36219230E0025A9BDB19CFA5D8446DEB7F2AF89304F20862AE815BB351EB709D46CB50
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 11adf7b1816bb2511d92cc394f07330347d33e64916cc42d569bfb30c1a55949
                                                • Instruction ID: cef63cfa5a8c2ef57ab1ab3dc752fbecdb444b9053e538ed48d6f9775544394f
                                                • Opcode Fuzzy Hash: 11adf7b1816bb2511d92cc394f07330347d33e64916cc42d569bfb30c1a55949
                                                • Instruction Fuzzy Hash: 6421FC345001928FEF21E735F844B693B66F7C2308F1067AAD406DB259EBB4DC85CB91
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 59d73ad6b393ce7b89847bb8d5ea0e9c5d4401b5a36dd6f31224aae703e70186
                                                • Instruction ID: 83e9e475371fa436b6036894de96a06ae29e0e4e9209288d72f1d24d4302a699
                                                • Opcode Fuzzy Hash: 59d73ad6b393ce7b89847bb8d5ea0e9c5d4401b5a36dd6f31224aae703e70186
                                                • Instruction Fuzzy Hash: D3211635A00649CFCB54EB7AD99869D77F1AF8D308F204468E506EB3A0EB719D00CB90
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367466304.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_e9d000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5d895bfa5b748e133b7e0f8ecbf44fed22fc124bdea4a33060dd3ebeec9b08f2
                                                • Instruction ID: ea8bcf2a07a50697610b7dca2197099d740a66cde260bcdddedf727209ab2802
                                                • Opcode Fuzzy Hash: 5d895bfa5b748e133b7e0f8ecbf44fed22fc124bdea4a33060dd3ebeec9b08f2
                                                • Instruction Fuzzy Hash: 75212275608300EFDF14DF24D9C0B26BB66FB84318F20C56DD90A5B292C37AD847CA61
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 679e9feb9bc15dfaa69937dc7e00c32967d2afb15e585889801eb86c2490a3d9
                                                • Instruction ID: 3711249577a708df35c0f34298b01c6d244bff5859ceeeef8fee42d49b25defc
                                                • Opcode Fuzzy Hash: 679e9feb9bc15dfaa69937dc7e00c32967d2afb15e585889801eb86c2490a3d9
                                                • Instruction Fuzzy Hash: 422124706003848FDF316A3AE44876C3764E79631CF2064AAE41AEB7D4DA798DC5C742
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: a2cff5db8afef1c5975245f9fdd6bf745d8f4e9cd078b24166d79d157d82e7e7
                                                • Instruction ID: 6ff38fbbb970b8b31c4d8a236933f17955efb061081fdd6bc4512e12041fef12
                                                • Opcode Fuzzy Hash: a2cff5db8afef1c5975245f9fdd6bf745d8f4e9cd078b24166d79d157d82e7e7
                                                • Instruction Fuzzy Hash: 57215330E0025A9BCB18CFA5D8549DEB7F2AF89314F20952AE915B7351DB709D46CB50
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: f6d14adaf77d356ad519a3f67e0111c5ca1d3766ddafe9535ad2a8725b8b4dd4
                                                • Instruction ID: 06e5febe7fe315c96ff93e973d2ff0a6732c3fb758c440c82e2afebaf69a5667
                                                • Opcode Fuzzy Hash: f6d14adaf77d356ad519a3f67e0111c5ca1d3766ddafe9535ad2a8725b8b4dd4
                                                • Instruction Fuzzy Hash: EC214C30B00299CFDB64EB75C5646AD77F2AF89304F1004A8D106FB391DB329D81CB61
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: dbb267185c4ade16e54f0ccf3e515b1172015d57253c7a01ae82a246a835c021
                                                • Instruction ID: ee8650c9d87d248c48822a374d31bd5db3c9e595f53b9ef487af2844a6ac5756
                                                • Opcode Fuzzy Hash: dbb267185c4ade16e54f0ccf3e515b1172015d57253c7a01ae82a246a835c021
                                                • Instruction Fuzzy Hash: AA21D5342001568FEF21E72AE884B693B6AE7C5708F10676AD406DB259EBB4DC848B90
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 049b7255244837e386522cd105710d3a0faa94001d7cceaba38c4a410ad368b7
                                                • Instruction ID: 39f0df28e97e40dbbe3337566bf422474d7fae621fdd4e56abf9ba3ce63a7a33
                                                • Opcode Fuzzy Hash: 049b7255244837e386522cd105710d3a0faa94001d7cceaba38c4a410ad368b7
                                                • Instruction Fuzzy Hash: 4E214A30B00299CFDB64EB75C5656AD77F2AF89304F1005A9D106FB3A1DB369D81CB51
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: b9c4702928287918d6e064777c1570925e7efade4727ea77c507bd14215bdd52
                                                • Instruction ID: 2987876e2c534a137f9b5b3866e7325606ef74887821004b37451f3f100ce3e8
                                                • Opcode Fuzzy Hash: b9c4702928287918d6e064777c1570925e7efade4727ea77c507bd14215bdd52
                                                • Instruction Fuzzy Hash: D3213935700249CFCB14EB7AC958AAD77F1AB8D304F104868E506EB3A0EB71AD44CB90
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367466304.0000000000E9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E9D000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_e9d000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8bdc80ae08ba64fef5293fe956bdf601fb44ab4749c4c271ad172840fd8c8488
                                                • Instruction ID: 62d47d4d00e7a50c0714c4248275e442e7916753dcf541bc6dc1a54f84d00d6a
                                                • Opcode Fuzzy Hash: 8bdc80ae08ba64fef5293fe956bdf601fb44ab4749c4c271ad172840fd8c8488
                                                • Instruction Fuzzy Hash: E721537550D3C08FDB12CF24D994715BF71EB46318F28C5DAD8498B6A7C33A984ACB62
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 5b4b7c4b8cb295168a6dd1787105877d0e48630ec3d351252110900f48da8a03
                                                • Instruction ID: 6431bcfb61bcb78a504192dd095bd4c47878ecb9828924f153acddb463e968d2
                                                • Opcode Fuzzy Hash: 5b4b7c4b8cb295168a6dd1787105877d0e48630ec3d351252110900f48da8a03
                                                • Instruction Fuzzy Hash: 2A119130B0024D8BEF28AB7BD45476A3695FBD1718F209939D046EF25ADAE5CCC18BC5
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: d1c373590aed18fec40b1b3d79eaf416d049ae7119a579b59202b8cfe56be867
                                                • Instruction ID: 77f7e901aff0444e6a378ed762c98c48ed23ef2648312c68c8a9951bc2a2ac8a
                                                • Opcode Fuzzy Hash: d1c373590aed18fec40b1b3d79eaf416d049ae7119a579b59202b8cfe56be867
                                                • Instruction Fuzzy Hash: 8411E230A0014ACFEF01EBB9F94069D7BA1EBC4300F10967ED508EB2A0DF759E468B41
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 8a90b7687863252d385c116e3c067c2553feb40d0c043cae63aef1ee5b1c4caf
                                                • Instruction ID: 965aae85610ba9b1c98dc0d75c040dab97d8c9f269b01339a1fed68ffda9e536
                                                • Opcode Fuzzy Hash: 8a90b7687863252d385c116e3c067c2553feb40d0c043cae63aef1ee5b1c4caf
                                                • Instruction Fuzzy Hash: 58111C31A007698FCB61EFB984515AE77F5EB88324B1454BAD805FB241E635DC82CB91
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 4f41a1408adbd0439da511b65c1520fed1b5f64b62eef34c0b652aeb3d6975a0
                                                • Instruction ID: c9ccd1250d771e852b3ff75c5cd775bda456d94b9715db2f35ef69102357385e
                                                • Opcode Fuzzy Hash: 4f41a1408adbd0439da511b65c1520fed1b5f64b62eef34c0b652aeb3d6975a0
                                                • Instruction Fuzzy Hash: 9F11C279F002628FCF10AB76A84829E77F9FB88354F10856ADA06E3344E734D941CB81
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd
                                                Similarity
                                                • API ID:
                                                • String ID:
                                                • API String ID:
                                                • Opcode ID: 24f7680d0730a00bf710ceb40f3f99ce63adb9edf7a98bb454f2f1f646130e17
                                                • Instruction ID: a9990c4ae060898ee4752a4f92419295d48d3ddf21faebe251cce4a2efba0c7a
                                                • Opcode Fuzzy Hash: 24f7680d0730a00bf710ceb40f3f99ce63adb9edf7a98bb454f2f1f646130e17
                                                • Instruction Fuzzy Hash: 18014031B006699FCB21EFBA84515AE7BF5EB48314F2414BAD805F7341E635DD81CB91
                                                Memory Dump Source
                                                • Source File: 0000000F.00000002.3367723831.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                                Joe Sandbox IDA Plugin
                                                • Snapshot File: hcaresult_15_2_ee0000_RegSvcs.jbxd