
Windows Analysis Report
INV0062180.exe

Overview

General Information

Sample name: INV0062180.exe
Analysis ID: 1415798
MD5: 6aef5f1931bd1407f891b037b994414e
SHA1: a12e03d4a77c16cc9265edfc14ddc3e42ae1818e
SHA256: 3510d84f8b7c07db80eaf1f190ff3727c3ae95921cab2d308a711b1e14f62099
Tags: exe

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • INV0062180.exe (PID: 1512 cmdline: "C:\Users\user\Desktop\INV0062180.exe" MD5: 6AEF5F1931BD1407F891B037B994414E)
    • powershell.exe (PID: 3984 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4920 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5280 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6628 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • INV0062180.exe (PID: 2268 cmdline: "C:\Users\user\Desktop\INV0062180.exe" MD5: 6AEF5F1931BD1407F891B037B994414E)
    • INV0062180.exe (PID: 2244 cmdline: "C:\Users\user\Desktop\INV0062180.exe" MD5: 6AEF5F1931BD1407F891B037B994414E)
    • INV0062180.exe (PID: 5912 cmdline: "C:\Users\user\Desktop\INV0062180.exe" MD5: 6AEF5F1931BD1407F891B037B994414E)
    • INV0062180.exe (PID: 5088 cmdline: "C:\Users\user\Desktop\INV0062180.exe" MD5: 6AEF5F1931BD1407F891B037B994414E)
    • INV0062180.exe (PID: 5360 cmdline: "C:\Users\user\Desktop\INV0062180.exe" MD5: 6AEF5F1931BD1407F891B037B994414E)
  • iqKlcCJyhhi.exe (PID: 2912 cmdline: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe MD5: 6AEF5F1931BD1407F891B037B994414E)
    • schtasks.exe (PID: 5952 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp2D85.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • iqKlcCJyhhi.exe (PID: 5040 cmdline: "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe" MD5: 6AEF5F1931BD1407F891B037B994414E)
    • iqKlcCJyhhi.exe (PID: 6868 cmdline: "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe" MD5: 6AEF5F1931BD1407F891B037B994414E)
    • iqKlcCJyhhi.exe (PID: 5036 cmdline: "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe" MD5: 6AEF5F1931BD1407F891B037B994414E)
    • iqKlcCJyhhi.exe (PID: 5948 cmdline: "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe" MD5: 6AEF5F1931BD1407F891B037B994414E)
    • iqKlcCJyhhi.exe (PID: 5088 cmdline: "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe" MD5: 6AEF5F1931BD1407F891B037B994414E)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger with many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including email (SMTP), FTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Extracted malware configuration. This is the SMTP account the sample uses to send its logs out, so the host, port and username are network indicators of the operator's infrastructure rather than victim data:
{"Exfil Mode": "SMTP", "Username": "jenny@surnvang.com", "Password": "zhBHMq@2", "Host": "smtp.surnvang.com", "Port": "587"}
Yara matches in process memory dumps (Source | Rule | Description | Author), with the matched strings under each rule:

0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14c72:$a1: get_encryptedPassword
  • 0x35492:$a1: get_encryptedPassword
  • 0x14f68:$a2: get_encryptedUsername
  • 0x35788:$a2: get_encryptedUsername
  • 0x14a6e:$a3: get_timePasswordChanged
  • 0x3528e:$a3: get_timePasswordChanged
  • 0x14b69:$a4: get_passwordField
  • 0x35389:$a4: get_passwordField
  • 0x14c88:$a5: set_encryptedPassword
  • 0x354a8:$a5: set_encryptedPassword
  • 0x162a1:$a7: get_logins
  • 0x36ac1:$a7: get_logins
  • 0x16204:$a10: KeyLoggerEventArgs
  • 0x36a24:$a10: KeyLoggerEventArgs
  • 0x15e9d:$a11: KeyLoggerEventArgsEventHandler
  • 0x366bd:$a11: KeyLoggerEventArgsEventHandler
0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x1853c:$x1: $%SMTPDV$
  • 0x38d5c:$x1: $%SMTPDV$
  • 0x185a0:$x2: $#TheHashHere%&
  • 0x38dc0:$x2: $#TheHashHere%&
  • 0x19bc7:$x3: %FTPDV$
  • 0x3a3e7:$x3: %FTPDV$
  • 0x19cbb:$x4: $%TelegramDv$
  • 0x3a4db:$x4: $%TelegramDv$
  • 0x15e9d:$x5: KeyLoggerEventArgs
  • 0x16204:$x5: KeyLoggerEventArgs
  • 0x366bd:$x5: KeyLoggerEventArgs
  • 0x36a24:$x5: KeyLoggerEventArgs
  • 0x19beb:$m2: Clipboard Logs ID
  • 0x19db7:$m2: Screenshot Logs ID
  • 0x19e83:$m2: keystroke Logs ID
  • 0x3a40b:$m2: Clipboard Logs ID
  • 0x3a5d7:$m2: Screenshot Logs ID
  • 0x3a6a3:$m2: keystroke Logs ID
  • 0x19d8f:$m4: \SnakeKeylogger\
  • 0x3a5af:$m4: \SnakeKeylogger\
00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(13 further memory-dump matches are collapsed in the original report and not reproduced here.)

Yara matches in unpacked PE files (Source | Rule | Description | Author), with the matched strings under each rule:

0.2.INV0062180.exe.3ceb7a8.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.INV0062180.exe.3ceb7a8.3.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
0.2.INV0062180.exe.3ceb7a8.3.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x12d02:$a1: get_encryptedPassword
  • 0x12ff8:$a2: get_encryptedUsername
  • 0x12afe:$a3: get_timePasswordChanged
  • 0x12bf9:$a4: get_passwordField
  • 0x12d18:$a5: set_encryptedPassword
  • 0x14331:$a7: get_logins
  • 0x14294:$a10: KeyLoggerEventArgs
  • 0x13f2d:$a11: KeyLoggerEventArgsEventHandler
0.2.INV0062180.exe.3ceb7a8.3.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1a55b:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1978d:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x19bc0:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1abff:$a5: \Kometa\User Data\Default\Login Data
0.2.INV0062180.exe.3ceb7a8.3.unpack | INDICATOR_SUSPICIOUS_EXE_DotNetProcHook | Detects executables with potential process hoocking | ditekSHen
  • 0x138b4:$s1: UnHook
  • 0x138bb:$s2: SetHook
  • 0x138c3:$s3: CallNextHook
  • 0x138d0:$s4: _hook
(43 further unpacked-PE matches are collapsed in the original report and not reproduced here.)
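In the memory-dump listing every string of the ditekSHen rule hits at two offsets a constant 0x20820 apart (0x1853c and 0x38d5c, 0x19bc7 and 0x3a3e7, and so on), which is consistent with two copies of the unpacked payload sitting in that dump region. The Python below is an added example, not code from Joe Sandbox, from ditekSHen's rule or from the malware: it reproduces that kind of listing over a constructed stand-in for the dump, searching for the strings the report shows for MALWARE_Win_SnakeKeylogger and evaluating an assumed, simplified condition (2 of $x* or 1 of $x* plus 2 of $m*). The real rule's condition, header checks and any strings not shown above are not reproduced.

```python
import re

# Patterns reproduce the strings the report lists for ditekSHen's
# MALWARE_Win_SnakeKeylogger match. Names follow the listing; $m2 is modelled
# as one regex because the listing shows three different texts under it.
PATTERNS = {
    "$x1": re.compile(rb"\$%SMTPDV\$"),
    "$x2": re.compile(rb"\$#TheHashHere%&"),
    "$x3": re.compile(rb"%FTPDV\$"),
    "$x4": re.compile(rb"\$%TelegramDv\$"),
    "$x5": re.compile(rb"KeyLoggerEventArgs"),
    "$m2": re.compile(rb"(?:Clipboard|Screenshot|keystroke) Logs ID"),
    "$m4": re.compile(rb"\\SnakeKeylogger\\"),
}


def scan(buf: bytes):
    """Return every hit as (offset, name, text), sorted by offset, like the report."""
    hits = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            hits.append((m.start(), name, m.group(0).decode("latin-1")))
    return sorted(hits)


def verdict(hits):
    """Assumed, simplified condition: 2 of ($x*) or (1 of ($x*) and 2 of ($m*)).

    Counting distinct string names (not occurrences) is how YARA's 'N of' works."""
    names = {name for _, name, _ in hits}
    x = sum(1 for n in names if n.startswith("$x"))
    m = sum(1 for n in names if n.startswith("$m"))
    return x >= 2 or (x >= 1 and m >= 2)


def listing(hits):
    """Format hits the way the report prints them: 0x1853c:$x1: $%SMTPDV$"""
    return [f"{off:#x}:{name}: {text}" for off, name, text in hits]


def build_sample(copies: int = 2, gap: int = 0x20820) -> bytes:
    """Constructed stand-in for a memory dump (not real data): the marker strings
    embedded `copies` times with `gap` bytes of filler between copies, mirroring
    the report, where every string appears at two offsets 0x20820 apart."""
    markers = (b"$%SMTPDV$", b"$#TheHashHere%&", b"%FTPDV$", b"$%TelegramDv$",
               b"KeyLoggerEventArgs", b"Clipboard Logs ID", b"Screenshot Logs ID",
               b"keystroke Logs ID", b"\\SnakeKeylogger\\")
    payload = b"".join(marker + b"\x00" * 0x40 for marker in markers)
    return b"\x00" * 0x100 + (b"\xcc" * gap).join([payload] * copies)


if __name__ == "__main__":
    sample_hits = scan(build_sample())
    print("\n".join(listing(sample_hits)))
    print("condition satisfied:", verdict(sample_hits))
```

Two points carry over to real triage: a single `KeyLoggerEventArgs` hit (shared with the Elastic rule's `$a10`) is not enough on its own, and a memory dump is not a PE image, so any `uint16(0) == 0x5a4d` header check in a rule written for files will simply fail on `.sdmp` input; run the memory variant of a rule, or drop the header check, when scanning dumps.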

System Summary

Sigma rule match | Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INV0062180.exe", ParentImage: C:\Users\user\Desktop\INV0062180.exe, ParentProcessId: 1512, ParentProcessName: INV0062180.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe", ProcessId: 3984, ProcessName: powershell.exe
Sigma rule match | Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INV0062180.exe", ParentImage: C:\Users\user\Desktop\INV0062180.exe, ParentProcessId: 1512, ParentProcessName: INV0062180.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe", ProcessId: 3984, ProcessName: powershell.exe
Sigma rule match | Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp2D85.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp2D85.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe, ParentImage: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe, ParentProcessId: 2912, ParentProcessName: iqKlcCJyhhi.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp2D85.tmp", ProcessId: 5952, ProcessName: schtasks.exe
Sigma rule match | Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\INV0062180.exe", ParentImage: C:\Users\user\Desktop\INV0062180.exe, ParentProcessId: 1512, ParentProcessName: INV0062180.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp", ProcessId: 6628, ProcessName: schtasks.exe
Sigma rule match | Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\INV0062180.exe", ParentImage: C:\Users\user\Desktop\INV0062180.exe, ParentProcessId: 1512, ParentProcessName: INV0062180.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe", ProcessId: 3984, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma rule match | Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\INV0062180.exe", ParentImage: C:\Users\user\Desktop\INV0062180.exe, ParentProcessId: 1512, ParentProcessName: INV0062180.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp", ProcessId: 6628, ProcessName: schtasks.exe
            No Snort rule has matched
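The process tree and the Sigma matches above isolate the two behaviours worth alerting on: powershell.exe run with Add-MpPreference -ExclusionPath to exclude both the original file and the dropped copy from Defender, and schtasks.exe /Create ... /XML pointing at a .tmp file in the user's Temp folder, in every case launched by a binary living under C:\Users. The Python below is an added example, not Joe Sandbox or Sigma code: it runs equivalent checks over constructed process-creation events modelled on the tree (the field names are assumed, the parent of the first INV0062180.exe instance is assumed to be explorer.exe since the report does not show it, and a benign Get-MpPreference event is added as a control) and aggregates the exclusion paths and task name a responder has to undo.

```python
import re

# Constructed process-creation events modelled on the report's process tree
# (not an export of real telemetry). Field names loosely follow Sysmon Event ID 1.
# The parent of PID 1512 is an assumption; the report does not show it.
EVENTS = [
    {"pid": 1512, "image": r"C:\Users\user\Desktop\INV0062180.exe",
     "cmdline": r'"C:\Users\user\Desktop\INV0062180.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 3984, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe"',
     "parent_image": r"C:\Users\user\Desktop\INV0062180.exe"},
    {"pid": 4920, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"',
     "parent_image": r"C:\Users\user\Desktop\INV0062180.exe"},
    {"pid": 6628, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp"',
     "parent_image": r"C:\Users\user\Desktop\INV0062180.exe"},
    {"pid": 5952, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp2D85.tmp"',
     "parent_image": r"C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"},
    # Benign control (constructed): an administrator reading Defender settings from a console.
    {"pid": 7001, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference',
     "parent_image": r"C:\Windows\System32\cmd.exe"},
]

USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)   # anything under a profile directory
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
LOLBINS = ("\\powershell.exe", "\\pwsh.exe", "\\schtasks.exe")


def split_cmdline(cmdline):
    """Tokenise a Windows command line, honouring double-quoted arguments."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def switch_value(args, switch):
    """Value following a switch such as -ExclusionPath or /XML (case-insensitive), else None."""
    lowered = [a.lower() for a in args]
    try:
        return args[lowered.index(switch.lower()) + 1]
    except (ValueError, IndexError):
        return None


def analyse(event):
    """Return [(rule, artefact), ...] for one process-creation event."""
    hits = []
    image = event["image"].lower()
    args = split_cmdline(event["cmdline"])
    lowered = {a.lower() for a in args}

    # Defender exclusion added or replaced from PowerShell (covers pwsh and Set-MpPreference too).
    if image.endswith(("\\powershell.exe", "\\pwsh.exe")) and lowered & {"add-mppreference", "set-mppreference"}:
        for switch in ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension"):
            value = switch_value(args, switch)
            if value is not None:
                hits.append(("defender_exclusion_via_powershell", value))

    # Scheduled task registered from an XML definition written to the user's Temp folder.
    if image.endswith("\\schtasks.exe") and "/create" in lowered:
        xml = switch_value(args, "/XML")
        if xml and TEMP_DIR.search(xml):
            hits.append(("schtasks_create_from_temp_xml", f"{switch_value(args, '/TN')} <- {xml}"))

    # Common thread in the tree: the LOLBin's parent lives in a user-writable path.
    if image.endswith(LOLBINS) and USER_WRITABLE.match(event["parent_image"]):
        hits.append(("lolbin_spawned_from_user_writable_path", event["parent_image"]))
    return hits


def cleanup_items(events):
    """Aggregate what a responder must undo: exclusions to remove and tasks to delete."""
    exclusions, tasks = set(), set()
    for ev in events:
        for rule, artefact in analyse(ev):
            if rule == "defender_exclusion_via_powershell":
                exclusions.add(artefact)
            elif rule == "schtasks_create_from_temp_xml":
                tasks.add(artefact.split(" <- ")[0])
    return {"exclusions": sorted(exclusions), "tasks": sorted(tasks)}


if __name__ == "__main__":
    for ev in EVENTS:
        for rule, artefact in analyse(ev):
            print(f"PID {ev['pid']:>5}  {rule:<40} {artefact}")
    print(cleanup_items(EVENTS))
```

The checks follow the intent of the Sigma rules rather than their exact selections; pwsh.exe and the -ExclusionProcess and -ExclusionExtension switches are included because a rule keyed only on the literal command line seen here misses them. On a live host the same artefacts are undone with Remove-MpPreference -ExclusionPath for each path and schtasks /Delete /TN "Updates\iqKlcCJyhhi" /F, once the INV0062180.exe and iqKlcCJyhhi.exe processes have been stopped.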


            AV Detection

Source: 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "jenny@surnvang.com", "Password": "zhBHMq@2", "Host": "smtp.surnvang.com", "Port": "587"}
Source: https://scratchdreams.tk | Virustotal: Detection: 13%
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Virustotal: Detection: 30%
Source: INV0062180.exe | ReversingLabs: Detection: 18%
Source: INV0062180.exe | Virustotal: Detection: 30%
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Joe Sandbox ML: detected
Source: INV0062180.exe | Joe Sandbox ML: detected
Source: INV0062180.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: INV0062180.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: INV0062180.exe, 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, iqKlcCJyhhi.exe, 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: iqKlcCJyhhi.exe.0.dr | String found in binary or memory: http://dev.neptuo.com
Source: INV0062180.exe, 00000000.00000002.2123632910.0000000002A22000.00000004.00000800.00020000.00000000.sdmp, iqKlcCJyhhi.exe, 0000000F.00000002.2166996658.0000000002552000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: INV0062180.exe, 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, iqKlcCJyhhi.exe, 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: INV0062180.exe, 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, iqKlcCJyhhi.exe, 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://scratchdreams.tk

Note on the URLs: checkip.dyndns.org and reallyfreegeoip.org are the public-IP and geolocation lookups the stealer performs to tag its victim before exfiltration. Legitimate software queries both services as well, so on their own they are weak indicators; the SMTP host from the extracted configuration is the stronger network pivot.

            System Summary

Source: 0.2.INV0062180.exe.3ceb7a8.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.INV0062180.exe.3ceb7a8.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.INV0062180.exe.3ceb7a8.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.INV0062180.exe.3ceb7a8.3.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 15.2.iqKlcCJyhhi.exe.381b990.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 15.2.iqKlcCJyhhi.exe.381b990.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 15.2.iqKlcCJyhhi.exe.381b990.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 15.2.iqKlcCJyhhi.exe.381b990.5.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 15.2.iqKlcCJyhhi.exe.381b990.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 15.2.iqKlcCJyhhi.exe.381b990.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 15.2.iqKlcCJyhhi.exe.381b990.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 15.2.iqKlcCJyhhi.exe.381b990.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.INV0062180.exe.3ccaf88.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.INV0062180.exe.3ccaf88.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.INV0062180.exe.3ccaf88.4.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.INV0062180.exe.3ccaf88.4.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
Source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: INV0062180.exe PID: 1512, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: INV0062180.exe PID: 1512, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: Process Memory Space: iqKlcCJyhhi.exe PID: 2912, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: Process Memory Space: iqKlcCJyhhi.exe PID: 2912, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_0103E06C
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EF3EC0
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EFD700
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EF3417
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EFB218
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EFD1EB
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EFD1F0
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EF3EB2
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EF2E28
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EF2E18
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EFADD9
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EFCDA8
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EFCDB8
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EF48E8
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EF48F8
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EF09C1
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EF09D0
Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_08F439A8
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_0234E06C
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_023425D8
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_06853EC0
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_0685D700
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_06853417
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_0685B218
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_0685D1EA
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_0685D1F0
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_06853EB2
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_06852E18
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_06852E28
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_0685CDA8
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_0685CDB8
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_0685ADD9
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_0685ADE0
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_068548E8
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_068548F8
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_068509D0
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_08AF2C88
Source: INV0062180.exe, 00000000.00000002.2122739544.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs INV0062180.exe
Source: INV0062180.exe, 00000000.00000002.2129529492.00000000075B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs INV0062180.exe
Source: INV0062180.exe, 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefbXfjPLUOxpHounQOLpg.exeX vs INV0062180.exe
Source: INV0062180.exe, 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs INV0062180.exe
Source: INV0062180.exe | Binary or memory string: OriginalFilenameAnQd.exeB vs INV0062180.exe
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\INV0062180.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
            Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: uxtheme.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: msasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: gpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: windowscodecs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: edputil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: urlmon.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: iertutil.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: srvcli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: netutils.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: windows.staterepositoryps.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: appresolver.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: bcp47langs.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: slc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: sppc.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: onecorecommonproxystub.dllJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
            Source: INV0062180.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 0.2.INV0062180.exe.3ceb7a8.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.INV0062180.exe.3ceb7a8.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.INV0062180.exe.3ceb7a8.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.INV0062180.exe.3ceb7a8.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 15.2.iqKlcCJyhhi.exe.381b990.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 15.2.iqKlcCJyhhi.exe.381b990.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 15.2.iqKlcCJyhhi.exe.381b990.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 15.2.iqKlcCJyhhi.exe.381b990.5.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 15.2.iqKlcCJyhhi.exe.381b990.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 15.2.iqKlcCJyhhi.exe.381b990.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 15.2.iqKlcCJyhhi.exe.381b990.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 15.2.iqKlcCJyhhi.exe.381b990.5.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.INV0062180.exe.3ccaf88.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.INV0062180.exe.3ccaf88.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.INV0062180.exe.3ccaf88.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.INV0062180.exe.3ccaf88.4.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 15.2.iqKlcCJyhhi.exe.37fb170.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
            Source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: INV0062180.exe PID: 1512, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: INV0062180.exe PID: 1512, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: Process Memory Space: iqKlcCJyhhi.exe PID: 2912, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: Process Memory Space: iqKlcCJyhhi.exe PID: 2912, type: MEMORYSTRMatched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
            Source: INV0062180.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: iqKlcCJyhhi.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, --m.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, --m.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, --.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, --m.csCryptographic APIs: 'TransformFinalBlock'
            Source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, --m.csCryptographic APIs: 'TransformFinalBlock'
            Source: INV0062180.exe, ScheduledTaskManager.csTask registration methods: 'CreateOrUpdateTask', 'CreateOrUpdateTaskUsingStartAt'
            Source: INV0062180.exe, MainForm.csTask registration methods: 'SaveChangesAndCreateTasks'
            Source: iqKlcCJyhhi.exe.0.dr, ScheduledTaskManager.csTask registration methods: 'CreateOrUpdateTask', 'CreateOrUpdateTaskUsingStartAt'
            Source: iqKlcCJyhhi.exe.0.dr, MainForm.csTask registration methods: 'SaveChangesAndCreateTasks'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, Xlpxv7SKIIhupSm8vT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, iksJTtWRndJrRiNTKN.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, iksJTtWRndJrRiNTKN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, iksJTtWRndJrRiNTKN.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, Xlpxv7SKIIhupSm8vT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, iksJTtWRndJrRiNTKN.cs | Security API names: _0020.SetAccessControl
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, iksJTtWRndJrRiNTKN.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, iksJTtWRndJrRiNTKN.cs | Security API names: _0020.AddAccessRule
            Source: 0.2.INV0062180.exe.29fc434.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: 0.2.INV0062180.exe.2a0444c.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: 0.2.INV0062180.exe.6ed0000.7.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@35/15@0/0
            Source: C:\Users\user\Desktop\INV0062180.exe | File created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Mutant created: NULL
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Mutant created: \Sessions\1\BaseNamedObjects\EkyjihnCNCkVdCvnrxHFZzC
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5160:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_03
            Source: C:\Users\user\Desktop\INV0062180.exe | File created: C:\Users\user\AppData\Local\Temp\tmp1E43.tmp
            Source: INV0062180.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: INV0062180.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.79%
            Source: C:\Users\user\Desktop\INV0062180.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\INV0062180.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: INV0062180.exe | ReversingLabs: Detection: 18%
            Source: INV0062180.exe | Virustotal: Detection: 30%
            Source: C:\Users\user\Desktop\INV0062180.exe | File read: C:\Users\user\Desktop\INV0062180.exe
            Source: unknown | Process created: C:\Users\user\Desktop\INV0062180.exe "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Users\user\Desktop\INV0062180.exe "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Users\user\Desktop\INV0062180.exe "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Users\user\Desktop\INV0062180.exe "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Users\user\Desktop\INV0062180.exe "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Users\user\Desktop\INV0062180.exe "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp2D85.tmp"
            Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Process created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Process created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Process created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Process created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Process created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Users\user\Desktop\INV0062180.exe "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Users\user\Desktop\INV0062180.exe "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Users\user\Desktop\INV0062180.exe "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Users\user\Desktop\INV0062180.exe "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Users\user\Desktop\INV0062180.exe "C:\Users\user\Desktop\INV0062180.exe"
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp2D85.tmp"
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Process created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Process created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Process created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Process created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Process created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
            Source: C:\Users\user\Desktop\INV0062180.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Users\user\Desktop\INV0062180.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: INV0062180.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: INV0062180.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
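
            The process tree above is a compact detection case: two PowerShell runs of Add-MpPreference -ExclusionPath, one per binary the dropper wants Defender to ignore; schtasks /Create fed a task definition from a tmp file in %TEMP%; and INV0062180.exe (later iqKlcCJyhhi.exe) launching its own image five times in a row. The Python below is an added example, not part of the Joe Sandbox report, and matches that pattern in process-creation telemetry of the Sysmon Event 1 / Security 4688 kind. The sample events are constructed to mirror the tree above; the PIDs and the two control rows at the end are invented, and the user-writable-directory list, the %TEMP% check and the three-children cut-off are assumptions to tune per environment.

```python
"""Triage of process-creation records for the dropper pattern in the report:
Defender exclusions added from PowerShell, a scheduled task created from an
XML file in %TEMP%, and a binary that repeatedly spawns its own image.

Added example, not Joe Sandbox code. Sample events are constructed to mirror
the report's process tree; PIDs and the two control rows are invented.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process (Sysmon EID 1 "Image")
    cmdline: str    # command line as logged


# Assumptions, not values from the report: directories a standard user
# controls, so an AV exclusion or task definition there is attacker-controlled.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Desktop|Downloads|Documents)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
# Quoted or bare value following the switch (quoted form handles paths with spaces).
EXCLUSION_ARG = re.compile(r'-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_XML_ARG = re.compile(r'/XML\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_NAME_ARG = re.compile(r'/TN\s+(?:"([^"]+)"|(\S+))', re.I)


def _arg(m: "re.Match") -> str:
    return m.group(1) or m.group(2)


def _basename(path: str) -> str:
    # Match on the basename: a 32-bit parent's "System32" is redirected to SysWOW64.
    return path.rsplit("\\", 1)[-1].lower()


def find_defender_exclusions(events: Iterable[ProcEvent]) -> List[Dict[str, Any]]:
    """Every Add-MpPreference -Exclusion* call; a user-writable target is the high-severity case."""
    out = []
    for e in events:
        if _basename(e.image) != "powershell.exe":
            continue
        if not re.search(r"\bAdd-MpPreference\b", e.cmdline, re.I):
            continue
        for m in EXCLUSION_ARG.finditer(e.cmdline):
            path = _arg(m)
            out.append({"rule": "defender_exclusion", "pid": e.pid, "path": path,
                        "user_writable": bool(USER_WRITABLE.search(path))})
    return out


def find_task_from_temp(events: Iterable[ProcEvent]) -> List[Dict[str, Any]]:
    """schtasks /Create whose /XML definition lives in %TEMP% (the dropper's tmpXXXX.tmp)."""
    out = []
    for e in events:
        if _basename(e.image) != "schtasks.exe" or "/create" not in e.cmdline.lower():
            continue
        m = TASK_XML_ARG.search(e.cmdline)
        if m and TEMP_DIR.search(_arg(m)):
            tn = TASK_NAME_ARG.search(e.cmdline)
            out.append({"rule": "schtasks_xml_from_temp", "pid": e.pid,
                        "xml": _arg(m), "task": _arg(tn) if tn else None})
    return out


def find_self_spawn(events: Iterable[ProcEvent], min_children: int = 3) -> List[Dict[str, Any]]:
    """A process launching its own image repeatedly, as an injection target would be (re)created."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    counts: Counter = Counter()
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            counts[e.ppid] += 1
    return [{"rule": "repeated_self_spawn", "pid": p, "children": n}
            for p, n in counts.items() if n >= min_children]


def triage(events: Iterable[ProcEvent]) -> List[Dict[str, Any]]:
    events = list(events)
    return find_defender_exclusions(events) + find_task_from_temp(events) + find_self_spawn(events)


# Constructed sample mirroring the report's tree (PIDs invented).
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
DROPPER = r"C:\Users\user\Desktop\INV0062180.exe"
PAYLOAD = r"C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
TASK_CMD = r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML '

SAMPLE_EVENTS = [
    ProcEvent(1000, 900, DROPPER, f'"{DROPPER}"'),
    ProcEvent(1100, 1000, PS, PS_CMD + f'Add-MpPreference -ExclusionPath "{DROPPER}"'),
    ProcEvent(1200, 1000, PS, PS_CMD + f'Add-MpPreference -ExclusionPath "{PAYLOAD}"'),
    ProcEvent(1300, 1000, SCHTASKS, TASK_CMD + r'"C:\Users\user\AppData\Local\Temp\tmp1E43.tmp"'),
    *[ProcEvent(1400 + i, 1000, DROPPER, f'"{DROPPER}"') for i in range(5)],
    ProcEvent(2000, 800, PAYLOAD, PAYLOAD),
    ProcEvent(2100, 2000, SCHTASKS, TASK_CMD + r'"C:\Users\user\AppData\Local\Temp\tmp2D85.tmp"'),
    *[ProcEvent(2200 + i, 2000, PAYLOAD, f'"{PAYLOAD}"') for i in range(5)],
    # Controls (constructed): a benign PowerShell run and an admin-deployed exclusion.
    ProcEvent(3000, 900, PS, PS_CMD + "Get-Process"),
    ProcEvent(3100, 900, PS, PS_CMD + r'Add-MpPreference -ExclusionPath "C:\Program Files\Vendor\agent.exe"'),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

            Two details matter when this becomes a production rule. The image path is C:\Windows\SysWOW64\...\powershell.exe while the command line names System32, because the 32-bit dropper's reference to System32 is rewritten by WOW64 file-system redirection, so match on the basename rather than the full path. And Add-MpPreference only succeeds from an elevated context, so the attempt is the signal regardless of outcome; whether the exclusion actually took effect is confirmed by Get-MpPreference or by event 5007 in the Microsoft-Windows-Windows Defender/Operational log.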

            Data Obfuscation

            barindex
            Source: INV0062180.exe, MainForm.cs | .Net Code: InitializeComponent
            Source: iqKlcCJyhhi.exe.0.dr, MainForm.cs | .Net Code: InitializeComponent
            Source: 0.2.INV0062180.exe.6eb0000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs | .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, iksJTtWRndJrRiNTKN.cs | .Net Code: QeTGmISYZu System.Reflection.Assembly.Load(byte[])
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, iksJTtWRndJrRiNTKN.cs | .Net Code: QeTGmISYZu System.Reflection.Assembly.Load(byte[])
            Source: 0.2.INV0062180.exe.29e8424.0.raw.unpack, wehuuoKhMKMbnQu72K.cs | .Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
            Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EFE7A3 push esp; retf | 0_2_06EFE7A9
            Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_06EFEBD0 push eax; iretd | 0_2_06EFEBD5
            Source: C:\Users\user\Desktop\INV0062180.exe | Code function: 0_2_08F41DCE push ds; retf | 0_2_08F41DCF
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_04BAB3E0 push eax; ret | 15_2_04BAB413
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_04BAA8F1 push eax; mov dword ptr [esp], ecx | 15_2_04BAA904
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_04BAA900 push eax; mov dword ptr [esp], ecx | 15_2_04BAA904
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | Code function: 15_2_0685E7A2 push esp; retf | 15_2_0685E7A9
            Source: INV0062180.exe | Static PE information: section name: .text entropy: 7.860016994420722
            Source: iqKlcCJyhhi.exe.0.dr | Static PE information: section name: .text entropy: 7.860016994420722
            Source: 0.2.INV0062180.exe.6eb0000.6.raw.unpack, kdFvaMFVPKs73pA7Ae.cs | High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
            Source: 0.2.INV0062180.exe.6eb0000.6.raw.unpack, DD.cs | High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
            Source: 0.2.INV0062180.exe.6eb0000.6.raw.unpack, ihWImL1h2qjtIkVYDh.cs | High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
            Source: 0.2.INV0062180.exe.6eb0000.6.raw.unpack, oImfMJtvGUo8fMQNBQ.cs | High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
            Source: 0.2.INV0062180.exe.6eb0000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs | High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, b2URMXH7d6wXagD8lk.cs | High entropy of concatenated method names: 'ipSBAHjDci', 'g7jBOLtr8r', 'BGcBFx03jU', 'yvuBWafxHE', 'EusB7r9WNt', 'fy5BcQarlU', 'ly8BfS0jcF', 'sLjBJbKrAi', 'hcjBEWQ8mn', 'JmRBqGhRCm'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, LLQWvGzOa9M6402gO9.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'm8V2B3ZRlC', 'JEJ2eiJ5ym', 'SgO24ktBAR', 'iP62hGlTqV', 'fIo2y4hmZj', 'g7g22Vb76v', 'Ka72C8bgTq'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, YcM1OmiAMsZHY1N2rL.cs | High entropy of concatenated method names: 'x1K6n03RQE', 'sPD60eFHJN', 'bib6rDn4Yf', 'nuM6aifRYT', 'QUJ6YMNUOt', 'T9hro9G8UF', 'qdTr5rjP7R', 'BDGrT8eEPK', 'NBNrDi4mB2', 'kUMrKes6YZ'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, KGsyVKlnfjessdMfha.cs | High entropy of concatenated method names: 'hdprt1Vccw', 'XZFrQXMfSS', 'x9cP8wmZDo', 'AxQP7D43MQ', 'EyKPcNw4UK', 'd6bPuHkeQr', 'gW1Pf8NAcV', 'p3uPJplQ5a', 'qRDPUCouQG', 'uYMPEFEjQx'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, GfSCTcaM4beVMfVvVE.cs | High entropy of concatenated method names: 'zfkeEp0fol', 'vwaeMpEwoj', 'XXweSlYmJX', 'PA8exDJUko', 'UngeWMrxcV', 'KTte8VU5Tu', 'Qshe7OM1OP', 'ENrecSb0Ov', 'M8AeuDIuCP', 'K8Yefn9cMW'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, Xlpxv7SKIIhupSm8vT.cs | High entropy of concatenated method names: 'Ifn0SvUb9w', 'WWR0xD6DSI', 'PxM01dORcD', 'yQa0lw7mL2', 'Hhy0okYuLo', 'kZx05rvIkQ', 'XtM0T52sGb', 'Bhf0DdNpsV', 'CAm0Ks0ys5', 'W8X0VBM4nZ'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, WXcS0UkUF4Ln84ubP1.cs | High entropy of concatenated method names: 'LfehDun2d0', 'DNEhVrSRep', 'jJOyZych6F', 'K8Iy3uXuHx', 'ivmhqIKaly', 'r5BhMWN6yk', 'fZyhwm66hL', 'JuuhSMUrAu', 'JSZhxRVSYJ', 'Ih0h1WLr6i'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, Jj75kMsOXJM206xGaj.cs | High entropy of concatenated method names: 'Dispose', 'GHN3K4VMg4', 'tRLIWyFuVY', 'aENRR1tjAs', 'u6Q3VOpBwZ', 'QDU3zeaiU8', 'ProcessDialogKey', 'q14IZP22Ab', 'vpVI3aRSTE', 'OTnII5wsZL'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, Qv80YWxeePkMTWbGMC.cs | High entropy of concatenated method names: 'Lq0233Mcdy', 'UUH2gfxJWK', 'SlU2G7XWeQ', 'fyj29Eb2hS', 'Pv420y1C5U', 'UDJ2rA95KE', 'UOf26nVk9Q', 'JhoyTWBfPo', 'v1syD15wkv', 'PEsyK6p449'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, XGoZsef1qOI6fn4P3q.cs | High entropy of concatenated method names: 'TOwajrAXLg', 'MVQabmBhLH', 'dRaamORnxj', 'g4IaduWlJ3', 'yqratSLPm6', 'gv5akbA0HS', 'vilaQi5qFS', 'J1haA2weGw', 'uB9aOujeyj', 'e3yain1rv1'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, JnRvWVUVUHFRPDMhtf.cs | High entropy of concatenated method names: 'MxByFA2yEQ', 'zfdyWtKQqN', 'u08y8ZbcWP', 'omGy7cbBUB', 'Q7xyS9CGkL', 'UfcycILKal', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, fHVPK5eaZAyYUNB5py.cs | High entropy of concatenated method names: 'Skfmg7cKl', 'TLddeT7Nj', 'qokkw7uTY', 'yiLQ1Pmbk', 'jkBOqUDMV', 'DhyiUcEpK', 'HDPdQ5FWJTNCxYhory', 'SHuPCyncXUIBYeWOxH', 'SbjygmtZw', 'vsuCdB1gS'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, I8qvdG4w8vQ48fQL69.cs | High entropy of concatenated method names: 'jW33aKoFZT', 'o4C3YIkcJ3', 'rQZ3LUBeQh', 'Qht3NqwJ52', 'B3q3e1h5BN', 'bsn34fnIcp', 'piQ1kMHGXAxoZZZYR8', 'lC8aaXkJ91xd9iCTel', 'pQJ33wp0VO', 'MOu3g7q8vP'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, iksJTtWRndJrRiNTKN.cs | High entropy of concatenated method names: 'H44gn784lF', 'egkg9Ha8bi', 'qQXg0HyNj2', 'sF7gPhO64K', 'z2MgrJmdH0', 'T7rg6wQwOG', 'y1AgaNgKkk', 'QZKgYgr05C', 'blBgpJSrhX', 'F8dgLKY9of'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, etypiHgDyU0WdGhoUx.cs | High entropy of concatenated method names: 'KUNhLmocoi', 'hC7hNRcTLV', 'ToString', 'dYeh9EhkQX', 'Enih04mfuJ', 'ng6hPpLLRY', 'bRJhryraJ9', 'PSEh6a5COG', 'N8bhaIEfnp', 'gbehYk2seQ'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, PnJfdBDpF6tMmwkjDx.cs | High entropy of concatenated method names: 'ToString', 'sq64q2lOrR', 'veq4W87jnX', 'HaL48NCWiK', 'M1S47oZXOr', 'RsR4cA2cdk', 'p9b4uZNSd2', 'APV4fqCwjV', 'uyC4J613le', 'Gvl4UTLWcV'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, orDyxlObkavATTLWBM.cs | High entropy of concatenated method names: 'PRdy92YnqB', 'ekFy0s0dty', 'YXTyPjnJMQ', 'ulmyrr5kG6', 'FC5y6dIYVw', 'P6TyaOk7m8', 'l2CyYbEdSv', 'UkZypTdijk', 'AanyLgOW4K', 'XqByNfeMV6'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, jW0RenmmBSnn4UVy2g.cs | High entropy of concatenated method names: 'XiDPd5sS1u', 'vU9PkA1Vfu', 'geqPAiBHZx', 'RS4POP5xF7', 'Y3JPe6SbV0', 'cH7P4EweKy', 'kg9PhnZFoA', 'dUvPyYuIoP', 'UZ7P2OYpUL', 'CsDPCfSTiS'
            Source: 0.2.INV0062180.exe.3d393a0.5.raw.unpack, elDUQFyrSITPACXNlLO.cs | High entropy of concatenated method names: 'WLJ2jCQSGL', 'GCS2bgSEyG', 'Jno2m1PJ9K', 'EoY2dv9JD4', 'X552t48y2r', 'oaQ2kV8eWu', 'T1e2QQeChe', 'WFD2AbsJEy', 'M3B2OX7TVk', 'HR12iy6aPk'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, b2URMXH7d6wXagD8lk.cs | High entropy of concatenated method names: 'ipSBAHjDci', 'g7jBOLtr8r', 'BGcBFx03jU', 'yvuBWafxHE', 'EusB7r9WNt', 'fy5BcQarlU', 'ly8BfS0jcF', 'sLjBJbKrAi', 'hcjBEWQ8mn', 'JmRBqGhRCm'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, LLQWvGzOa9M6402gO9.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'm8V2B3ZRlC', 'JEJ2eiJ5ym', 'SgO24ktBAR', 'iP62hGlTqV', 'fIo2y4hmZj', 'g7g22Vb76v', 'Ka72C8bgTq'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, YcM1OmiAMsZHY1N2rL.cs | High entropy of concatenated method names: 'x1K6n03RQE', 'sPD60eFHJN', 'bib6rDn4Yf', 'nuM6aifRYT', 'QUJ6YMNUOt', 'T9hro9G8UF', 'qdTr5rjP7R', 'BDGrT8eEPK', 'NBNrDi4mB2', 'kUMrKes6YZ'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, KGsyVKlnfjessdMfha.cs | High entropy of concatenated method names: 'hdprt1Vccw', 'XZFrQXMfSS', 'x9cP8wmZDo', 'AxQP7D43MQ', 'EyKPcNw4UK', 'd6bPuHkeQr', 'gW1Pf8NAcV', 'p3uPJplQ5a', 'qRDPUCouQG', 'uYMPEFEjQx'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, GfSCTcaM4beVMfVvVE.cs | High entropy of concatenated method names: 'zfkeEp0fol', 'vwaeMpEwoj', 'XXweSlYmJX', 'PA8exDJUko', 'UngeWMrxcV', 'KTte8VU5Tu', 'Qshe7OM1OP', 'ENrecSb0Ov', 'M8AeuDIuCP', 'K8Yefn9cMW'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, Xlpxv7SKIIhupSm8vT.cs | High entropy of concatenated method names: 'Ifn0SvUb9w', 'WWR0xD6DSI', 'PxM01dORcD', 'yQa0lw7mL2', 'Hhy0okYuLo', 'kZx05rvIkQ', 'XtM0T52sGb', 'Bhf0DdNpsV', 'CAm0Ks0ys5', 'W8X0VBM4nZ'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, WXcS0UkUF4Ln84ubP1.cs | High entropy of concatenated method names: 'LfehDun2d0', 'DNEhVrSRep', 'jJOyZych6F', 'K8Iy3uXuHx', 'ivmhqIKaly', 'r5BhMWN6yk', 'fZyhwm66hL', 'JuuhSMUrAu', 'JSZhxRVSYJ', 'Ih0h1WLr6i'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, Jj75kMsOXJM206xGaj.cs | High entropy of concatenated method names: 'Dispose', 'GHN3K4VMg4', 'tRLIWyFuVY', 'aENRR1tjAs', 'u6Q3VOpBwZ', 'QDU3zeaiU8', 'ProcessDialogKey', 'q14IZP22Ab', 'vpVI3aRSTE', 'OTnII5wsZL'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, Qv80YWxeePkMTWbGMC.cs | High entropy of concatenated method names: 'Lq0233Mcdy', 'UUH2gfxJWK', 'SlU2G7XWeQ', 'fyj29Eb2hS', 'Pv420y1C5U', 'UDJ2rA95KE', 'UOf26nVk9Q', 'JhoyTWBfPo', 'v1syD15wkv', 'PEsyK6p449'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, XGoZsef1qOI6fn4P3q.cs | High entropy of concatenated method names: 'TOwajrAXLg', 'MVQabmBhLH', 'dRaamORnxj', 'g4IaduWlJ3', 'yqratSLPm6', 'gv5akbA0HS', 'vilaQi5qFS', 'J1haA2weGw', 'uB9aOujeyj', 'e3yain1rv1'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, JnRvWVUVUHFRPDMhtf.cs | High entropy of concatenated method names: 'MxByFA2yEQ', 'zfdyWtKQqN', 'u08y8ZbcWP', 'omGy7cbBUB', 'Q7xyS9CGkL', 'UfcycILKal', 'Next', 'Next', 'Next', 'NextBytes'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, fHVPK5eaZAyYUNB5py.cs | High entropy of concatenated method names: 'Skfmg7cKl', 'TLddeT7Nj', 'qokkw7uTY', 'yiLQ1Pmbk', 'jkBOqUDMV', 'DhyiUcEpK', 'HDPdQ5FWJTNCxYhory', 'SHuPCyncXUIBYeWOxH', 'SbjygmtZw', 'vsuCdB1gS'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, I8qvdG4w8vQ48fQL69.cs | High entropy of concatenated method names: 'jW33aKoFZT', 'o4C3YIkcJ3', 'rQZ3LUBeQh', 'Qht3NqwJ52', 'B3q3e1h5BN', 'bsn34fnIcp', 'piQ1kMHGXAxoZZZYR8', 'lC8aaXkJ91xd9iCTel', 'pQJ33wp0VO', 'MOu3g7q8vP'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, iksJTtWRndJrRiNTKN.cs | High entropy of concatenated method names: 'H44gn784lF', 'egkg9Ha8bi', 'qQXg0HyNj2', 'sF7gPhO64K', 'z2MgrJmdH0', 'T7rg6wQwOG', 'y1AgaNgKkk', 'QZKgYgr05C', 'blBgpJSrhX', 'F8dgLKY9of'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, etypiHgDyU0WdGhoUx.cs | High entropy of concatenated method names: 'KUNhLmocoi', 'hC7hNRcTLV', 'ToString', 'dYeh9EhkQX', 'Enih04mfuJ', 'ng6hPpLLRY', 'bRJhryraJ9', 'PSEh6a5COG', 'N8bhaIEfnp', 'gbehYk2seQ'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, PnJfdBDpF6tMmwkjDx.cs | High entropy of concatenated method names: 'ToString', 'sq64q2lOrR', 'veq4W87jnX', 'HaL48NCWiK', 'M1S47oZXOr', 'RsR4cA2cdk', 'p9b4uZNSd2', 'APV4fqCwjV', 'uyC4J613le', 'Gvl4UTLWcV'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, orDyxlObkavATTLWBM.cs | High entropy of concatenated method names: 'PRdy92YnqB', 'ekFy0s0dty', 'YXTyPjnJMQ', 'ulmyrr5kG6', 'FC5y6dIYVw', 'P6TyaOk7m8', 'l2CyYbEdSv', 'UkZypTdijk', 'AanyLgOW4K', 'XqByNfeMV6'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, jW0RenmmBSnn4UVy2g.cs | High entropy of concatenated method names: 'XiDPd5sS1u', 'vU9PkA1Vfu', 'geqPAiBHZx', 'RS4POP5xF7', 'Y3JPe6SbV0', 'cH7P4EweKy', 'kg9PhnZFoA', 'dUvPyYuIoP', 'UZ7P2OYpUL', 'CsDPCfSTiS'
            Source: 0.2.INV0062180.exe.75b0000.8.raw.unpack, elDUQFyrSITPACXNlLO.cs | High entropy of concatenated method names: 'WLJ2jCQSGL', 'GCS2bgSEyG', 'Jno2m1PJ9K', 'EoY2dv9JD4', 'X552t48y2r', 'oaQ2kV8eWu', 'T1e2QQeChe', 'WFD2AbsJEy', 'M3B2OX7TVk', 'HR12iy6aPk'
            Source: 0.2.INV0062180.exe.29e8424.0.raw.unpack, kdFvaMFVPKs73pA7Ae.cs | High entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
            Source: 0.2.INV0062180.exe.29e8424.0.raw.unpack, DD.cs | High entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
            Source: 0.2.INV0062180.exe.29e8424.0.raw.unpack, ihWImL1h2qjtIkVYDh.cs | High entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
            Source: 0.2.INV0062180.exe.29e8424.0.raw.unpack, oImfMJtvGUo8fMQNBQ.cs | High entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
            Source: 0.2.INV0062180.exe.29e8424.0.raw.unpack, wehuuoKhMKMbnQu72K.cs | High entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
            Source: C:\Users\user\Desktop\INV0062180.exe | File created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
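
            Two of the findings above rest on the same measurement. The .text section entropy of 7.86 bits per byte says the section is close to the 8.0 ceiling of random data, which fits the Assembly.Load(byte[]) rows: the real payload is stored encrypted or compressed and only becomes readable MSIL after it is decoded and loaded in memory, which is why most rows cite unpacked memory regions (the .raw.unpack sources) rather than the file on disk. The "High entropy of concatenated method names" rows show what a renaming obfuscator leaves behind: every identifier replaced by a random mixed-case string with digits, next to a few framework names (Dispose, ToString, MoveNext) that cannot be renamed. The script below is an added example, not Joe Sandbox's implementation; it computes Shannon entropy for bytes and for name lists and pairs the name entropy with a second signal, digits inside identifiers, so the check is less sensitive to a handful of unusual real names. The method names are copied from the kdFvaMFVPKs73pA7Ae.cs row, the section byte buffers are constructed, and all three thresholds are assumptions.

```python
"""Shannon entropy as used by the two obfuscation heuristics above: the entropy
of a PE section's bytes (7.86 bits/byte for .text in the report) and the entropy
of an assembly's concatenated method names.

Added example, not Joe Sandbox's implementation. Thresholds are assumptions.
"""
import math
from collections import Counter
from typing import Iterable, Sequence, Union


def shannon_entropy(data: Union[bytes, str]) -> float:
    """Bits per symbol: 0.0 for a constant input, log2(k) for k equiprobable symbols."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Packed or encrypted code tends to sit above ~7.2 bits/byte; native and MSIL
# code sits well below. Assumed threshold, tune against a corpus of clean files.
PACKED_THRESHOLD = 7.2


def section_looks_packed(section: bytes, threshold: float = PACKED_THRESHOLD) -> bool:
    return shannon_entropy(section) > threshold


def method_name_entropy(names: Iterable[str]) -> float:
    """Entropy of the concatenated names, the quantity the report's rows describe."""
    return shannon_entropy("".join(names))


def digit_fraction(names: Sequence[str]) -> float:
    """Share of names containing a digit; hand-written identifiers rarely do."""
    if not names:
        return 0.0
    return sum(any(ch.isdigit() for ch in n) for n in names) / len(names)


NAME_ENTROPY_THRESHOLD = 4.8    # assumption
DIGIT_FRACTION_THRESHOLD = 0.5  # assumption


def looks_obfuscated(names: Sequence[str]) -> bool:
    """Require both signals, so a short list of unusual but real names does not trip it."""
    return (method_name_entropy(names) > NAME_ENTROPY_THRESHOLD
            and digit_fraction(names) > DIGIT_FRACTION_THRESHOLD)


# Names copied from the report's kdFvaMFVPKs73pA7Ae.cs finding.
OBFUSCATED = ['jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9',
              'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ',
              'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5',
              'KrHGd2G9wj507LdZGDe']
# Ordinary .NET member names of the kind the same report lists alongside them.
PLAIN = ['Dispose', 'ToString', 'CanConvertFrom', 'ConvertFrom', 'ConvertTo',
         'MoveNext', 'ProcessDialogKey', 'Next', 'NextBytes']

# Constructed stand-ins for section bytes: every byte value equally often
# (the 8.0 bits/byte ceiling) versus a mostly-zero buffer.
UNIFORM_SECTION = bytes(range(256)) * 4
SPARSE_SECTION = b"MZ" + b"\x00" * 1022

if __name__ == "__main__":
    for label, buf in (("uniform", UNIFORM_SECTION), ("sparse", SPARSE_SECTION)):
        print(f"{label} bytes: {shannon_entropy(buf):.3f} bits/byte, "
              f"packed={section_looks_packed(buf)}")
    for label, names in (("obfuscated", OBFUSCATED), ("plain", PLAIN)):
        print(f"{label} names: entropy={method_name_entropy(names):.2f} "
              f"digits={digit_fraction(names):.2f} obfuscated={looks_obfuscated(names)}")
```

            Entropy over a dozen short names is noisy, which is why the check demands both signals; the thresholds should be set from a corpus of clean assemblies, not from one sample. Section entropy is the cheaper triage signal and applies to the file on disk before any unpacking, but it only says that something is packed or encrypted, not what it decodes to; the method-name view needs the unpacked regions the report's .raw.unpack rows come from.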

            Boot Survival

            barindex
            Source: C:\Users\user\Desktop\INV0062180.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp"
            Source: C:\Users\user\Desktop\INV0062180.exe | Process information set: NOOPENFILEERRORBOX (46 identical entries)
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match - File source: Process Memory Space: INV0062180.exe PID: 1512, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: iqKlcCJyhhi.exe PID: 2912, type: MEMORYSTR
Source: C:\Users\user\Desktop\INV0062180.exe - Memory allocated: FC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INV0062180.exe - Memory allocated: 29C0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INV0062180.exe - Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INV0062180.exe - Memory allocated: 7620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INV0062180.exe - Memory allocated: 8620000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INV0062180.exe - Memory allocated: 7620000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Memory allocated: 2340000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Memory allocated: 24F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Memory allocated: 44F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Memory allocated: 6DA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Memory allocated: 7DA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Memory allocated: 6DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\INV0062180.exe - Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477 (4 identical entries)
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 5755
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 1027
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6307
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 650
Source: C:\Users\user\Desktop\INV0062180.exe TID: 3800 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4832 - Thread sleep count: 5755 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3472 - Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7008 - Thread sleep count: 1027 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1592 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3744 - Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 424 - Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe TID: 4948 - Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Last function: Thread delayed (2 identical entries)
Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed (2 identical entries)
Source: C:\Users\user\Desktop\INV0062180.exe - Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477 (4 identical entries)
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Thread delayed: delay time: 922337203685477
Source: iqKlcCJyhhi.exe, 0000000F.00000002.2166365857.00000000008D9000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: C:\Users\user\Desktop\INV0062180.exe - Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\INV0062180.exe - Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug (2 identical entries)
Source: C:\Users\user\Desktop\INV0062180.exe - Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\INV0062180.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe"
Source: C:\Users\user\Desktop\INV0062180.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
Source: C:\Users\user\Desktop\INV0062180.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe"
Source: C:\Users\user\Desktop\INV0062180.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
Source: C:\Users\user\Desktop\INV0062180.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe"
Source: C:\Users\user\Desktop\INV0062180.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
Source: C:\Users\user\Desktop\INV0062180.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp"
Source: C:\Users\user\Desktop\INV0062180.exe - Process created: C:\Users\user\Desktop\INV0062180.exe "C:\Users\user\Desktop\INV0062180.exe" (5 identical entries)
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp2D85.tmp"
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Process created: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe" (5 identical entries)
Source: C:\Users\user\Desktop\INV0062180.exe - Queries volume information: C:\Users\user\Desktop\INV0062180.exe VolumeInformation
Source: C:\Users\user\Desktop\INV0062180.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\INV0062180.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\INV0062180.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\INV0062180.exe - Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\INV0062180.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (6 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (3 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (2 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (5 identical entries)
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Queries volume information: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\INV0062180.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match - File source: 0.2.INV0062180.exe.3ceb7a8.3.unpack, type: UNPACKEDPE
Source: Yara match - File source: 15.2.iqKlcCJyhhi.exe.381b990.5.unpack, type: UNPACKEDPE
Source: Yara match - File source: 15.2.iqKlcCJyhhi.exe.381b990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.INV0062180.exe.3ccaf88.4.unpack, type: UNPACKEDPE
Source: Yara match - File source: 15.2.iqKlcCJyhhi.exe.37fb170.3.unpack, type: UNPACKEDPE
Source: Yara match - File source: 15.2.iqKlcCJyhhi.exe.37fb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: INV0062180.exe PID: 1512, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: iqKlcCJyhhi.exe PID: 2912, type: MEMORYSTR
Source: Yara match - File source: 0.2.INV0062180.exe.3ceb7a8.3.unpack, type: UNPACKEDPE
Source: Yara match - File source: 15.2.iqKlcCJyhhi.exe.381b990.5.unpack, type: UNPACKEDPE
Source: Yara match - File source: 15.2.iqKlcCJyhhi.exe.381b990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.INV0062180.exe.3ccaf88.4.unpack, type: UNPACKEDPE
Source: Yara match - File source: 15.2.iqKlcCJyhhi.exe.37fb170.3.unpack, type: UNPACKEDPE
Source: Yara match - File source: 15.2.iqKlcCJyhhi.exe.37fb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: INV0062180.exe PID: 1512, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: iqKlcCJyhhi.exe PID: 2912, type: MEMORYSTR

Remote Access Functionality

Source: Yara match - File source: 0.2.INV0062180.exe.3ceb7a8.3.unpack, type: UNPACKEDPE
Source: Yara match - File source: 15.2.iqKlcCJyhhi.exe.381b990.5.unpack, type: UNPACKEDPE
Source: Yara match - File source: 15.2.iqKlcCJyhhi.exe.381b990.5.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.INV0062180.exe.3ccaf88.4.unpack, type: UNPACKEDPE
Source: Yara match - File source: 15.2.iqKlcCJyhhi.exe.37fb170.3.unpack, type: UNPACKEDPE
Source: Yara match - File source: 15.2.iqKlcCJyhhi.exe.37fb170.3.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.INV0062180.exe.3ceb7a8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0.2.INV0062180.exe.3ccaf88.4.raw.unpack, type: UNPACKEDPE
Source: Yara match - File source: 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match - File source: Process Memory Space: INV0062180.exe PID: 1512, type: MEMORYSTR
Source: Yara match - File source: Process Memory Space: iqKlcCJyhhi.exe PID: 2912, type: MEMORYSTR
MITRE ATT&CK matrix. Techniques flagged by signatures carry the matrix badge value in square brackets; the other entries are the unflagged cells of the matrix, listed per tactic column.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Scheduled Task/Job [11], Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: Scheduled Task/Job [11], DLL Side-Loading [1], Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection [11], Scheduled Task/Job [11], DLL Side-Loading [1], Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading [1], Disable or Modify Tools [11], Virtualization/Sandbox Evasion [31], Process Injection [11], Deobfuscate/Decode Files or Information [1], Obfuscated Files or Information [2], Software Packing [12], DLL Side-Loading [1]
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery [11], Process Discovery [1], Virtualization/Sandbox Evasion [31], Application Window Discovery [1], File and Directory Discovery [1], System Information Discovery [12], Remote System Discovery, System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data [11], Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel [1], Junk Data, Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
Behavior Graph (ID 1415798, sample INV0062180.exe, start date 26/03/2024, architecture WINDOWS, score 100). Numbers in brackets are the node badges shown in the graph.

Top-level signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 7 other signatures

INV0062180.exe [7] (started)
  dropped: C:\Users\user\AppData\...\iqKlcCJyhhi.exe, PE32
  dropped: C:\Users\user\AppData\Local\...\tmp1E43.tmp, XML
  signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
  -> powershell.exe [22] (started)
       -> WmiPrvSE.exe (started)
       -> conhost.exe (started)
  -> powershell.exe [23] (started)
       -> conhost.exe (started)
  -> schtasks.exe [1] (started)
       -> conhost.exe (started)
  -> 5 other processes
iqKlcCJyhhi.exe [5] (started)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  -> schtasks.exe [1] (started)
       -> conhost.exe (started)
  -> iqKlcCJyhhi.exe (started)
  -> iqKlcCJyhhi.exe (started)
  -> 3 other processes
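The graph shows INV0062180.exe launching two powershell.exe children, and the signatures say one of them added a Windows Defender exclusion through a Base64-encoded MpPreference cmdlet. The report does not print that command line. The Python below is an added example, not part of the report and not the sample's code: it decodes PowerShell's -EncodedCommand argument (Base64 over UTF-16LE text, accepting every prefix of the switch PowerShell allows), then flags Add/Set/Remove-MpPreference and the paths it excludes. The sample command line, the excluded directory and the benign comparison line are constructed for the example; the directory actually excluded by this sample is not shown in the report.

```python
import base64
import binascii
import re

# Every unambiguous prefix PowerShell accepts for -EncodedCommand, plus the -ec alias.
ENCODED_FLAGS = {"-" + "encodedcommand"[:n] for n in range(1, 15)} | {"-ec"}
MP_MUTATOR = re.compile(r"\b(?:Add|Set|Remove)-MpPreference\b", re.I)
EXCLUSION_ARG = re.compile(
    r"-Exclusion(?:Path|Process|Extension)\s+(?:\"([^\"]+)\"|'([^']+)'|(\S+))", re.I)
USER_DIR = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents|Temp)\b"
    r"|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE)%", re.I)

# Constructed for this example: the report states that a Base64-encoded MpPreference
# cmdlet added a directory exclusion but does not print the command line. The excluded
# directory below is an assumption modelled on where the dropped copy lives.
_SAMPLE_SCRIPT = 'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming"'
SAMPLE_CMDLINE = ("powershell.exe -WindowStyle Hidden -enc "
                  + base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii"))
BENIGN_CMDLINE = "powershell.exe -NoProfile -Command Get-MpPreference"


def decode_encoded_command(cmdline: str):
    """Return the script behind -EncodedCommand (Base64 of UTF-16LE), or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() in ENCODED_FLAGS:
            blob = tokens[i + 1]
            blob += "=" * (-len(blob) % 4)  # normalise padding before strict decoding
            try:
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def triage_powershell_cmdline(cmdline: str) -> dict:
    """Flag Defender tampering in a powershell.exe command line, encoded or not."""
    findings = []
    script = decode_encoded_command(cmdline)
    if script is None:
        script = cmdline
    else:
        findings.append("encoded_command")
    if MP_MUTATOR.search(script):
        findings.append("mppreference_modified")
    # Each alternative in EXCLUSION_ARG captures into a different group; only one is set.
    exclusions = ["".join(m.groups(default="")) for m in EXCLUSION_ARG.finditer(script)]
    if exclusions:
        findings.append("defender_exclusion")
        if any(USER_DIR.search(p) for p in exclusions):
            findings.append("exclusion_in_user_writable_dir")
    return {"decoded": script, "exclusions": exclusions, "findings": findings}


if __name__ == "__main__":
    print(triage_powershell_cmdline(SAMPLE_CMDLINE))
    print(triage_powershell_cmdline(BENIGN_CMDLINE))
```

Feed it the command line from a Sysmon event 1 or a 4688 record; the decoded text is what a Sigma rule such as the one cited in the report actually matches against. Read-only Get-MpPreference is deliberately not flagged.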

Source | Detection | Scanner | Label
INV0062180.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
INV0062180.exe | 31% | Virustotal | Browse
INV0062180.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe | 31% | Virustotal | Browse
            No Antivirus matches
Source | Detection | Scanner | Label
http://checkip.dyndns.org/q | 0% | URL Reputation | safe
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe
http://dev.neptuo.com | 0% | Avira URL Cloud | safe
https://scratchdreams.tk | 0% | Avira URL Cloud | safe
http://dev.neptuo.com | 0% | Virustotal | Browse
https://scratchdreams.tk | 14% | Virustotal | Browse
            No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | INV0062180.exe, 00000000.00000002.2123632910.0000000002A22000.00000004.00000800.00020000.00000000.sdmp; iqKlcCJyhhi.exe, 0000000F.00000002.2166996658.0000000002552000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://dev.neptuo.com | iqKlcCJyhhi.exe.0.dr | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://checkip.dyndns.org/q | INV0062180.exe, 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp; iqKlcCJyhhi.exe, 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://scratchdreams.tk | INV0062180.exe, 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp; iqKlcCJyhhi.exe, 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp | false | 14%, Virustotal, Browse; Avira URL Cloud: safe | unknown
https://reallyfreegeoip.org/xml/ | INV0062180.exe, 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp; iqKlcCJyhhi.exe, 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              No contacted IP infos
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1415798
              Start date and time:2024-03-26 13:55:21 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 20s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:27
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:INV0062180.exe
              Detection:MAL
              Classification:mal100.troj.evad.winEXE@35/15@0/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 149
              • Number of non-executed functions: 16
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size getting too big, too many NtCreateKey calls found.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
13:56:09 | API Interceptor | 1x Sleep call for process: INV0062180.exe modified
13:56:11 | API Interceptor | 26x Sleep call for process: powershell.exe modified
13:56:13 | Task Scheduler | Run new task: iqKlcCJyhhi path: C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
13:56:13 | API Interceptor | 1x Sleep call for process: iqKlcCJyhhi.exe modified
              No context
              Process:C:\Users\user\Desktop\INV0062180.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1216
              Entropy (8bit):5.34331486778365
              Encrypted:false
              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
              MD5:1330C80CAAC9A0FB172F202485E9B1E8
              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
              Malicious:false
              Reputation:high, very likely benign file
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
              Process:C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):1216
              Entropy (8bit):5.34331486778365
              Encrypted:false
              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
              MD5:1330C80CAAC9A0FB172F202485E9B1E8
              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
              Malicious:false
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:data
              Category:dropped
              Size (bytes):2232
              Entropy (8bit):5.380805901110357
              Encrypted:false
              SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeC/ZPUyus:lGLHyIFKL3IZ2KRH9Oug8s
              MD5:16AD599332DD2FF94DA0787D71688B62
              SHA1:02F738694B02E84FFE3BAB7DE5709001823C6E40
              SHA-256:452876FE504FC0DBEDBD7F8467E94F6E80002DB4572D02C723ABC69F8DF0B367
              SHA-512:A96158FDFFA424A4AC01220EDC789F3236C03AAA6A7C1A3D8BE62074B4923957E6CFEEB6E8852F9064093E0A290B0E56E4B5504D18113A7983F48D5388CEC747
              Malicious:false
              Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              File Type:ASCII text, with no line terminators
              Category:dropped
              Size (bytes):60
              Entropy (8bit):4.038920595031593
              Encrypted:false
              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
              MD5:D17FE0A3F47BE24A6453E9EF58C94641
              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
              Malicious:false
              Preview:# PowerShell test file to determine AppLocker lockdown mode
(Seven further files dropped by C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe are identical to the entry above: ASCII text, 60 bytes, MD5 D17FE0A3F47BE24A6453E9EF58C94641, SHA-256 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7, content "# PowerShell test file to determine AppLocker lockdown mode", not malicious.)
              Process:C:\Users\user\Desktop\INV0062180.exe
              File Type:XML 1.0 document, ASCII text
              Category:dropped
              Size (bytes):1598
              Entropy (8bit):5.102269561634269
              Encrypted:false
              SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLTxvn:cge7QYrFdOFzOzN33ODOiDdKrsuThv
              MD5:3F886CF3DAD34404894140351E999DDE
              SHA1:4656CDF785A47479A66026AB25F52A46638213C1
              SHA-256:4143158429615B630DEEABDBD17C4391CA68A565EE026F1C18FCF4F6EA176312
              SHA-512:B2668B1D8E3AA294C955DB82277B61594AE4B3B2F368F5D99046C9A076D4E668DEEB78CA54DBFE308265C6BD4C02B005BB3B6038C510FFBD146A983FBD23F91D
              Malicious:true
              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
              Process:C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
              File Type:XML 1.0 document, ASCII text
              Category:dropped
              Size (bytes):1598
              Entropy (8bit):5.102269561634269
              Encrypted:false
              SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLTxvn:cge7QYrFdOFzOzN33ODOiDdKrsuThv
              MD5:3F886CF3DAD34404894140351E999DDE
              SHA1:4656CDF785A47479A66026AB25F52A46638213C1
              SHA-256:4143158429615B630DEEABDBD17C4391CA68A565EE026F1C18FCF4F6EA176312
              SHA-512:B2668B1D8E3AA294C955DB82277B61594AE4B3B2F368F5D99046C9A076D4E668DEEB78CA54DBFE308265C6BD4C02B005BB3B6038C510FFBD146A983FBD23F91D
              Malicious:false
              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
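Both the dropper and its %AppData% copy write this task definition, and the preview is cut off inside <Settings>. The Python below is an added example, not from the report or the sample, of triaging a task XML of this shape: it reads the triggers, the principal's run level and the Exec command, then flags an enabled LogonTrigger, a command under a user-writable directory, a hidden task, and a registration date far older than the observation time (a 2014 date on a file dropped in 2024 points to a reused template). The embedded XML reproduces the preview and completes it with an assumed tail of <Settings> and an <Actions> block pointing at the path the Task Scheduler timeline records; those completions are assumptions, not report content.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Where a task's binary is normally expected to live, and where droppers put theirs.
TRUSTED_DIR = re.compile(r"^[A-Za-z]:\\(Windows|Program Files( \(x86\))?)\\", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)

# Constructed for this example: the report's preview of the dropped task XML,
# completed with an assumed tail of <Settings> and an <Actions> block that points
# at the path the Task Scheduler timeline shows being registered.
SAMPLE_TASK_XML = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\iqKlcCJyhhi.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def triage_task_xml(xml_text: str, observed_at_iso: str) -> dict:
    """Summarise a Task Scheduler XML and return the findings a responder cares about."""
    # The on-disk file declares UTF-16; we already hold decoded text, so drop the
    # declaration rather than let the parser argue about the encoding.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    root = ET.fromstring(body)
    findings = []

    triggers = []
    triggers_el = root.find("t:Triggers", NS)
    for trig in ([] if triggers_el is None else list(triggers_el)):
        name = _local(trig.tag)
        enabled = trig.findtext("t:Enabled", "true", NS).strip().lower() == "true"
        triggers.append((name, enabled))
        if name == "LogonTrigger" and enabled:
            findings.append("logon_trigger")

    commands = [c.text.strip() for c in root.findall(".//t:Exec/t:Command", NS) if c.text]
    for cmd in commands:
        if USER_WRITABLE.search(cmd):
            findings.append("command_in_user_writable_dir")
        elif not TRUSTED_DIR.match(cmd):
            findings.append("command_outside_trusted_dirs")

    # A registration date years before the drop usually means a copied template.
    reg_text = root.findtext("t:RegistrationInfo/t:Date", "", NS)
    registered = datetime.fromisoformat(re.sub(r"\.\d+$", "", reg_text)) if reg_text else None
    observed = datetime.fromisoformat(observed_at_iso)
    if registered is not None and (observed - registered).days > 365:
        findings.append("stale_registration_date")

    if root.findtext("t:Settings/t:Hidden", "false", NS).strip().lower() == "true":
        findings.append("hidden_task")

    return {
        "commands": commands,
        "triggers": triggers,
        "registration_date": reg_text,
        "run_level": root.findtext("t:Principals/t:Principal/t:RunLevel", "", NS),
        "findings": findings,
    }


if __name__ == "__main__":
    print(triage_task_xml(SAMPLE_TASK_XML, "2024-03-26T13:56:13"))
```

On a live host the same checks can be run over the XML files under C:\Windows\System32\Tasks, which are stored as UTF-16LE with a BOM; decode them before calling the function. The run level here is LeastPrivilege, which matches the report's signature set (no UAC bypass, persistence only).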
              Process:C:\Users\user\Desktop\INV0062180.exe
              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Category:dropped
              Size (bytes):609280
              Entropy (8bit):7.840578969294862
              Encrypted:false
              SSDEEP:12288:0CJakWa5WOUDYTYoieWKMQUs31FjKQYObJKekDP3Z9:L0ky5Dbo7WKMxsFQ/OdKr9
              MD5:6AEF5F1931BD1407F891B037B994414E
              SHA1:A12E03D4A77C16CC9265EDFC14DDC3E42AE1818E
              SHA-256:3510D84F8B7C07DB80EAF1F190FF3727C3AE95921CAB2D308A711B1E14F62099
              SHA-512:2B8F5216562E8495E5C7D5A6CC88363C2730318D32F0EDBAA135C51812D64C77682A73E2A6C67B525543F05C59026ECC549D063D4B207FA9C9210AC1294C4C1D
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 18%
              • Antivirus: Virustotal, Detection: 31%, Browse
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2/.f..............0..4...........S... ...`....@.. ....................................@..................................S..O....`..L............................................................................ ............... ..H............text....3... ...4.................. ..`.rsrc...L....`.......8..............@..@.reloc...............H..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\Desktop\INV0062180.exe
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:3:ggPYV:rPYV
              MD5:187F488E27DB4AF347237FE461A079AD
              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
              Malicious:false
              Preview:[ZoneTransfer]....ZoneId=0
              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.840578969294862
              TrID:
              • Win32 Executable (generic) Net Framework (10011505/4) 49.79%
              • Win32 Executable (generic) a (10002005/4) 49.75%
              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
              • Windows Screen Saver (13104/52) 0.07%
              • Win16/32 Executable Delphi generic (2074/23) 0.01%
              File name:INV0062180.exe
              File size:609'280 bytes
              MD5:6aef5f1931bd1407f891b037b994414e
              SHA1:a12e03d4a77c16cc9265edfc14ddc3e42ae1818e
              SHA256:3510d84f8b7c07db80eaf1f190ff3727c3ae95921cab2d308a711b1e14f62099
              SHA512:2b8f5216562e8495e5c7d5a6cc88363c2730318d32f0edbaa135c51812d64c77682a73e2a6c67b525543f05c59026ecc549d063d4b207fa9c9210ac1294c4c1d
              SSDEEP:12288:0CJakWa5WOUDYTYoieWKMQUs31FjKQYObJKekDP3Z9:L0ky5Dbo7WKMxsFQ/OdKr9
              TLSH:FFD4015437E84B29D4BE0BFA66B1008047B1791D24B3D34D6ED271DE1E32B42CA5AB67
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...2/.f..............0..4...........S... ...`....@.. ....................................@................................
              Icon Hash:c5c4c5a4a5a5a4a4
              Entrypoint:0x4953de
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x66022F32 [Tue Mar 26 02:13:06 2024 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
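Several facts in the tables above only pay off when cross-checked: the dropped iqKlcCJyhhi.exe has exactly the sample's SHA-256 and size (the sample copies itself into %AppData%), the PE time stamp lands under half a day before the analysis start, the import hash is the value practically every .NET executable importing only mscoree!_CorExeMain produces (consistent with the entry point below, a single jmp through the import address table at 0x402000 followed by zero padding), and the 26-byte [ZoneTransfer] file the dropper writes carries ZoneId=0 (Local Machine zone). The Python below is an added example, not part of the report, that performs these checks over records transcribed from the tables. The Zone.Identifier text is reconstructed from the preview, the elided path of the task XML is kept elided, and the generic .NET import hash is a published constant rather than something the report states.

```python
import re
from datetime import datetime, timedelta, timezone

# Transcribed from the report's static-info and dropped-file tables.
SAMPLE = {
    "name": "INV0062180.exe",
    "size": 609280,
    "sha256": "3510d84f8b7c07db80eaf1f190ff3727c3ae95921cab2d308a711b1e14f62099",
    "pe_timestamp": 0x66022F32,
    "imphash": "f34d5f2d4577ed6d9ceec516c1f5a744",
}
DROPPED = [
    {"path": r"C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe", "size": 609280,
     "sha256": "3510D84F8B7C07DB80EAF1F190FF3727C3AE95921CAB2D308A711B1E14F62099"},
    # Task XML; the report elides the full path, so only the file name is kept here.
    {"path": "tmp1E43.tmp", "size": 1598,
     "sha256": "4143158429615B630DEEABDBD17C4391CA68A565EE026F1C18FCF4F6EA176312"},
]
ANALYSIS_START = "2024-03-26T13:55:21+01:00"
# Reconstructed from the 26-byte preview "[ZoneTransfer]....ZoneId=0".
ZONE_IDENTIFIER = "[ZoneTransfer]\r\n\r\nZoneId=0"

# Import hash of a PE whose only import is mscoree.dll!_CorExeMain, i.e. the value
# almost every .NET executable shares (published widely; treated as a constant here).
GENERIC_DOTNET_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"
ZONE_NAMES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
              3: "Internet", 4: "Restricted Sites"}
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public|ProgramData)\\", re.I)


def find_self_copies(sample_sha256, dropped):
    """Paths of dropped files that are byte-identical to the sample (SHA-256 match)."""
    want = sample_sha256.lower()
    return [d["path"] for d in dropped if d["sha256"].lower() == want]


def pe_timestamp_utc(ts):
    """Decode the IMAGE_FILE_HEADER TimeDateStamp (seconds since the Unix epoch)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def compile_to_detonation(ts, analysis_start_iso):
    """How long before the sandbox run the binary claims to have been built."""
    return datetime.fromisoformat(analysis_start_iso) - pe_timestamp_utc(ts)


def is_generic_dotnet_imphash(imphash):
    return imphash.lower() == GENERIC_DOTNET_IMPHASH


def zone_id(zone_identifier_text):
    """ZoneId from a Zone.Identifier stream, or None if absent."""
    m = re.search(r"^ZoneId=(\d+)\s*$", zone_identifier_text, re.M)
    return int(m.group(1)) if m else None


def triage(sample=SAMPLE, dropped=DROPPED, analysis_start=ANALYSIS_START,
           zone_text=ZONE_IDENTIFIER):
    """Combine the checks into the findings a responder would note for this sample."""
    findings = []
    copies = find_self_copies(sample["sha256"], dropped)
    if any(USER_WRITABLE.search(p) for p in copies):
        findings.append("self_copy_in_user_writable_dir")
    age = compile_to_detonation(sample["pe_timestamp"], analysis_start)
    if timedelta(0) <= age < timedelta(days=1):
        findings.append("compiled_within_24h_of_detonation")
    if is_generic_dotnet_imphash(sample["imphash"]):
        findings.append("generic_dotnet_imphash")
    z = zone_id(zone_text)
    if z == 0:
        findings.append("zone_identifier_local_machine")
    return {"self_copies": copies, "zone": ZONE_NAMES.get(z), "findings": findings}


if __name__ == "__main__":
    print(pe_timestamp_utc(SAMPLE["pe_timestamp"]).isoformat())
    print(triage())
```

The generic import hash is the reason imphash pivots are useless on .NET samples: use the TypeRef/MemberRef tables or a TLSH/ssdeep pivot instead. A time stamp hours before detonation is weak on its own (it can be forged), but combined with the self-copy and the zero zone it fits the phishing-delivered dropper the file name suggests.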
              Instruction
              jmp dword ptr [00402000h]
              inc edi
              dec eax
              xor al, 43h
              dec edx
              aaa
              xor eax, 38473535h
              inc edi
              push ebp
              xor eax, 4A534B35h
              pop ecx
              inc edi
              inc ebp
              dec ebx
add byte ptr [eax], al (this line repeats 86 times in the dump: the bytes following the stub are all zero)
              Data Directories
              Name                                  Virtual Address  Virtual Size  Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IMPORT          0x9538c          0x4f          .text
              IMAGE_DIRECTORY_ENTRY_RESOURCE        0x96000          0xe4c         .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
              IMAGE_DIRECTORY_ENTRY_BASERELOC       0x98000          0xc           .reloc
              IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
              IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
              IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
              Sections
              Name:.text
              Virtual Address:0x2000
              Virtual Size:0x933fc
              Raw Size:0x93400
              MD5:3eb1422f064637f271dcba8ccccf3492
              Xored PE:False
              ZLIB Complexity:0.8890631632003395
              File Type:data
              Entropy:7.860016994420722
              Characteristics:IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

              Name:.rsrc
              Virtual Address:0x96000
              Virtual Size:0xe4c
              Raw Size:0x1000
              MD5:4046ca17cbbe3115651fcb7d410d5f28
              Xored PE:False
              ZLIB Complexity:0.5458984375
              File Type:data
              Entropy:5.6910586254213795
              Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

              Name:.reloc
              Virtual Address:0x98000
              Virtual Size:0xc
              Raw Size:0x400
              MD5:597ace621537488b8e5fcdbfb50e8a28
              Xored PE:False
              ZLIB Complexity:0.025390625
              File Type:data
              Entropy:0.05585530805374581
              Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
              Resources
              Name:RT_ICON
              RVA:0x960c8
              Size:0x96e
              Type:PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
              Language:
              Country:
              ZLIB Complexity:0.7120961060480531

              Name:RT_GROUP_ICON
              RVA:0x96a48
              Size:0x14
              Type:data
              Language:
              Country:
              ZLIB Complexity:1.05

              Name:RT_VERSION
              RVA:0x96a6c
              Size:0x3da
              Type:data
              Language:
              Country:
              ZLIB Complexity:0.4290060851926978
              Imports
              DLL:mscoree.dll
              Import:_CorExeMain
              No network behavior found


              Target ID:0
              Start time:13:56:08
              Start date:26/03/2024
              Path:C:\Users\user\Desktop\INV0062180.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\INV0062180.exe"
              Imagebase:0x610000
              File size:609'280 bytes
              MD5 hash:6AEF5F1931BD1407F891B037B994414E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2124375456.0000000003CCA000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
              Reputation:low
              Has exited:true

              Target ID:3
              Start time:13:56:10
              Start date:26/03/2024
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\INV0062180.exe"
              Imagebase:0x4d0000
              File size:433'152 bytes
              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:4
              Start time:13:56:10
              Start date:26/03/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff66e660000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:5
              Start time:13:56:10
              Start date:26/03/2024
              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
              Imagebase:0x4d0000
              File size:433'152 bytes
              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:6
              Start time:13:56:10
              Start date:26/03/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff66e660000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:7
              Start time:13:56:10
              Start date:26/03/2024
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp1E43.tmp"
              Imagebase:0x7c0000
              File size:187'904 bytes
              MD5 hash:48C2FE20575769DE916F48EF0676A965
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:8
              Start time:13:56:10
              Start date:26/03/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff66e660000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:9
              Start time:13:56:11
              Start date:26/03/2024
              Path:C:\Users\user\Desktop\INV0062180.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\INV0062180.exe"
              Imagebase:0xd80000
              File size:609'280 bytes
              MD5 hash:6AEF5F1931BD1407F891B037B994414E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:10
              Start time:13:56:11
              Start date:26/03/2024
              Path:C:\Users\user\Desktop\INV0062180.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\INV0062180.exe"
              Imagebase:0xe30000
              File size:609'280 bytes
              MD5 hash:6AEF5F1931BD1407F891B037B994414E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:11
              Start time:13:56:11
              Start date:26/03/2024
              Path:C:\Users\user\Desktop\INV0062180.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\INV0062180.exe"
              Imagebase:0xdb0000
              File size:609'280 bytes
              MD5 hash:6AEF5F1931BD1407F891B037B994414E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:12
              Start time:13:56:11
              Start date:26/03/2024
              Path:C:\Users\user\Desktop\INV0062180.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\INV0062180.exe"
              Imagebase:0xcd0000
              File size:609'280 bytes
              MD5 hash:6AEF5F1931BD1407F891B037B994414E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:13
              Start time:13:56:11
              Start date:26/03/2024
              Path:C:\Users\user\Desktop\INV0062180.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\Desktop\INV0062180.exe"
              Imagebase:0xf00000
              File size:609'280 bytes
              MD5 hash:6AEF5F1931BD1407F891B037B994414E
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:14
              Start time:13:56:12
              Start date:26/03/2024
              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              Imagebase:0x7ff717f30000
              File size:496'640 bytes
              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
              Has elevated privileges:true
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:15
              Start time:13:56:13
              Start date:26/03/2024
              Path:C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
              Wow64 process (32bit):true
              Commandline:C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
              Imagebase:0x1c0000
              File size:609'280 bytes
              MD5 hash:6AEF5F1931BD1407F891B037B994414E
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000F.00000002.2167752600.00000000037FB000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 18%, ReversingLabs
              • Detection: 31%, Virustotal, Browse
              Reputation:low
              Has exited:true

              Target ID:16
              Start time:13:56:14
              Start date:26/03/2024
              Path:C:\Windows\SysWOW64\schtasks.exe
              Wow64 process (32bit):true
              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iqKlcCJyhhi" /XML "C:\Users\user\AppData\Local\Temp\tmp2D85.tmp"
              Imagebase:0x7c0000
              File size:187'904 bytes
              MD5 hash:48C2FE20575769DE916F48EF0676A965
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:17
              Start time:13:56:14
              Start date:26/03/2024
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff66e660000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:18
              Start time:13:56:14
              Start date:26/03/2024
              Path:C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
              Imagebase:0x240000
              File size:609'280 bytes
              MD5 hash:6AEF5F1931BD1407F891B037B994414E
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:19
              Start time:13:56:14
              Start date:26/03/2024
              Path:C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
              Imagebase:0x9e0000
              File size:609'280 bytes
              MD5 hash:6AEF5F1931BD1407F891B037B994414E
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:20
              Start time:13:56:14
              Start date:26/03/2024
              Path:C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
              Imagebase:0x1c0000
              File size:609'280 bytes
              MD5 hash:6AEF5F1931BD1407F891B037B994414E
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:21
              Start time:13:56:14
              Start date:26/03/2024
              Path:C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
              Imagebase:0xe50000
              File size:609'280 bytes
              MD5 hash:6AEF5F1931BD1407F891B037B994414E
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:22
              Start time:13:56:14
              Start date:26/03/2024
              Path:C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe
              Wow64 process (32bit):false
              Commandline:"C:\Users\user\AppData\Roaming\iqKlcCJyhhi.exe"
              Imagebase:0x290000
              File size:609'280 bytes
              MD5 hash:6AEF5F1931BD1407F891B037B994414E
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true


                Execution Graph

                Execution Coverage:10.6%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:130
                Total number of Limit Nodes:15
                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 1a9c43936de93919aac874e2383e1e3e696f17ddf740101b2a676d4942eb8941
                • Instruction ID: c20ed0a6b4092c5bf496abf2b1fda3b0eefddb386683d711377c139325e148ee
                • Opcode Fuzzy Hash: 1a9c43936de93919aac874e2383e1e3e696f17ddf740101b2a676d4942eb8941
                • Instruction Fuzzy Hash: 43B1C571D15328CFEBA4CFA5C8447EEBBB2BF49304F1091AAD509A7251D7740A86CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3f5485c238bb7092cc45cd48897ae06a8d19d1f42f6c3ca077cb2de8d2a2a1fb
                • Instruction ID: 4c3a40e1db10955a3936a13e16b830f993bbf2d16f06d369008f83f8f6815368
                • Opcode Fuzzy Hash: 3f5485c238bb7092cc45cd48897ae06a8d19d1f42f6c3ca077cb2de8d2a2a1fb
                • Instruction Fuzzy Hash: E4B1C371D14328CFEBA4CFA6C8447EEBBB2BF49304F10A1AAD509A7251DB740985CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06EFE0B6
                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID: CreateProcess
                • String ID:
                • API String ID: 963392458-0
                • Opcode ID: d4125f76044d29ae8706b96434be87be7832c04edaab691c089282704c736e9d
                • Instruction ID: 7b2fc8520d706d74513b63b658d5616718ce28e3774ad82a38b338fb7d4dc3ca
                • Opcode Fuzzy Hash: d4125f76044d29ae8706b96434be87be7832c04edaab691c089282704c736e9d
                • Instruction Fuzzy Hash: C4A15871D103199FEF60CF69CC41BEEBBB2AF88314F148569E908A7250DB749985CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06EFE0B6
                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID: CreateProcess
                • String ID:
                • API String ID: 963392458-0
                • Opcode ID: 4928bf8a4d7cdf8347127e4e72dbb9f93423e87b4f5fddc6bd63f55bd69e34b8
                • Instruction ID: e130d1969423fc1bac33da23a77db45c7ca31b065234c19e8538d8d47fc8e700
                • Opcode Fuzzy Hash: 4928bf8a4d7cdf8347127e4e72dbb9f93423e87b4f5fddc6bd63f55bd69e34b8
                • Instruction Fuzzy Hash: 1B914871D103199FEF60CF69CC41BEEBAB2AF48314F1485A9E908A7250DB749985CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0103B4C6
                Memory Dump Source
                • Source File: 00000000.00000002.2123402308.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1030000_INV0062180.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 61dc1905b7322551ad0970e8349c8e4efbe020b5a3d09328c6216dc340bd63cc
                • Instruction ID: f01526f26551265fa5b78058df2ca24d3839a824bccfbf546767cc094aacfd98
                • Opcode Fuzzy Hash: 61dc1905b7322551ad0970e8349c8e4efbe020b5a3d09328c6216dc340bd63cc
                • Instruction Fuzzy Hash: 218147B0A00B058FDB64DF6AD44179ABBF5FF88304F008A6DD49AD7A40DB75E949CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 172 1034538-1035dd9 CreateActCtxA 175 1035de2-1035e3c 172->175 176 1035ddb-1035de1 172->176 183 1035e4b-1035e4f 175->183 184 1035e3e-1035e41 175->184 176->175 185 1035e51-1035e5d 183->185 186 1035e60 183->186 184->183 185->186 187 1035e61 186->187 187->187
                APIs
                • CreateActCtxA.KERNEL32(?), ref: 01035DC9
                Memory Dump Source
                • Source File: 00000000.00000002.2123402308.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1030000_INV0062180.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: efab6c7bdba16ca998ee31540baf6a1ac925e937e029bcb002bd5a40680be1e7
                • Instruction ID: 2e7c3366f9440c394c4d5f1347f1d3b0d045ce27171967799a0081f1f36b7824
                • Opcode Fuzzy Hash: efab6c7bdba16ca998ee31540baf6a1ac925e937e029bcb002bd5a40680be1e7
                • Instruction Fuzzy Hash: 2A41F5B0C0071DCBEB24DFA9C94479EBBF5BF88704F20805AD448AB255DB756945CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 189 6efdce3-6efdd75 ReadProcessMemory 193 6efdd7e-6efddae 189->193 194 6efdd77-6efdd7d 189->194 194->193
                APIs
                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06EFDD68
                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID: MemoryProcessRead
                • String ID:
                • API String ID: 1726664587-0
                • Opcode ID: 2b83e273459fa43a515975f672c6de9ac7a8dfb05e02a630770e45915e1b187b
                • Instruction ID: 4cebf4759192321bbb16b8ef2ec622397418f72f729bb138604db8e41ced8ece
                • Opcode Fuzzy Hash: 2b83e273459fa43a515975f672c6de9ac7a8dfb05e02a630770e45915e1b187b
                • Instruction Fuzzy Hash: CA2119B18003499FDF10DFAAC881ADEBBF5FF48320F54842AE958A7240C7799554CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 198 103d2d8-103d7dc DuplicateHandle 200 103d7e5-103d802 198->200 201 103d7de-103d7e4 198->201 201->200
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0103D70E,?,?,?,?,?), ref: 0103D7CF
                Memory Dump Source
                • Source File: 00000000.00000002.2123402308.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1030000_INV0062180.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: d99f48b8621237b54a343eb15ef03171d5b0daaf25e77246a5c836b63e7cfaf3
                • Instruction ID: 1ca6d968bf16516e8dcc0b75974ba591b974cad7a48f3fbbc67a34caf9700577
                • Opcode Fuzzy Hash: d99f48b8621237b54a343eb15ef03171d5b0daaf25e77246a5c836b63e7cfaf3
                • Instruction Fuzzy Hash: F421E3B59002499FDB10CF9AD984ADEBFF8FB48320F14805AE954A7310D374A954CFA4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 204 6efd627-6efd673 207 6efd675-6efd681 204->207 208 6efd683-6efd6b3 Wow64GetThreadContext 204->208 207->208 210 6efd6bc-6efd6ec 208->210 211 6efd6b5-6efd6bb 208->211 211->210
                APIs
                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06EFD6A6
                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID: ContextThreadWow64
                • String ID:
                • API String ID: 983334009-0
                • Opcode ID: c00ab1c4d809257fbe195ea57a197440d29e9d49b2a274c362410285b9124e9b
                • Instruction ID: c8f23bb7bff59d89cfe588f2b07eba446f1e16c910960d1c9772584c7e5482fe
                • Opcode Fuzzy Hash: c00ab1c4d809257fbe195ea57a197440d29e9d49b2a274c362410285b9124e9b
                • Instruction Fuzzy Hash: EC213771D103098FDB10DFAAC8857EEBBF4AF88324F148429E559A7240DBB89944CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 215 6efd628-6efd673 217 6efd675-6efd681 215->217 218 6efd683-6efd6b3 Wow64GetThreadContext 215->218 217->218 220 6efd6bc-6efd6ec 218->220 221 6efd6b5-6efd6bb 218->221 221->220
                APIs
                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06EFD6A6
                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID: ContextThreadWow64
                • String ID:
                • API String ID: 983334009-0
                • Opcode ID: c954486182fcf4acb4da538eedc041510e76e25b7a0dbf5a13147e2012608222
                • Instruction ID: f2325cbfabcbed25b099769925f2ea88fd1aadc5ca404ee75d44a81afec1e48f
                • Opcode Fuzzy Hash: c954486182fcf4acb4da538eedc041510e76e25b7a0dbf5a13147e2012608222
                • Instruction Fuzzy Hash: D6213871D103098FDB10DFAAC8857EEBBF4EF88324F148429D559A7240DBB89944CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 225 6efdce8-6efdd75 ReadProcessMemory 228 6efdd7e-6efddae 225->228 229 6efdd77-6efdd7d 225->229 229->228
                APIs
                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06EFDD68
                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID: MemoryProcessRead
                • String ID:
                • API String ID: 1726664587-0
                • Opcode ID: 61455f311581bfff350c7a19a8d782fc31bc980a563dbc5721622973f0df8b64
                • Instruction ID: fe01a94c4f5c4886c5bc44a4d57a80e0d33d6827e830094d639d105a1ba21057
                • Opcode Fuzzy Hash: 61455f311581bfff350c7a19a8d782fc31bc980a563dbc5721622973f0df8b64
                • Instruction Fuzzy Hash: 912116B18003499FDB10CFAAC881ADEBBF5FF48320F10842AE558A7240C7799550CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 233 103af88-103b728 235 103b730-103b75f LoadLibraryExW 233->235 236 103b72a-103b72d 233->236 237 103b761-103b767 235->237 238 103b768-103b785 235->238 236->235 237->238
                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0103B541,00000800,00000000,00000000), ref: 0103B752
                Memory Dump Source
                • Source File: 00000000.00000002.2123402308.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1030000_INV0062180.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: f8d026ade13d456b682a7e38214b54f1661caf29f46b7c42fe9f99ff261d4100
                • Instruction ID: 5f228f3b1ce15cab55967e9497960f7bc8f44e1034b9ff76a54d8a567bd85e00
                • Opcode Fuzzy Hash: f8d026ade13d456b682a7e38214b54f1661caf29f46b7c42fe9f99ff261d4100
                • Instruction Fuzzy Hash: 6E11E7B69003499FDB10CF9AC544BDEFBF8FB88314F14845AD559A7200C3B5A545CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 241 103b6e7-103b728 242 103b730-103b75f LoadLibraryExW 241->242 243 103b72a-103b72d 241->243 244 103b761-103b767 242->244 245 103b768-103b785 242->245 243->242 244->245
                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0103B541,00000800,00000000,00000000), ref: 0103B752
                Memory Dump Source
                • Source File: 00000000.00000002.2123402308.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1030000_INV0062180.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 961e4509e1cdbdbb540282276dc1d4e80ac8515930a8d4bb4c29d06d4d9d931c
                • Instruction ID: 7c2b606271b3446f119d6f705f5d29a6f4147590d9d76c56e3252a9a242c99a6
                • Opcode Fuzzy Hash: 961e4509e1cdbdbb540282276dc1d4e80ac8515930a8d4bb4c29d06d4d9d931c
                • Instruction Fuzzy Hash: AD11E2B68003498FDB10CF9AD584ADEFBF4FB88324F14842AD559A7200C3B5A545CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 248 8f42588-8f425fa PostMessageW 250 8f42603-8f42617 248->250 251 8f425fc-8f42602 248->251 251->250
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 08F425ED
                Memory Dump Source
                • Source File: 00000000.00000002.2130279639.0000000008F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F40000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8f40000_INV0062180.jbxd
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 8c1fe76e520dab3bf2fcbcfd046d1b365aa6feb37fd452a3d4149b884368adff
                • Instruction ID: cfb9856d775728b608e38c8226e4304b227f79f57329ab392ca61f9b3ad6eeb3
                • Opcode Fuzzy Hash: 8c1fe76e520dab3bf2fcbcfd046d1b365aa6feb37fd452a3d4149b884368adff
                • Instruction Fuzzy Hash: B011F2B58003499FDB10DF9AD945BDEBFF8EB48320F24841AE958A7200D3B9A554CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 253 103b460-103b4a0 254 103b4a2-103b4a5 253->254 255 103b4a8-103b4d3 GetModuleHandleW 253->255 254->255 256 103b4d5-103b4db 255->256 257 103b4dc-103b4f0 255->257 256->257
                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0103B4C6
                Memory Dump Source
                • Source File: 00000000.00000002.2123402308.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1030000_INV0062180.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: ef85825c33e5087ec4e493b9a57adca7b417e7709d93c240bb9101d0dc01a428
                • Instruction ID: 371fdeee2f0eec93b83f9b0929d18924dc24d500a559c34ef0a7abec448012d1
                • Opcode Fuzzy Hash: ef85825c33e5087ec4e493b9a57adca7b417e7709d93c240bb9101d0dc01a428
                • Instruction Fuzzy Hash: 2B110FB6C003498FDB10CF9AC444ADEFBF8EF88224F10845AD958B7200C7B9A545CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 259 8f42590-8f425fa PostMessageW 260 8f42603-8f42617 259->260 261 8f425fc-8f42602 259->261 261->260
                APIs
                • PostMessageW.USER32(?,?,?,?), ref: 08F425ED
                Memory Dump Source
                • Source File: 00000000.00000002.2130279639.0000000008F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F40000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8f40000_INV0062180.jbxd
                Similarity
                • API ID: MessagePost
                • String ID:
                • API String ID: 410705778-0
                • Opcode ID: 6e7ed3140f973b8ea6cb356fea955fc50468526e9a869131b3aaf509c8037bd1
                • Instruction ID: f43e1a642df6d7e2d31ff244c987a18d12e90308e95594a0783c3f04783c6d9e
                • Opcode Fuzzy Hash: 6e7ed3140f973b8ea6cb356fea955fc50468526e9a869131b3aaf509c8037bd1
                • Instruction Fuzzy Hash: 7011C2B58003499FDB10DF9AD945BDEBFF8EB48320F20841AE558A7200D3B5A554CFA5
                Uniqueness

                Uniqueness Score: -1.00%
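
The function records in this listing give, for each disassembled function, the APIs it calls (with the call site) and the memory dump region it was recovered from. Grouping those APIs by region is a quick way to see which in-memory module does what: here the 06EF0000 dump holds the Wow64GetThreadContext and ReadProcessMemory callers, the 01030000 dump the loader-style GetModuleHandleW / LoadLibraryExW / DuplicateHandle code, and the 08F40000 dump the PostMessageW caller. The following Python script is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses records in the text format shown above (the sample records embedded in it are copied from this page's entries with the hash lines dropped), groups the APIs by dump offset, and flags regions whose API set contains two or more thread-context or cross-process memory APIs of the kind used for process hollowing. The INJECTION_APIS list and the two-hit threshold are assumptions of the example, not something the report states.

```python
"""Triage helper for Joe Sandbox function records (added example, not Joe Sandbox code).

Parses the per-function text records shown in the report ("APIs",
"Memory Dump Source", "Uniqueness Score" lines) and groups the called APIs
by the memory-dump region they were disassembled from. Regions whose API set
contains an injection-style cluster are flagged.
"""
import re
from collections import defaultdict

# Constructed sample: records copied from the report in its own line format,
# with the Similarity / hash lines omitted. One record (00C5D000) has no APIs.
SAMPLE_RECORDS = """\
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0103B4C6
Memory Dump Source
• Source File: 00000000.00000002.2123402308.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
Uniqueness Score: -1.00%
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06EFDD68
Memory Dump Source
• Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
Uniqueness Score: -1.00%
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0103D70E,?,?,?,?,?), ref: 0103D7CF
Memory Dump Source
• Source File: 00000000.00000002.2123402308.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
Uniqueness Score: -1.00%
APIs
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 06EFD6A6
Memory Dump Source
• Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
Uniqueness Score: -1.00%
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0103B541,00000800,00000000,00000000), ref: 0103B752
Memory Dump Source
• Source File: 00000000.00000002.2123402308.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
Uniqueness Score: -1.00%
APIs
• PostMessageW.USER32(?,?,?,?), ref: 08F425ED
Memory Dump Source
• Source File: 00000000.00000002.2130279639.0000000008F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F40000, based on PE: false
Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000000.00000002.2122337960.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
Uniqueness Score: -1.00%
"""

# "• Name.Module(args), ref: ADDR" as printed by the report.
API_LINE = re.compile(r"^\s*•\s*(\w+)\.(\w+)\(.*\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
OFFSET_LINE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")

# Heuristic (assumption of this example, not stated by the report): APIs that
# together indicate a hollowing / remote-memory routine when seen in one region.
INJECTION_APIS = {
    "Wow64GetThreadContext", "Wow64SetThreadContext", "GetThreadContext",
    "SetThreadContext", "ReadProcessMemory", "WriteProcessMemory",
    "VirtualAllocEx", "NtUnmapViewOfSection", "ResumeThread",
}


def parse_records(text):
    """Return {region_offset: {"functions": count, "apis": {name: [call sites]}}}."""
    regions = defaultdict(lambda: {"functions": 0, "apis": defaultdict(list)})
    pending = []      # (api, module, ref) lines seen since the last record boundary
    offset = None     # dump offset of the record currently being read
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            pending.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = OFFSET_LINE.search(line)
        if m and "Source File" in line:
            offset = m.group(1).upper()
            continue
        if line.strip().startswith("Uniqueness Score"):
            # Record boundary: attribute the collected APIs to the record's region.
            if offset is not None:
                reg = regions[offset]
                reg["functions"] += 1
                for api, _module, ref in pending:
                    reg["apis"][api].append(ref)
            pending, offset = [], None
    return {k: {"functions": v["functions"], "apis": dict(v["apis"])}
            for k, v in regions.items()}


def flag_injection_regions(regions, min_hits=2):
    """List (offset, hits) for regions with at least min_hits injection-related APIs."""
    flagged = []
    for off, info in sorted(regions.items()):
        hits = sorted(set(info["apis"]) & INJECTION_APIS)
        if len(hits) >= min_hits:
            flagged.append((off, hits))
    return flagged


if __name__ == "__main__":
    regs = parse_records(SAMPLE_RECORDS)
    for off, info in sorted(regs.items()):
        print(f"{off}: {info['functions']} function(s), APIs: {sorted(info['apis'])}")
    for off, hits in flag_injection_regions(regs):
        print(f"injection-style API cluster in region {off}: {hits}")
```

Run against the full report text (copied from the function listing), the same two functions give a per-region API inventory that is quicker to read than the thousands of hash lines; the threshold is deliberately low, so treat a flagged region as a place to start reading the disassembly, not as a verdict.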

                Memory Dump Source
                • Source File: 00000000.00000002.2122337960.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c5d000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d34385527f53f5950805c822fd801ba43e89cd670da6d847345d6b65c1471120
                • Instruction ID: 24fba34707f79d008822c4f48c1b4faaae46d9d2059662fec7acc86523f590d1
                • Opcode Fuzzy Hash: d34385527f53f5950805c822fd801ba43e89cd670da6d847345d6b65c1471120
                • Instruction Fuzzy Hash: 282148BA500340DFCB25DF14D9C0B26BF61FB84319F60C169ED0A0B256C336D89ACBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2122337960.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c5d000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b431030f8200e888e40111555d8e1804d557e8bcba8d75353b396f5a8bff4805
                • Instruction ID: b058f2963ee423dcb722596758a5469ccc01bd634c01aaf7b398ec44d7959701
                • Opcode Fuzzy Hash: b431030f8200e888e40111555d8e1804d557e8bcba8d75353b396f5a8bff4805
                • Instruction Fuzzy Hash: 7C21067A504304DFDB24DF14D9C0B26BF65FB94325F20C169ED0A0B256C336E89ACAA2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2122390339.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c7d000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d7d96df4aff4359b6f690b6f8b19d0586b56bad9edb51b7cec6fd23268f09eba
                • Instruction ID: a9692442f906108a90e414ac705a9781c748c3fc2cae5a369141224aa58420a8
                • Opcode Fuzzy Hash: d7d96df4aff4359b6f690b6f8b19d0586b56bad9edb51b7cec6fd23268f09eba
                • Instruction Fuzzy Hash: C421CF75604204EFDB05DF15D980B26BBB5FF84314F24C5ADE90E4B292C776D846CA61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2122390339.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c7d000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 22be891f79eb52622dd459b74f54d27f574b531b0024f722bf7da02199965962
                • Instruction ID: f464e870fe345a669b942724ad60b144a0e24e6acd5f1fc2a35c4c4ffc6403fd
                • Opcode Fuzzy Hash: 22be891f79eb52622dd459b74f54d27f574b531b0024f722bf7da02199965962
                • Instruction Fuzzy Hash: AA210E75604200EFCB14DF24D9C0B26BBB5FF88314F20C5ADE90E0B292C37AD806CA62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2122390339.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c7d000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c9ce4858ae806de8486d5374956c4ec10fd4b40a34770a2b9d1ee4de3af0eae1
                • Instruction ID: 5cec60e2bcafa82b706e9c1f838cac977180200baee3628b077021c11ed93c65
                • Opcode Fuzzy Hash: c9ce4858ae806de8486d5374956c4ec10fd4b40a34770a2b9d1ee4de3af0eae1
                • Instruction Fuzzy Hash: 6D215E755093C08FCB12CF24D994B15BF71EF46314F28C5EAD8498B6A7C33A990ACB62
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2122337960.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c5d000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                • Instruction ID: b3e9f0448d0f5b21246ed6f52df07157f59a8102ac1f9f5978f655e01f351f67
                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                • Instruction Fuzzy Hash: DC119DB6504380DFDB15CF10D5C4B16BF62FB94324F24C6A9DC4A0A656C33AE99ACBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2122337960.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c5d000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                • Instruction ID: 5a7cf3e3e412b46d3e23147c749501baa05aa47c01e1b754808849a74bb0fe52
                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                • Instruction Fuzzy Hash: DC11AFB6504284CFCB15CF10D5C4B16BF71FB94318F24C6A9DC4A0B656C33AD99ACBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2122390339.0000000000C7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C7D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_c7d000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction ID: fa697c868ae0464cb1421276ed79f9b8d2fe01a25a6e6f881ab1022093923410
                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction Fuzzy Hash: 91118B75504284DFCB15CF10D5C4B15BBB1FF84314F28C6A9D84A4B6A6C33AD94ACB61
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID: :$~
                • API String ID: 0-2431124681
                • Opcode ID: 369a65308791c5084943a9d95b03bcb1458386829806b725d826d564bc8bace3
                • Instruction ID: 0e0c0a9875653209c49cf3cfa5d72cf0ef3b6444cb4bb80ff22dfeac62b69df6
                • Opcode Fuzzy Hash: 369a65308791c5084943a9d95b03bcb1458386829806b725d826d564bc8bace3
                • Instruction Fuzzy Hash: E4320675A00218DFDB55CFA9C840F99BBB2FF88304F1580E9E609AB266DB319D91DF50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2130279639.0000000008F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F40000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_8f40000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0c3dbb0ae4a579246d1c0d96973733d5e09d05d439964b8f49ef324afdeeb29f
                • Instruction ID: 05366565a27fdabcfcf01e0104d8a74bbdae2fbaed3adb3bf30654de6833e485
                • Opcode Fuzzy Hash: 0c3dbb0ae4a579246d1c0d96973733d5e09d05d439964b8f49ef324afdeeb29f
                • Instruction Fuzzy Hash: 4A229D71B002048FDB19DB79C450BAEBBF6AF88301F1485AAD559EB3A1DB35EC46CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5116a3e6daba0361ded304869e05f676529b184dbdd1caac6ecdfc9ffef8f114
                • Instruction ID: 99d3aac1f45767de4513fb5fe7e3390c887c73362bfac1ef2dd0286ce1cab795
                • Opcode Fuzzy Hash: 5116a3e6daba0361ded304869e05f676529b184dbdd1caac6ecdfc9ffef8f114
                • Instruction Fuzzy Hash: 69E14874E10259CFDB14DFA8C580AAEFBB2FF89304F249269D515AB356D730A942CF60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4217be26048213a2940daf967d0129806ead081d60a0e082e75286b7ba539f97
                • Instruction ID: 34780ef488566ec697f5665c096310ab298382534d404e83442e2058ddfcdb63
                • Opcode Fuzzy Hash: 4217be26048213a2940daf967d0129806ead081d60a0e082e75286b7ba539f97
                • Instruction Fuzzy Hash: E5E13B74E102598FDB14DFA9C990AAEFBF2FF88304F249269D504AB355D730A942CF60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3c856bac8473d8e4f9bae8d237a10a615500e26a1da4162581f17032e6c53ddd
                • Instruction ID: cc9d22b5a1c61d266d3454c94ff90532f86fe43fb403850b07a3c0bb4fad3c11
                • Opcode Fuzzy Hash: 3c856bac8473d8e4f9bae8d237a10a615500e26a1da4162581f17032e6c53ddd
                • Instruction Fuzzy Hash: 44E12874E10259CFDB14DFA9C580AAEFBB2FF88304F249269D515AB355D730A942CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 212d7fc7587a3a3de1e4603b3364eabfa743bf2cd6b55be36a9c6850de109c56
                • Instruction ID: 398bae3783eef1c025bec663f10f75e9f03f92d0db180b4dd59d865b769cba8c
                • Opcode Fuzzy Hash: 212d7fc7587a3a3de1e4603b3364eabfa743bf2cd6b55be36a9c6850de109c56
                • Instruction Fuzzy Hash: 71E12A74E102598FDB14DFA8C984AAEFBF2FF89304F249269D505AB355D730A942CF60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 158e8feb19398f6bee4fc4c0f7a81c129ef097c5f374eacf6a949f5e630c4bc1
                • Instruction ID: 6e0f8833e2121c7a01148fbdc6484968fdf57dfc80123cb2ebdb403758a1998f
                • Opcode Fuzzy Hash: 158e8feb19398f6bee4fc4c0f7a81c129ef097c5f374eacf6a949f5e630c4bc1
                • Instruction Fuzzy Hash: 9CE13B74E102598FDB14DFA9C580AAEFBF2FF89304F249269D504AB355D770A942CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: dbf48e1b1391cd32b364143fb6af99b64cc20f935a8a2d40f6dad81e4e3cd7bb
                • Instruction ID: 05fc9dda57ea6e09a2d43fbcabf9ef1da54af098f35ca070c59d39092692a9e4
                • Opcode Fuzzy Hash: dbf48e1b1391cd32b364143fb6af99b64cc20f935a8a2d40f6dad81e4e3cd7bb
                • Instruction Fuzzy Hash: 23E1143482075BCADB05EF64D950AA9B771FFD5300F20979AE10A3B255EFB06AC5CB81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d84d3f445e491ac35a2c5f74ed4093a6d7c42db878aed95acf72ca6ac8daa404
                • Instruction ID: 70b07e7508f61f9e69c10732b19139e11edb61a0eaa5ac6ff66f7424228dfdf5
                • Opcode Fuzzy Hash: d84d3f445e491ac35a2c5f74ed4093a6d7c42db878aed95acf72ca6ac8daa404
                • Instruction Fuzzy Hash: 14D1133482075BCADB04EF64D950A99B771FFD5300F20879AE10A3B255EFB06AC4CB81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2123402308.0000000001030000.00000040.00000800.00020000.00000000.sdmp, Offset: 01030000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_1030000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8964f72044b30c2c17394ac68034d85e5c1625e2c45f74da51ab0f95b42f2e9b
                • Instruction ID: ed16c3197fd5ba3d6478beab937c387c27decc8fdefc933e725a80454da9df29
                • Opcode Fuzzy Hash: 8964f72044b30c2c17394ac68034d85e5c1625e2c45f74da51ab0f95b42f2e9b
                • Instruction Fuzzy Hash: C4A17D32E0021A9FCF19DFB4C8805DEBBB6FFC5300B1545AAE945AB265DB71E945CB40
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 080c0dce455954c565a86391ec0bccb2f3555b7479c85069aa88313ce3691177
                • Instruction ID: eb8f8e7c70bfafbba5fa797041c4d52ae4b235bf6fa8cc7a60a71bfd7582f3f0
                • Opcode Fuzzy Hash: 080c0dce455954c565a86391ec0bccb2f3555b7479c85069aa88313ce3691177
                • Instruction Fuzzy Hash: 1B913470D15318DFEB65CFAAD4887EDBBB2BF49304F10A02AD619A7251DB750986CF80
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0447a02d3625b7e58837bd735b9bff5dcc5b94cd0ba22bc4d623652f50b45539
                • Instruction ID: 3506675394c994aa7fecebc371ded3161715a9ff53de0bcc0c801bf19855400f
                • Opcode Fuzzy Hash: 0447a02d3625b7e58837bd735b9bff5dcc5b94cd0ba22bc4d623652f50b45539
                • Instruction Fuzzy Hash: 4F61C074E056199FDB44DFA9C5809AEFBF2FF88300F24D169D918A7356D730A942CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 09ebb717c0e68b3416bc5454d7023543062ab5eb987034977bd4aacb76ca625f
                • Instruction ID: 0132ed5827a451a657ee7e3747733e16ad097a97255046ffb112c602e11140ec
                • Opcode Fuzzy Hash: 09ebb717c0e68b3416bc5454d7023543062ab5eb987034977bd4aacb76ca625f
                • Instruction Fuzzy Hash: 5F514C74E102198FDB14DFA9C9405AEFBF2FF89304F248169D518AB356D7319A42CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6634c1a24fa43191e199d4ca9a6fa449135f004359d5579f705bd2bb975f56df
                • Instruction ID: 67af03ace91ad8e4727e00e7f634ffb6b05cc6588b81d1645698df42edd3b921
                • Opcode Fuzzy Hash: 6634c1a24fa43191e199d4ca9a6fa449135f004359d5579f705bd2bb975f56df
                • Instruction Fuzzy Hash: 43512C70E102198FDB14DFA9C9845AEFBF2FF89304F248269D518AB355D7319A42CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 89c59315e26cf252bc07867f8917935a32d6578e3e71f1b08ef531540b5a01e6
                • Instruction ID: 9c9a3d2a03ef8348a75cd33bb152c9dd73b2f85369407177a94ad2855b46300a
                • Opcode Fuzzy Hash: 89c59315e26cf252bc07867f8917935a32d6578e3e71f1b08ef531540b5a01e6
                • Instruction Fuzzy Hash: 0C410874E05659DFDB08DFAAC9405AEFBF2EF88300F14C169E518AB355DB309942CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000000.00000002.2128837878.0000000006EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EF0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_6ef0000_INV0062180.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 92a2e1cf74dedf27b00326da536770fe8264ce22dfe785fe887fe8dc4f03b945
                • Instruction ID: 6404f396f66b5386317e7493e1c27da993f32658186a96a0f678e150934e809a
                • Opcode Fuzzy Hash: 92a2e1cf74dedf27b00326da536770fe8264ce22dfe785fe887fe8dc4f03b945
                • Instruction Fuzzy Hash: B241A7B1E016189FEB58CF6BD8407DABBF7AFC9300F14D1AAD508A6215DB3059858F51
                Uniqueness

                Uniqueness Score: -1.00%

                Execution Graph

                Execution Coverage:10.3%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:85
                Total number of Limit Nodes:7
                execution_graph 38652 685e323 38657 8af0368 38652->38657 38666 8af03f8 38652->38666 38674 8af03e8 38652->38674 38653 685e332 38658 8af0376 38657->38658 38659 8af03ef 38657->38659 38658->38653 38660 8af0436 38659->38660 38682 8af0c0c 38659->38682 38687 8af0c62 38659->38687 38692 8af07f6 38659->38692 38697 8af0859 38659->38697 38702 8af0899 38659->38702 38660->38653 38667 8af0412 38666->38667 38668 8af0c0c 2 API calls 38667->38668 38669 8af0899 2 API calls 38667->38669 38670 8af0859 2 API calls 38667->38670 38671 8af07f6 2 API calls 38667->38671 38672 8af0436 38667->38672 38673 8af0c62 2 API calls 38667->38673 38668->38672 38669->38672 38670->38672 38671->38672 38672->38653 38673->38672 38675 8af03f8 38674->38675 38676 8af0436 38675->38676 38677 8af0c0c 2 API calls 38675->38677 38678 8af0899 2 API calls 38675->38678 38679 8af0859 2 API calls 38675->38679 38680 8af07f6 2 API calls 38675->38680 38681 8af0c62 2 API calls 38675->38681 38676->38653 38677->38676 38678->38676 38679->38676 38680->38676 38681->38676 38683 8af0c12 38682->38683 38707 685dce2 38683->38707 38711 685dce8 38683->38711 38684 8af0c35 38688 8af11fd 38687->38688 38715 685d620 38688->38715 38719 685d628 38688->38719 38689 8af0901 38689->38660 38693 8af0801 38692->38693 38694 8af08d9 38693->38694 38723 685de76 38693->38723 38727 685de80 38693->38727 38694->38660 38698 8af07f7 38697->38698 38699 8af08d9 38698->38699 38700 685de76 CreateProcessA 38698->38700 38701 685de80 CreateProcessA 38698->38701 38699->38660 38700->38699 38701->38699 38703 8af089f 38702->38703 38705 685de76 CreateProcessA 38703->38705 38706 685de80 CreateProcessA 38703->38706 38704 8af08d9 38704->38660 38705->38704 38706->38704 38708 685dce8 ReadProcessMemory 38707->38708 38710 685dd77 38708->38710 38710->38684 38712 685dd33 ReadProcessMemory 38711->38712 38714 685dd77 38712->38714 38714->38684 38716 685d628 Wow64GetThreadContext 38715->38716 38718 685d6b5 38716->38718 38718->38689 38720 685d66d Wow64GetThreadContext 
38719->38720 38722 685d6b5 38720->38722 38722->38689 38724 685de80 CreateProcessA 38723->38724 38726 685e0cb 38724->38726 38728 685df09 CreateProcessA 38727->38728 38730 685e0cb 38728->38730 38619 8af15e8 38620 8af1773 38619->38620 38621 8af160e 38619->38621 38621->38620 38624 8af1868 PostMessageW 38621->38624 38626 8af1860 38621->38626 38625 8af18d4 38624->38625 38625->38621 38627 8af1868 PostMessageW 38626->38627 38628 8af18d4 38627->38628 38628->38621 38629 234b178 38632 234b263 38629->38632 38630 234b187 38633 234b281 38632->38633 38634 234b2a4 38632->38634 38633->38634 38640 234b4f8 38633->38640 38644 234b508 38633->38644 38634->38630 38635 234b29c 38635->38634 38636 234b4a8 GetModuleHandleW 38635->38636 38637 234b4d5 38636->38637 38637->38630 38641 234b51c 38640->38641 38643 234b541 38641->38643 38648 234af88 38641->38648 38643->38635 38645 234b51c 38644->38645 38646 234af88 LoadLibraryExW 38645->38646 38647 234b541 38645->38647 38646->38647 38647->38635 38649 234b6e8 LoadLibraryExW 38648->38649 38651 234b761 38649->38651 38651->38643

                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID: $
                • API String ID: 0-227171996
                • Opcode ID: eea3348f0aa4ef53b7706f9d8b2aeed813f51e433f76f3c6de2ad0051edccc49
                • Instruction ID: d721ac596353459710545396bfe57eaf0fb66226ca5ca9cb50780f639976a324
                • Opcode Fuzzy Hash: eea3348f0aa4ef53b7706f9d8b2aeed813f51e433f76f3c6de2ad0051edccc49
                • Instruction Fuzzy Hash: D971BF70900B01CFEB10EF28D89555577FAFF85304F418AA8D949AB326EB31E999CF80
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 24 4ba0178-4ba1259 48 4ba125c call 4ba1c6f 24->48 49 4ba125c call 4ba1c80 24->49 31 4ba1262-4ba127b 35 4ba12dd-4ba13c2 call 4ba01a8 call 4ba01b8 31->35 36 4ba127d-4ba12d5 31->36 36->35 48->31 49->31
                Strings
                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID: $
                • API String ID: 0-227171996
                • Opcode ID: 7d08d49374c0f8d9a2727a41a25ae08f5bafeff8dd55f44c4893953adb6074db
                • Instruction ID: ebaf10f1a9a171c7e919f32f4a560f01cfa225a493f60b5c021d6183dbc17826
                • Opcode Fuzzy Hash: 7d08d49374c0f8d9a2727a41a25ae08f5bafeff8dd55f44c4893953adb6074db
                • Instruction Fuzzy Hash: 6871AC70900A01CFEB10EF28D895655B7F9FF85314F408AA8D949AB316EB71F998CF80
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 50 685de76-685df15 53 685df17-685df21 50->53 54 685df4e-685df6e 50->54 53->54 55 685df23-685df25 53->55 59 685dfa7-685dfd6 54->59 60 685df70-685df7a 54->60 57 685df27-685df31 55->57 58 685df48-685df4b 55->58 61 685df35-685df44 57->61 62 685df33 57->62 58->54 70 685e00f-685e0c9 CreateProcessA 59->70 71 685dfd8-685dfe2 59->71 60->59 63 685df7c-685df7e 60->63 61->61 64 685df46 61->64 62->61 65 685dfa1-685dfa4 63->65 66 685df80-685df8a 63->66 64->58 65->59 68 685df8c 66->68 69 685df8e-685df9d 66->69 68->69 69->69 72 685df9f 69->72 82 685e0d2-685e158 70->82 83 685e0cb-685e0d1 70->83 71->70 73 685dfe4-685dfe6 71->73 72->65 75 685e009-685e00c 73->75 76 685dfe8-685dff2 73->76 75->70 77 685dff4 76->77 78 685dff6-685e005 76->78 77->78 78->78 79 685e007 78->79 79->75 93 685e168-685e16c 82->93 94 685e15a-685e15e 82->94 83->82 95 685e17c-685e180 93->95 96 685e16e-685e172 93->96 94->93 97 685e160 94->97 99 685e190-685e194 95->99 100 685e182-685e186 95->100 96->95 98 685e174 96->98 97->93 98->95 102 685e1a6-685e1ad 99->102 103 685e196-685e19c 99->103 100->99 101 685e188 100->101 101->99 104 685e1c4 102->104 105 685e1af-685e1be 102->105 103->102 106 685e1c5 104->106 105->104 106->106
                APIs
                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0685E0B6
                Memory Dump Source
                • Source File: 0000000F.00000002.2169861544.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_6850000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: CreateProcess
                • String ID:
                • API String ID: 963392458-0
                • Opcode ID: e523eedda535fd308f2477994656d4165de274401c3a775e49f53b52b5ac4e7a
                • Instruction ID: 1ad06d8d767ec3ad3b7445fb2186556e19d436ec8e50d00ddd2cd0417fa1cd72
                • Opcode Fuzzy Hash: e523eedda535fd308f2477994656d4165de274401c3a775e49f53b52b5ac4e7a
                • Instruction Fuzzy Hash: 5BA14971D002198FEB64CF68CC45B9EBAB2BF48310F1585A9ED48E7240DB759A85CF91
                Uniqueness

                Uniqueness Score: -1.00%
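The execution graph above and the per-function control_flow_graph lines (such as the 685de76 CreateProcessA function just above) are exported as flat token text, which makes the API call chain hard to read by eye. The Python below is an added example for this page, not Joe Sandbox code: it parses that token stream under an inferred grammar (a node is a decimal id followed by a hex address or address range plus optional label words; an edge is `id->id`; this is an assumption about the exporter, not documented behaviour), attaches API names found in node labels, and reports which APIs are reachable from each entry node. On the page's own graph this makes the read side of the RunPE pattern explicit: from entry 685e323 the code reaches CreateProcessA, Wow64GetThreadContext and ReadProcessMemory. The write/resume side of such an injection is not listed in this section, so the check flags only what the graph supports. The embedded samples are subsets of the page's execution_graph and of the 685de76 control_flow_graph, copied token for token.

```python
"""Parse the flat text export of a Joe Sandbox execution_graph or
control_flow_graph and report which Win32 APIs each entry node can reach.

Added example for this report page; not Joe Sandbox code.  Grammar is
inferred from the page (assumption):
    <id> <addr>[-<addr>] [label words ...]   node / basic block
    <id>-><id>                               edge
A decimal token counts as a node id only when the next token is an address,
which keeps the "2" in "2 API calls" as a label word (assumption).
"""
import re
from collections import deque

NODE_ID = re.compile(r"\d+")
ADDR = re.compile(r"[0-9a-f]{6,8}(?:-[0-9a-f]{6,8})?")
EDGE = re.compile(r"(\d+)->(\d+)")
# CamelCase export names such as CreateProcessA or Wow64GetThreadContext;
# heuristic that rejects label words like "API", "call", "calls".
API_NAME = re.compile(r"(?:[A-Z][a-z0-9]+){2,}[AW]?")

# Read side of the RunPE / hollowing sequence visible in this report section.
# The write/resume side is not listed on the page, so it is not checked.
HOLLOWING_READ_SIDE = frozenset({"CreateProcessA", "Wow64GetThreadContext", "ReadProcessMemory"})

# Constructed samples: subsets of the graphs printed on this page.
SAMPLE_EXECUTION_GRAPH = """execution_graph
38652 685e323 38657 8af0368 38652->38657 38666 8af03f8 38652->38666 38653 685e332
38658 8af0376 38657->38658 38659 8af03ef 38657->38659 38658->38653 38660 8af0436 38659->38660
38682 8af0c0c 38659->38682 38687 8af0c62 38659->38687 38697 8af0859 38659->38697 38660->38653
38667 8af0412 38666->38667 38668 8af0c0c 2 API calls 38667->38668 38672 8af0436 38667->38672 38668->38672 38672->38653
38683 8af0c12 38682->38683 38707 685dce2 38683->38707 38684 8af0c35
38708 685dce8 ReadProcessMemory 38707->38708 38710 685dd77 38708->38710 38710->38684
38688 8af11fd 38687->38688 38715 685d620 38688->38715 38689 8af0901 38689->38660
38716 685d628 Wow64GetThreadContext 38715->38716 38718 685d6b5 38716->38718 38718->38689
38698 8af07f7 38697->38698 38699 8af08d9 38698->38699 38700 685de76 CreateProcessA 38698->38700 38699->38660 38700->38699
38619 8af15e8 38620 8af1773 38619->38620 38621 8af160e 38619->38621 38621->38620
38624 8af1868 PostMessageW 38621->38624 38625 8af18d4 38624->38625 38625->38621
38629 234b178 38632 234b263 38629->38632 38630 234b187 38635 234b29c 38632->38635
38636 234b4a8 GetModuleHandleW 38635->38636 38637 234b4d5 38636->38637 38637->38630
38640 234b4f8 38635->38640 38641 234b51c 38640->38641 38648 234af88 38641->38648 38649 234b6e8 LoadLibraryExW 38648->38649
"""
SAMPLE_CONTROL_FLOW_GRAPH = """control_flow_graph 50 685de76-685df15 53 685df17-685df21 50->53
54 685df4e-685df6e 50->54 53->54 59 685dfa7-685dfd6 54->59 70 685e00f-685e0c9 CreateProcessA 59->70
82 685e0d2-685e158 70->82 83 685e0cb-685e0d1 70->83 83->82
"""


def parse_graph(text):
    """Return (nodes, edges); nodes: id -> {"addr", "label", "apis"}, edges: [(src, dst)]."""
    tokens = text.split()
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.fullmatch(tok)
        if m:
            edges.append(m.groups())
            current = None  # a label never continues past an edge
            i += 1
            continue
        if NODE_ID.fullmatch(tok) and i + 1 < len(tokens) and ADDR.fullmatch(tokens[i + 1]):
            current = nodes.setdefault(tok, {"addr": tokens[i + 1], "label": [], "apis": set()})
            i += 2
            continue
        if current is not None:  # label word of the most recently declared node
            current["label"].append(tok)
            if API_NAME.fullmatch(tok):
                current["apis"].add(tok)
        i += 1  # otherwise a stray token such as the graph name
    for node in nodes.values():
        node["label"] = " ".join(node["label"])
    return nodes, edges


def reachable_apis(nodes, edges):
    """Map each entry node (no incoming edge) to the API names reachable from it."""
    succ, indeg = {}, {n: 0 for n in nodes}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
        indeg.setdefault(src, 0)
        indeg[dst] = indeg.get(dst, 0) + 1
    result = {}
    for root in sorted(n for n, d in indeg.items() if d == 0):
        seen, queue, apis = {root}, deque([root]), set()
        while queue:
            n = queue.popleft()
            apis |= nodes.get(n, {}).get("apis", set())
            for nxt in succ.get(n, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        result[root] = apis
    return result


def hollowing_read_side_roots(api_sets):
    """Entry nodes from which all three read-side RunPE APIs are reachable."""
    return sorted(r for r, apis in api_sets.items() if HOLLOWING_READ_SIDE <= apis)


if __name__ == "__main__":
    for name, text in (("execution_graph", SAMPLE_EXECUTION_GRAPH),
                       ("control_flow_graph 685de76", SAMPLE_CONTROL_FLOW_GRAPH)):
        nodes, edges = parse_graph(text)
        api_sets = reachable_apis(nodes, edges)
        print(f"{name}: {len(nodes)} nodes, {len(edges)} edges")
        for root, apis in api_sets.items():
            print(f"  entry {root} @ {nodes.get(root, {}).get('addr', '?')}: {sorted(apis) or '-'}")
        print(f"  read-side hollowing chain from: {hollowing_read_side_roots(api_sets) or 'none'}")
```

Running it prints one line per entry node; on the execution graph the three entries are 685e323 (CreateProcessA, ReadProcessMemory, Wow64GetThreadContext), 8af15e8 (PostMessageW) and 234b178 (GetModuleHandleW, LoadLibraryExW), and only the first trips the read-side check. To run it on the full page graph, paste the complete execution_graph line in place of the sample; the nodes with the "2 API calls" label are summaries emitted by the exporter (limit nodes) and carry no API name, so their callees must be read from the expanded nodes.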

                Control-flow Graph

                control_flow_graph 108 685de80-685df15 110 685df17-685df21 108->110 111 685df4e-685df6e 108->111 110->111 112 685df23-685df25 110->112 116 685dfa7-685dfd6 111->116 117 685df70-685df7a 111->117 114 685df27-685df31 112->114 115 685df48-685df4b 112->115 118 685df35-685df44 114->118 119 685df33 114->119 115->111 127 685e00f-685e0c9 CreateProcessA 116->127 128 685dfd8-685dfe2 116->128 117->116 120 685df7c-685df7e 117->120 118->118 121 685df46 118->121 119->118 122 685dfa1-685dfa4 120->122 123 685df80-685df8a 120->123 121->115 122->116 125 685df8c 123->125 126 685df8e-685df9d 123->126 125->126 126->126 129 685df9f 126->129 139 685e0d2-685e158 127->139 140 685e0cb-685e0d1 127->140 128->127 130 685dfe4-685dfe6 128->130 129->122 132 685e009-685e00c 130->132 133 685dfe8-685dff2 130->133 132->127 134 685dff4 133->134 135 685dff6-685e005 133->135 134->135 135->135 136 685e007 135->136 136->132 150 685e168-685e16c 139->150 151 685e15a-685e15e 139->151 140->139 152 685e17c-685e180 150->152 153 685e16e-685e172 150->153 151->150 154 685e160 151->154 156 685e190-685e194 152->156 157 685e182-685e186 152->157 153->152 155 685e174 153->155 154->150 155->152 159 685e1a6-685e1ad 156->159 160 685e196-685e19c 156->160 157->156 158 685e188 157->158 158->156 161 685e1c4 159->161 162 685e1af-685e1be 159->162 160->159 163 685e1c5 161->163 162->161 163->163
                APIs
                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0685E0B6
                Memory Dump Source
                • Source File: 0000000F.00000002.2169861544.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_6850000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: CreateProcess
                • String ID:
                • API String ID: 963392458-0
                • Opcode ID: ff3dc2b20661563b5e75a30154b27ac80e41ad9ff04ae7ca35ae7c920ac86418
                • Instruction ID: 91e32bb3c1e5a3b78ee14f957c48e59e91c466df220f9580fe686627c49a7f2d
                • Opcode Fuzzy Hash: ff3dc2b20661563b5e75a30154b27ac80e41ad9ff04ae7ca35ae7c920ac86418
                • Instruction Fuzzy Hash: F0914971D002198FEB64DF68CC45B9EBAB2BF48310F1585A9ED08E7240DB759A85CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 165 234b263-234b27f 166 234b281-234b28e call 234af24 165->166 167 234b2ab-234b2af 165->167 173 234b2a4 166->173 174 234b290 166->174 169 234b2b1-234b2bb 167->169 170 234b2c3-234b304 167->170 169->170 176 234b306-234b30e 170->176 177 234b311-234b31f 170->177 173->167 220 234b296 call 234b4f8 174->220 221 234b296 call 234b508 174->221 176->177 178 234b321-234b326 177->178 179 234b343-234b345 177->179 181 234b331 178->181 182 234b328-234b32f call 234af30 178->182 184 234b348-234b34f 179->184 180 234b29c-234b29e 180->173 183 234b3e0-234b4a0 180->183 186 234b333-234b341 181->186 182->186 215 234b4a2-234b4a5 183->215 216 234b4a8-234b4d3 GetModuleHandleW 183->216 187 234b351-234b359 184->187 188 234b35c-234b363 184->188 186->184 187->188 191 234b365-234b36d 188->191 192 234b370-234b379 call 234af40 188->192 191->192 196 234b386-234b38b 192->196 197 234b37b-234b383 192->197 198 234b38d-234b394 196->198 199 234b3a9-234b3b6 196->199 197->196 198->199 201 234b396-234b3a6 call 234af50 call 234af60 198->201 206 234b3b8-234b3d6 199->206 207 234b3d9-234b3df 199->207 201->199 206->207 215->216 217 234b4d5-234b4db 216->217 218 234b4dc-234b4f0 216->218 217->218 220->180 221->180
                APIs
                • GetModuleHandleW.KERNELBASE(00000000), ref: 0234B4C6
                Memory Dump Source
                • Source File: 0000000F.00000002.2166682342.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2340000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: HandleModule
                • String ID:
                • API String ID: 4139908857-0
                • Opcode ID: 8178a64a713612847400e4cca1d1b6eed256035ab180c856bd4547b4be28e151
                • Instruction ID: afb859285c8b5c850b538f937d79f0f04bd3df71e50b0c259fecbcf3eced669e
                • Opcode Fuzzy Hash: 8178a64a713612847400e4cca1d1b6eed256035ab180c856bd4547b4be28e151
                • Instruction Fuzzy Hash: 388125B0A00B058FD724DF6AD45575ABBF2FF88308F008A6DD48AD7A50DB75E846CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 222 2345d0c-2345dd9 CreateActCtxA 224 2345de2-2345e3c 222->224 225 2345ddb-2345de1 222->225 232 2345e3e-2345e41 224->232 233 2345e4b-2345e4f 224->233 225->224 232->233 234 2345e60 233->234 235 2345e51-2345e5d 233->235 237 2345e61 234->237 235->234 237->237
                APIs
                • CreateActCtxA.KERNEL32(?), ref: 02345DC9
                Memory Dump Source
                • Source File: 0000000F.00000002.2166682342.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2340000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: f783e987b7696cd06a3da45a9c6ac0c23cddc9ea18e1df36c64a2e80d84d98ea
                • Instruction ID: a76366d5198a740db9584c552def151359d99e80177406ae275e494cbf178dc6
                • Opcode Fuzzy Hash: f783e987b7696cd06a3da45a9c6ac0c23cddc9ea18e1df36c64a2e80d84d98ea
                • Instruction Fuzzy Hash: 4641E0B0C00719CBEB24CFA9C9847DEBBF1BF49704F60816AD408AB251DB75694ACF50
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 238 2344538-2345dd9 CreateActCtxA 241 2345de2-2345e3c 238->241 242 2345ddb-2345de1 238->242 249 2345e3e-2345e41 241->249 250 2345e4b-2345e4f 241->250 242->241 249->250 251 2345e60 250->251 252 2345e51-2345e5d 250->252 254 2345e61 251->254 252->251 254->254
                APIs
                • CreateActCtxA.KERNEL32(?), ref: 02345DC9
                Memory Dump Source
                • Source File: 0000000F.00000002.2166682342.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2340000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: Create
                • String ID:
                • API String ID: 2289755597-0
                • Opcode ID: 72781055c720d3351b204076247f6b6a620f3ebef2a0a9e22964ba7db576a3a5
                • Instruction ID: da6860af8c351cd575ae8ddb5224490add58bb645f36f092a1cf8c96e2acdaac
                • Opcode Fuzzy Hash: 72781055c720d3351b204076247f6b6a620f3ebef2a0a9e22964ba7db576a3a5
                • Instruction Fuzzy Hash: F841D1B0C0071DCBEB24CFA9C984B9EBBF5BF49704F60816AD408AB251DB756945CF90
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 255 685dce2-685dd75 ReadProcessMemory 259 685dd77-685dd7d 255->259 260 685dd7e-685ddae 255->260 259->260
                APIs
                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0685DD68
                Memory Dump Source
                • Source File: 0000000F.00000002.2169861544.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_6850000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: MemoryProcessRead
                • String ID:
                • API String ID: 1726664587-0
                • Opcode ID: 00cdc8b51a6a677da7ce4d48ff1ef5c1f24060a88f40769281d01444a9e05b2a
                • Instruction ID: 600566d6f7ba1cf382fc32ef4bfd263cdea0fc13bf7cc9fbf365664e2cebd33b
                • Opcode Fuzzy Hash: 00cdc8b51a6a677da7ce4d48ff1ef5c1f24060a88f40769281d01444a9e05b2a
                • Instruction Fuzzy Hash: 222119B180034A9FDB10CFAAC881BDEBBF5FF88310F10842AE958A7240C7799554DBA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 264 685d620-685d673 267 685d675-685d681 264->267 268 685d683-685d6b3 Wow64GetThreadContext 264->268 267->268 270 685d6b5-685d6bb 268->270 271 685d6bc-685d6ec 268->271 270->271
                APIs
                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0685D6A6
                Memory Dump Source
                • Source File: 0000000F.00000002.2169861544.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_6850000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: ContextThreadWow64
                • String ID:
                • API String ID: 983334009-0
                • Opcode ID: 5cbd805a0c988d74d4efbb39832fc28da715b2f5cd5fdacc2e13238a1515bb50
                • Instruction ID: 8e5a310e57dfd259bdd34f84c547d50fde5a0ea0f0d5c0ddf184d9b5d409f0d8
                • Opcode Fuzzy Hash: 5cbd805a0c988d74d4efbb39832fc28da715b2f5cd5fdacc2e13238a1515bb50
                • Instruction Fuzzy Hash: BC215C71D003098FEB10DFAAC8457DEBBF4EF88314F108429DA59A7240D7789945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 275 234d2d8-234d7dc DuplicateHandle 277 234d7e5-234d802 275->277 278 234d7de-234d7e4 275->278 278->277
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0234D70E,?,?,?,?,?), ref: 0234D7CF
                Memory Dump Source
                • Source File: 0000000F.00000002.2166682342.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2340000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: b126e28e7c768cdbfd096d01c3a60cd361b5990960baf2fc6bde1e6f30f1b7f3
                • Instruction ID: b4b15e599114510c3aabad4dcf6fcc41579ed571ca875b44d8a474d70194066c
                • Opcode Fuzzy Hash: b126e28e7c768cdbfd096d01c3a60cd361b5990960baf2fc6bde1e6f30f1b7f3
                • Instruction Fuzzy Hash: 2121D2B590024DAFDB10CF9AD984ADEBFF8EB48320F14805AE954A3210D779A950CFA4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 281 234d740-234d7dc DuplicateHandle 282 234d7e5-234d802 281->282 283 234d7de-234d7e4 281->283 283->282
                APIs
                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0234D70E,?,?,?,?,?), ref: 0234D7CF
                Memory Dump Source
                • Source File: 0000000F.00000002.2166682342.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2340000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: DuplicateHandle
                • String ID:
                • API String ID: 3793708945-0
                • Opcode ID: e706decda2ee35cb8ed58543fa03d230a937ad663ff6227ccc02207e76ae6bf2
                • Instruction ID: 6e6e85179935809f3e8de720d57b6cee4ed6896a7658dd803b7f6d62bd374e70
                • Opcode Fuzzy Hash: e706decda2ee35cb8ed58543fa03d230a937ad663ff6227ccc02207e76ae6bf2
                • Instruction Fuzzy Hash: 1421D2B590124D9FDB10CFAAD584ADEBFF5FB48320F14805AE918A7210D379A954CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 286 685d628-685d673 288 685d675-685d681 286->288 289 685d683-685d6b3 Wow64GetThreadContext 286->289 288->289 291 685d6b5-685d6bb 289->291 292 685d6bc-685d6ec 289->292 291->292
                APIs
                • Wow64GetThreadContext.KERNEL32(?,00000000), ref: 0685D6A6
                Memory Dump Source
                • Source File: 0000000F.00000002.2169861544.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_6850000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: ContextThreadWow64
                • String ID:
                • API String ID: 983334009-0
                • Opcode ID: 18fd0fac5b7967bb1b825e868b63a5f4d07c86877a33699260ccad9fa26bc58f
                • Instruction ID: 520039ecf25aded40e8baef6340789160e6b9dd158c0605b77200f60bba54393
                • Opcode Fuzzy Hash: 18fd0fac5b7967bb1b825e868b63a5f4d07c86877a33699260ccad9fa26bc58f
                • Instruction Fuzzy Hash: CD212971D003098FEB50DFAAC4857EEBBF4EF88324F148429DA59A7240DB789945CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 296 685dce8-685dd75 ReadProcessMemory 299 685dd77-685dd7d 296->299 300 685dd7e-685ddae 296->300 299->300
                APIs
                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0685DD68
                Memory Dump Source
                • Source File: 0000000F.00000002.2169861544.0000000006850000.00000040.00000800.00020000.00000000.sdmp, Offset: 06850000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_6850000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: MemoryProcessRead
                • String ID:
                • API String ID: 1726664587-0
                • Opcode ID: 1a30641a6074d7de60bf33023cad365153b65c1a1f3cacec762b52caed2f6f02
                • Instruction ID: 93129bfa0681c1f4341cdd899cef62bdb08d822f63d9ae09b22c88d48fe5aa7f
                • Opcode Fuzzy Hash: 1a30641a6074d7de60bf33023cad365153b65c1a1f3cacec762b52caed2f6f02
                • Instruction Fuzzy Hash: EF2128B18003499FDB10CFAAC881BDEBBF5FF48310F10842AEA58A7240C7799514CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 304 234af88-234b728 306 234b730-234b75f LoadLibraryExW 304->306 307 234b72a-234b72d 304->307 308 234b761-234b767 306->308 309 234b768-234b785 306->309 307->306 308->309
                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0234B541,00000800,00000000,00000000), ref: 0234B752
                Memory Dump Source
                • Source File: 0000000F.00000002.2166682342.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2340000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 9cfe6d7da61eac8a4411bbebef52f44be927616f5873247afd9fc51c3ebf566e
                • Instruction ID: e85a81a7a59d5f3f60e336f89dd4deca033758ca5d5875eea9eaf328bc236e71
                • Opcode Fuzzy Hash: 9cfe6d7da61eac8a4411bbebef52f44be927616f5873247afd9fc51c3ebf566e
                • Instruction Fuzzy Hash: D81133B6C003098FDB10CF9AC544A9EFBF5AB88324F10806AE519A7200C779A505CFA4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                control_flow_graph 312 234b6e3-234b728 313 234b730-234b75f LoadLibraryExW 312->313 314 234b72a-234b72d 312->314 315 234b761-234b767 313->315 316 234b768-234b785 313->316 314->313 315->316
                APIs
                • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0234B541,00000800,00000000,00000000), ref: 0234B752
                Memory Dump Source
                • Source File: 0000000F.00000002.2166682342.0000000002340000.00000040.00000800.00020000.00000000.sdmp, Offset: 02340000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_2340000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID: LibraryLoad
                • String ID:
                • API String ID: 1029625771-0
                • Opcode ID: 3d51105d1ec1f42c2827caa96fd664341fc1b039f727622bd8969dabc9e4e5ca
                • Instruction ID: e991849973eefa083a1f462cd4c4601f5a5ea5e37efdd66a362cda31d9dac70d
                • Opcode Fuzzy Hash: 3d51105d1ec1f42c2827caa96fd664341fc1b039f727622bd8969dabc9e4e5ca
                • Instruction Fuzzy Hash: FA1130B6C003498FDB10CFAAC484ADEFBF5AF88324F10806AD518A7200C779A506CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eed65624e7a51887290d5a2b799329c62302abec9c80fc074c48e2816eeb8fbc
                • Instruction ID: 8acc483777be9aaf307c7142ec1897a3953e1425edec01227b14272fbc767250
                • Opcode Fuzzy Hash: eed65624e7a51887290d5a2b799329c62302abec9c80fc074c48e2816eeb8fbc
                • Instruction Fuzzy Hash: EA310D70A0020ADFEB08EBA9E4916AE7BF6FBD4300F10552CD115BF359DA796A058B91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 40f240e5a5edbb9fd4b682d93385b40e9628a021e58761b5b9213d3a393f3df6
                • Instruction ID: 32c0662457f1eb8053a4cd81e2166a5d0ffc25c3d99e9139dc0f719ac378c4d7
                • Opcode Fuzzy Hash: 40f240e5a5edbb9fd4b682d93385b40e9628a021e58761b5b9213d3a393f3df6
                • Instruction Fuzzy Hash: 73311070A0020ADFEB04FBA9E4916AE7BF6FBD4300F10552CD115BF359DE796A058B91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 840070bc7dea88a63ca09eb0d605a57fd19d6e230300dc6500c7bcdb7bee1ac3
                • Instruction ID: 9dceaca644ef0b579aa75bc0144fc80ff18addcc8c0b4c010369fe7973689455
                • Opcode Fuzzy Hash: 840070bc7dea88a63ca09eb0d605a57fd19d6e230300dc6500c7bcdb7bee1ac3
                • Instruction Fuzzy Hash: FE2124717042008FDB14EF78D8449ABBBE6EF84204B1489ADD606DB351EF75ED0A8BD1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9e85cef2643a9ef45c33354bf693f7aa90278fcc7e74c477cd2b8ac32ce290d5
                • Instruction ID: 3e64eac4b3763d752a4d47a65e19184fa6307859e1d198de39f36482a6006e78
                • Opcode Fuzzy Hash: 9e85cef2643a9ef45c33354bf693f7aa90278fcc7e74c477cd2b8ac32ce290d5
                • Instruction Fuzzy Hash: D721C271B083448FD7199B28D894A6E7BE6FFC931171444ADD406CB362CE68ED06C7A1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ce4dd0c9bfd7d0bd2d3a63b682241e034bf3cd89261fd1d82039173d6674714e
                • Instruction ID: 8fcf87b7b235f63d3c7e01ba8d5f55bdf211f390dfba3242a664e4683c861282
                • Opcode Fuzzy Hash: ce4dd0c9bfd7d0bd2d3a63b682241e034bf3cd89261fd1d82039173d6674714e
                • Instruction Fuzzy Hash: 442138307006008FDB68AF3DC854A6A77E6EF85715B2481ADE506CB3A1DF76EC06CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2165864669.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_83d000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0bd3430a24b821b77b34c5075525638b1bfa27e93351b3db763e42bd6953b779
                • Instruction ID: 8695e2d39cee62540b6099ff39016163305975b74f0ecf2ebd9dd1695c310c68
                • Opcode Fuzzy Hash: 0bd3430a24b821b77b34c5075525638b1bfa27e93351b3db763e42bd6953b779
                • Instruction Fuzzy Hash: 3421F476504304DFDB05DF14E9C0B26BB65FBD4324F20C169D9098B256C33AE856CAE1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2165909093.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_84d000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 61a88d172ee8e91bde42cc3d3e40293e96b2105e467c6f44736dbe61b0b3d271
                • Instruction ID: 764ebee0f8b872c14683f2bb62924233142123ee42123d1cdd802e44948c7a53
                • Opcode Fuzzy Hash: 61a88d172ee8e91bde42cc3d3e40293e96b2105e467c6f44736dbe61b0b3d271
                • Instruction Fuzzy Hash: A221F975604348EFDB05DF14D5C0B25BBA5FB84318F24C66DE9098B352C7BAE846CA61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2165909093.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_84d000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 75f3e6d88cd610bc06b8653ee4c9e0f8d92de9320e782203c71e9822c15a0e78
                • Instruction ID: a114bf0c901657b81b32e349e6a2974e86e0fcd1438c5016cd4d8fe9b72640ec
                • Opcode Fuzzy Hash: 75f3e6d88cd610bc06b8653ee4c9e0f8d92de9320e782203c71e9822c15a0e78
                • Instruction Fuzzy Hash: 5C213475604708EFCB14DF14D9C0B26BB61FB84318F20C56DD90A8B392C37AD807CA61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 47b245d8ba9f2abab47579579f0260ca4587ade27e543d3dc78046f6b0c9ad7c
                • Instruction ID: 3bc09609e594a1b53e299b4dbbd669b253ebb2085f160802ca4b5103e2ae27e0
                • Opcode Fuzzy Hash: 47b245d8ba9f2abab47579579f0260ca4587ade27e543d3dc78046f6b0c9ad7c
                • Instruction Fuzzy Hash: EC218775E0020A9FEF54DFA9C8406EEBBF6EF88340F14456AD505E7240EB745A118B61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3dad48382a495fa689b5be144c102b06e3c833b65e2ce5771553431962da2b85
                • Instruction ID: 7a243fd41e94a804cc444d6f7e5b54d9e462fc4565b8567049eedcec3fcee94a
                • Opcode Fuzzy Hash: 3dad48382a495fa689b5be144c102b06e3c833b65e2ce5771553431962da2b85
                • Instruction Fuzzy Hash: 79213335A106099FCB10EF6CD84059EFBF5FF49310B50C26AE959A7204FB31A959CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 34cd6889996848fc1649854a0a2bb92f72da42ad6246cb2f111db0d0945b2e55
                • Instruction ID: bac769293804b2ef9835da9eb78982ac6ebff6bbd97f07e4e4456c69aafa8b20
                • Opcode Fuzzy Hash: 34cd6889996848fc1649854a0a2bb92f72da42ad6246cb2f111db0d0945b2e55
                • Instruction Fuzzy Hash: 5C214170A0460ACFCB24DF64C58089EB7F2FF45308B10466DD55A97351E735F90ACB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: de4438bd09c3f106bac45c795c96e1b6f5c8ba598a3886434bf5620bdb41cdc1
                • Instruction ID: 84c464d0097e9649cf0be893ecf58e26cdb4490d3143a710f5e24556eb09fe1b
                • Opcode Fuzzy Hash: de4438bd09c3f106bac45c795c96e1b6f5c8ba598a3886434bf5620bdb41cdc1
                • Instruction Fuzzy Hash: 7011D231F04A1A4BDB20FEA9C4902AFB7F2EB89710F04856AD415A7200DB74A95187C1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 511b51becb2f17aae1adb6e91d3e51b340254e791e1343f2a2f90b35aa1d3218
                • Instruction ID: de19a31b5780bc167d6cf44ecf7761e563261151cc75462e50e6473603881b3c
                • Opcode Fuzzy Hash: 511b51becb2f17aae1adb6e91d3e51b340254e791e1343f2a2f90b35aa1d3218
                • Instruction Fuzzy Hash: F221CD34505705CFD7A5EF34C444AEAB7B6EF82219F4088ADD05A1B261CF31A89ACB42
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4332a23f6f866cddf7d7a792cc8e24bfdc764d433bc7861fe6a4e400b3563f1d
                • Instruction ID: 8a0e3034c6f1f88daffbd58844b265473e7feab428734550df7cea9809e86396
                • Opcode Fuzzy Hash: 4332a23f6f866cddf7d7a792cc8e24bfdc764d433bc7861fe6a4e400b3563f1d
                • Instruction Fuzzy Hash: 0D11AC716002018FDB15EF79C494AABBBF6EF81204B0489A9D646DB355EFB0ED088FD1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b2c33d730c680d9cfb92bdb38158538d610b44ee675aaba35c238168f00d40ae
                • Instruction ID: 5f088cb864e2c0f7a5b30592a66df5a4265ac6237dd14367f456ae64e1b3a3cc
                • Opcode Fuzzy Hash: b2c33d730c680d9cfb92bdb38158538d610b44ee675aaba35c238168f00d40ae
                • Instruction Fuzzy Hash: E01106716083809FD72ADB34C89069A7FE2EF92350F0584ADC1498F662DA34BD46CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b9386a2d9fb2d41c9d25304bc19bf2a1f5b9e90c3fa0f745276cf9044bef34e8
                • Instruction ID: 350c8f2af01efed54aea7fcc22a129ec0b23e0a7fc3641362a80a22da4f0c982
                • Opcode Fuzzy Hash: b9386a2d9fb2d41c9d25304bc19bf2a1f5b9e90c3fa0f745276cf9044bef34e8
                • Instruction Fuzzy Hash: 5B11A332F046164BDB20EEA994912BFB7F2EB89710F148469C516E7300DA34A9128BC1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bd8159dd98456cdd9e141570d9770a7eeaba53c7b1c1c9d4712a6509cfc2e1fb
                • Instruction ID: 7bc19de5f56243d5389225005e8f3c0b55004d55e2ba22e6f22ed25ef5f9c649
                • Opcode Fuzzy Hash: bd8159dd98456cdd9e141570d9770a7eeaba53c7b1c1c9d4712a6509cfc2e1fb
                • Instruction Fuzzy Hash: 85216D30604705CFD7A4FF78C444AAEB7A6EF85319F0089ADD05A2B260DF71B89ACB41
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4717277643ae5f86e87d4f809f50014f5ade7372c5b03a96c267932123445583
                • Instruction ID: 5fb5f4a1fc11ddb0dac7724c87c1eb4ba52b08324a80352724bb5fcee56150a9
                • Opcode Fuzzy Hash: 4717277643ae5f86e87d4f809f50014f5ade7372c5b03a96c267932123445583
                • Instruction Fuzzy Hash: 6411BF316046049FE728EB68D8506AEBBE6EFC1351F14C5BDD4198B650DE31FE09CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6b70e01e620aa52cc6a190ceb00e3fc3d9d2a194a2f0c0e4f950715ef35321ae
                • Instruction ID: 3d64323929415ebf629d1540435fc81f88e69c06b2ff50510ed35d072bc465f0
                • Opcode Fuzzy Hash: 6b70e01e620aa52cc6a190ceb00e3fc3d9d2a194a2f0c0e4f950715ef35321ae
                • Instruction Fuzzy Hash: 5601F975B09264ABDF16977888905AD7B76DF89204F1100A9D704AB382DA241E12C795
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3a7aba0f0f4998fa756df7c3976943b0b0d7de1e8a089e703f8b5ceb6b2007da
                • Instruction ID: e552ff937bd8908ed419fca46078f653fe14c4513a0c5d0bfde47474b5aac8b6
                • Opcode Fuzzy Hash: 3a7aba0f0f4998fa756df7c3976943b0b0d7de1e8a089e703f8b5ceb6b2007da
                • Instruction Fuzzy Hash: DC210E7460460ACFCB24DF64C1808AEB7B2FF84309B10866DC556AB251DB35F91ACB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a955c1a5b07f8d3e561c67d0ad8f55164cb64d50219da50ee7c5a91a0d6b42da
                • Instruction ID: b461b47434103db76238169ddb73b3d03529c0d96455fee0ac5712cd89d3fa7f
                • Opcode Fuzzy Hash: a955c1a5b07f8d3e561c67d0ad8f55164cb64d50219da50ee7c5a91a0d6b42da
                • Instruction Fuzzy Hash: 8711C4323042018BD714AA1CD8C47A97BD6EF89310F1984B5E109CFB66DA35DC018784
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2165864669.000000000083D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0083D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_83d000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                • Instruction ID: dff2eee821655eeb47493c252b45131e32a4f44a7fc1c4bde2f3f63b70b34d47
                • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                • Instruction Fuzzy Hash: 0E11D3B6504380DFCB16CF10E5C4B16BF71FB94324F24C6A9D8494B656C33AE856CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6afcd3a6f4afb9a51e5ca2db906d733c8a86b143c924510df8c1d798205a144f
                • Instruction ID: df9f2208b3b2e11d1d8c452f652a964980bb9037b1c4931d9898a58817bdaf0e
                • Opcode Fuzzy Hash: 6afcd3a6f4afb9a51e5ca2db906d733c8a86b143c924510df8c1d798205a144f
                • Instruction Fuzzy Hash: D711E330A00205DFE718EFA9C4147DE7BF2EF88304F1044A8D615AB390DB79AD15CBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2165909093.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_84d000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction ID: c57d30a0364c64e0cb723dbc131b2ce035b91abcf091b04d5b4869d1834b08db
                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction Fuzzy Hash: 2A118B75504784DFCB15CF14D5C4B15BBA2FB84314F24C6AAD8498B656C33AD84ACBA2
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2165909093.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_84d000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction ID: 5bf5e5f82fb672080052af3d8968b6b8155f22871a2fb5a978b61f8dce1723e2
                • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                • Instruction Fuzzy Hash: 97118B75504384DFCB15CF10D5C4B15BBA2FB84314F24C6A9D8498B6A6C37AE84ACB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f192f0b1eb2c070105fc3ab3e5e66075b65e07ea11c187092e0c2f700ec4025e
                • Instruction ID: 832ec52eada275baa21bc9b5e24d9902692b4bbe99a43eda8abcf3c5c9b9d913
                • Opcode Fuzzy Hash: f192f0b1eb2c070105fc3ab3e5e66075b65e07ea11c187092e0c2f700ec4025e
                • Instruction Fuzzy Hash: 6D1123B5C042098FDB10CF9AC444B9EFBF4EB88320F14805AE458A3200D7B4A905CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f32b31a88eec0640a9ba07ffd976d81d84566a7588c34b93575140537e6f2959
                • Instruction ID: 088eae9177f649eb707426cc7e726f896d2b031bca43d574b9fd02ee07ca19ed
                • Opcode Fuzzy Hash: f32b31a88eec0640a9ba07ffd976d81d84566a7588c34b93575140537e6f2959
                • Instruction Fuzzy Hash: 621120B1C042499FDB10DF9AC844B9EFBF4EB88320F14845AE858A7210D3B8A905CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 910294dce9850760b913a49b8963cc0f61b886b6cb3427fdd128ee812357a366
                • Instruction ID: 0b7832c2f67bce236f4ae1bc50ae62f70d8d4a6f854e847165cfbb53979e1e7a
                • Opcode Fuzzy Hash: 910294dce9850760b913a49b8963cc0f61b886b6cb3427fdd128ee812357a366
                • Instruction Fuzzy Hash: ED1102B5D042498FDB10DF9AD484BDEFBF4EB88320F14855AD558A7310D3B8A506CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 02e575725eae054cf86157a72bb9bdd90edf503dbf9e9b017a03973da969f9f9
                • Instruction ID: 4e9505e3d6b5c0fcc863879fae6c278df4d1fc9fc45cbb83346540714b4c870c
                • Opcode Fuzzy Hash: 02e575725eae054cf86157a72bb9bdd90edf503dbf9e9b017a03973da969f9f9
                • Instruction Fuzzy Hash: 9A1122B5804249CFDB20CFAAD584BDEBBF4EB48320F20841AD518A7200D775A545CFA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d1ffc9ee5e826036619705f26b65c3bdff9a66e9e54fa5d7bf22b5a96672b4bb
                • Instruction ID: 3cd679648966575e9138f7ea03cb3dff2ba9e04d34b6634ecb0bff61c5f38daa
                • Opcode Fuzzy Hash: d1ffc9ee5e826036619705f26b65c3bdff9a66e9e54fa5d7bf22b5a96672b4bb
                • Instruction Fuzzy Hash: AD01D2B1A001049FEB049F68C958BAF7BF6EF8C314F0440A9E101AF384DB789D05CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b2c5b258e178f926094ef13b1d22bd2d2bf78d77fca8e2a02dd5f824d4a7c9b3
                • Instruction ID: 655814b05c3e67358d11fbd4a7bb747c6c7e409f3c95fcd5b4cf2dc60521ef9f
                • Opcode Fuzzy Hash: b2c5b258e178f926094ef13b1d22bd2d2bf78d77fca8e2a02dd5f824d4a7c9b3
                • Instruction Fuzzy Hash: 151133B5904349CFDB20DF9AC584B9EFBF4EB48320F20845AE518A7300D775A944CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8d3a547af5cb4006410399cdc98a8b1dbb2917a73b142cf0e3bf544a459c403b
                • Instruction ID: 91fbd08f3a066ec3c859bccfe6951eb47bbc8f63a77174faae3a113c5a98d129
                • Opcode Fuzzy Hash: 8d3a547af5cb4006410399cdc98a8b1dbb2917a73b142cf0e3bf544a459c403b
                • Instruction Fuzzy Hash: EF01F571A0C7408FD7127B3484201EEBB35EF86200F0901EEC9855B302DB31E956C7EA
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9add704ed1ad3d9b496b8510828f6ce9efe6753daf88406ed398f403f79d8144
                • Instruction ID: e10c6ae6c272a494f1d348db9e7dd57a2d44ca7d056abf6e02beeefc4fd37eec
                • Opcode Fuzzy Hash: 9add704ed1ad3d9b496b8510828f6ce9efe6753daf88406ed398f403f79d8144
                • Instruction Fuzzy Hash: 6F019E31608B049FD715EF78C41016A7BB1EF8A304B4085AAD9469B660EB31E966CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c9efffcb0e834ec74d1b5c2f4fe6ecb2d4c442fd8c1b26899d7557d44cf95801
                • Instruction ID: a46e3132370d67c0c853ecdeaef7ad5d051bec6f10c286925b2561dc0acb66d6
                • Opcode Fuzzy Hash: c9efffcb0e834ec74d1b5c2f4fe6ecb2d4c442fd8c1b26899d7557d44cf95801
                • Instruction Fuzzy Hash: 05017C317002058FD718DB29D88892ABBEAFFC831471484ADE41ACB320CF71EC02CB60
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 223d39dbc915cd6ff24e25feaabfa7743943a67f5ce70b61af313be65cefd5bb
                • Instruction ID: 17571d63e26e5c58ceebcd3a55cf984c59fbc00d29234f5e60e7dd20366c98db
                • Opcode Fuzzy Hash: 223d39dbc915cd6ff24e25feaabfa7743943a67f5ce70b61af313be65cefd5bb
                • Instruction Fuzzy Hash: 7801B170A001049FEB049F69C959A9B7BF6EB88304F0440A9E502EF344CB79AC14CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 686f2073aed03533e027ad1725e14d22f1203513f23bebde88ca6a8d592545b2
                • Instruction ID: bcd34927d151935661f4b2baa6b4a7ce1a5b4dbc7f5b9f603df1bd53b58f4c07
                • Opcode Fuzzy Hash: 686f2073aed03533e027ad1725e14d22f1203513f23bebde88ca6a8d592545b2
                • Instruction Fuzzy Hash: 13018030604704CFD724EF79C41056A7BB2EF89304B50C5AED9469B660EF31F866CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e0c4383c2b1c94d411d01b5cf9eca92a1a003abc896c9622ac0cd9bbcdd0ac6e
                • Instruction ID: eb86eb8fe0cb63aa20afca34138941ce3b089cd5f2156e14b66da0b9d9e98fbe
                • Opcode Fuzzy Hash: e0c4383c2b1c94d411d01b5cf9eca92a1a003abc896c9622ac0cd9bbcdd0ac6e
                • Instruction Fuzzy Hash: CE01D6317086008FCB259A69E41097AB7F6DFC5225B14C5BEC9098B651DF75EC138B92
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ed6f272c623fe4310d0db94c7e98efe8224529155ea8f150b780b07f3f51b1e2
                • Instruction ID: 45622c2558ce2ee576d81a40e2c1bb6fbb7afe74f9b9286698eba731ae6666fd
                • Opcode Fuzzy Hash: ed6f272c623fe4310d0db94c7e98efe8224529155ea8f150b780b07f3f51b1e2
                • Instruction Fuzzy Hash: 0CF0AFA1B083446FEB09DBBA981556A7FEADAC1154B1484FAD845D7242EE30ED168390
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 6b21c8fadc7add401191ab89d5809679bd0470b08724da44c03c56ac17acaa72
                • Instruction ID: efe19f2f14f6a96016bc495cafa777a92ca43f043ecb9de883f955b9b36a1b77
                • Opcode Fuzzy Hash: 6b21c8fadc7add401191ab89d5809679bd0470b08724da44c03c56ac17acaa72
                • Instruction Fuzzy Hash: DCF0AF31350201CBD62CAA2DC850ABF779AEFC9711F1085AEEA0AE7754DE70AC01A790
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b22f0816eca2611ae51569f0adc63b5f8dfc738c3af91a7e12b050f0471d7e5f
                • Instruction ID: c0534f7b6614d10f3a7c2507e6b3b0bb13bcb5ec7735eedb6d7caba13edaf753
                • Opcode Fuzzy Hash: b22f0816eca2611ae51569f0adc63b5f8dfc738c3af91a7e12b050f0471d7e5f
                • Instruction Fuzzy Hash: B5F0C8317082048FDB28E66ED81097EB7EAEFC4625760D9AEC509CB355DF70EC128B91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 28e7ad794c7cc9788646fbb45a32eacbf324f8f80238d1e6efe625baccc2b7c2
                • Instruction ID: 063e96e0b478f5d5b1d19165ede39d4a7c430a9d05db5e6b210f5c5ee70f6e94
                • Opcode Fuzzy Hash: 28e7ad794c7cc9788646fbb45a32eacbf324f8f80238d1e6efe625baccc2b7c2
                • Instruction Fuzzy Hash: 8FF0C2713006118BD728A62CD454BBF77EAEFC8611F5441BEDA1AD7745EA70AC0297D0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 56527e02e01e068f2e1da3551cf2051184bd2ee7d3d4a0f412196c6783c285a5
                • Instruction ID: 8fabf6b4d2c1698fb7d7e36fe8dccfcfe2c842151b8d983d15858888628a5fad
                • Opcode Fuzzy Hash: 56527e02e01e068f2e1da3551cf2051184bd2ee7d3d4a0f412196c6783c285a5
                • Instruction Fuzzy Hash: EFF0F63130D5140BD719BA38E41863E7BA6DFC5A05B0440FED905CB790EE34EC368B81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ccfcf65efabca113fc1a5455cdf7741211297dda8d1502695af740797ba5c275
                • Instruction ID: 81fb70398ce16acdc2d433a1701c188e8a65d43683b602006f558d6f6c10043f
                • Opcode Fuzzy Hash: ccfcf65efabca113fc1a5455cdf7741211297dda8d1502695af740797ba5c275
                • Instruction Fuzzy Hash: E6F0E93030C6118BD628BA2A8840A3E36D9DFD0B9570444EEE856C7EA4DF30FC21F751
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bc71b8c172bdb1db3d5a1de9ae6e9e8a53a7524cc6bfe026637265aa8d6896a1
                • Instruction ID: 01879bda53e9f34d01f35d5e9d6b697bb4b7df09775049325c13ea6073748cdb
                • Opcode Fuzzy Hash: bc71b8c172bdb1db3d5a1de9ae6e9e8a53a7524cc6bfe026637265aa8d6896a1
                • Instruction Fuzzy Hash: 4EF09675B04128EB9F25E6A998505BEBBBBABC8614B100469D605BB340DE311F21C7E9
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f8d3c16ea32f20fd44beabc8a1e3a72856c291fd491bceb00996c52eec9e6099
                • Instruction ID: 2b7d605c1ea053891ca5b6ac73f7334bd7a57d9530085c6a00bae19bb0b45db0
                • Opcode Fuzzy Hash: f8d3c16ea32f20fd44beabc8a1e3a72856c291fd491bceb00996c52eec9e6099
                • Instruction Fuzzy Hash: 7901C875D106099FCB40EFA8C54599DBBF0EF49210F11859AE959EB321E7709A44CB81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d411659eb974e91a34655d88153e4474143131a9ab615173f76312244f91c42e
                • Instruction ID: b72169a64b4640b4abcdf8f027c15215ba8d4b8b6101a68f10f7b650e9217024
                • Opcode Fuzzy Hash: d411659eb974e91a34655d88153e4474143131a9ab615173f76312244f91c42e
                • Instruction Fuzzy Hash: EAF02E3130C6104BD7287A25D48077E37D9DF94B96B0500EED956CBAA0DF34EC22EB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 3de8df21a1602f0dc6df91cbf30f5cfdc42fe09b116ea79867377fb55c892508
                • Instruction ID: c66c4a92cf67c92ad2544524e69ee574db564a24e12a39b73498b678fefe0802
                • Opcode Fuzzy Hash: 3de8df21a1602f0dc6df91cbf30f5cfdc42fe09b116ea79867377fb55c892508
                • Instruction Fuzzy Hash: 81F01D347101108FCB64AB6CD858AB977FAEFCD765B1880AAE50AC7371CE61DC06CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ce35e9ccd419293706c18a67a286ac7a32db6c0b1d1674460107a00839273dd4
                • Instruction ID: 039d1627d851d66f36f6e122175420e0e8e97c19016be0e94d16deeef5f5765b
                • Opcode Fuzzy Hash: ce35e9ccd419293706c18a67a286ac7a32db6c0b1d1674460107a00839273dd4
                • Instruction Fuzzy Hash: 7DF0CD31A047048BDB12BB7884204AEB77AFFC6210F4146ADD84967200EF31F996CAE5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 83b6c21dd11adf8d823a70522b257547939183d6a7dda5ccb283fcbfca5d3313
                • Instruction ID: 0e9d043893304d9b993886f589ea9b6d369366277bd66de4932234c76a68a63b
                • Opcode Fuzzy Hash: 83b6c21dd11adf8d823a70522b257547939183d6a7dda5ccb283fcbfca5d3313
                • Instruction Fuzzy Hash: 45F0C235304600CFC7245B29E49465ABBB6FFC9325B1801ADD50A4B366CF75AC02CB94
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: eb833c9be136045a977551c47456810112d2e7b1e366bcbe7ba143c2beb6c3c2
                • Instruction ID: 9fb85657f89327eec6695ce88548d750f6daae5a3194a015bc0a8a30306b363b
                • Opcode Fuzzy Hash: eb833c9be136045a977551c47456810112d2e7b1e366bcbe7ba143c2beb6c3c2
                • Instruction Fuzzy Hash: 06F089363046119FD7189B6EF89495ABBEAEFC5225304467EE10ACB221CEB1EC0987D4
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a11892b2c798088665fdb4e11aa4c5e8cef09c09cbb370ae2f425df8849fadc3
                • Instruction ID: cf59683ab7e9076173b4016c8b32ff69b77deb7c085942eaba38acb0a9b91168
                • Opcode Fuzzy Hash: a11892b2c798088665fdb4e11aa4c5e8cef09c09cbb370ae2f425df8849fadc3
                • Instruction Fuzzy Hash: 89F01D343101108FCA54AB6DD848A6977FAEFCD765B1440AAE50AC7371CE61EC018B90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 751b6215d819f4f607485e0dd12844bd0ec729eaea6757134df090fe7ffd84f2
                • Instruction ID: 659194ca314e8a0848e6a0a697366c3442e69246c8cd204bf72f46c237887185
                • Opcode Fuzzy Hash: 751b6215d819f4f607485e0dd12844bd0ec729eaea6757134df090fe7ffd84f2
                • Instruction Fuzzy Hash: BDF05CF2B1C1212FEB148A699C44EBF7FFCDBC556470600BEE954C7201E921AC0183A0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4820bb85ae529abf8efc543161d808a9723e172ad35e91e2ed739a79a47c517
                • Instruction ID: cea5db3e8dccea79d6ec211ffd2e5f6abb1a7482c010e54a97bd980308b73a79
                • Opcode Fuzzy Hash: e4820bb85ae529abf8efc543161d808a9723e172ad35e91e2ed739a79a47c517
                • Instruction Fuzzy Hash: 76F0E23130C5144B9B19BA399418A3E36DAEFC4A15B0440BDD505CB790EE34FC328B81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0c9396bcc820de10fd6db41cca9953ae87b48dd675e4ae1010cdb53d975a430d
                • Instruction ID: 52758d0b898ad55bb773afae5419d71ff32b4971c71fdc56bdce31938a4beb94
                • Opcode Fuzzy Hash: 0c9396bcc820de10fd6db41cca9953ae87b48dd675e4ae1010cdb53d975a430d
                • Instruction Fuzzy Hash: 63F09A352006008FC624AB1AE894A1AB7BAFBC8321B1401ADE50A87760DF75BC42CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 151be15bab5eefee2328c54e98f0bea308d1b9223732af4ac410c3b39ea97c29
                • Instruction ID: 5e390a279a90488517ea6764bb79551c0e983eefe7f5c1cb82d81f6d262586bc
                • Opcode Fuzzy Hash: 151be15bab5eefee2328c54e98f0bea308d1b9223732af4ac410c3b39ea97c29
                • Instruction Fuzzy Hash: A0F027313043118FD7099B39E8A4949BFB6EFC5220304057EE20ACB222CEE4ED0A87D0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                • Instruction ID: 4243ceffdd30f352615e2fe6667d750750fc4abca0ae9b7f9b7c733986b7bd1f
                • Opcode Fuzzy Hash: e26b3b693c3fa3a092213b46d9974f97095fdf38ae2968b16eb170a88f8efb51
                • Instruction Fuzzy Hash: 0601B675D00609DFCB40EFACC54589DBBF4FF49210B1185AAE859EB321E770AA44CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f8efa5b87e9032290ac200594aa042de4dadefbd8e39215713946963220a6882
                • Instruction ID: b401508d597dbc5107bd5ecea8176672f08d2e824ec54005841d013c429cbc36
                • Opcode Fuzzy Hash: f8efa5b87e9032290ac200594aa042de4dadefbd8e39215713946963220a6882
                • Instruction Fuzzy Hash: 5BF0EC363066519FD7149A5AE8844B7F75AFBD5336318C077E50487300CB32B861C7A0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b8d25220bb6998ce3d1c292160f82ae9f3d6c498a0123bd0749ef35a5db1a585
                • Instruction ID: 48ffbb0fb516d37b5d11e0abd9a8eab0272b5daa3740af5cefd3b59b7a65376c
                • Opcode Fuzzy Hash: b8d25220bb6998ce3d1c292160f82ae9f3d6c498a0123bd0749ef35a5db1a585
                • Instruction Fuzzy Hash: 61F0E271204A50CFC719DB28D598A58BBE2EF49619B1644EDE60A8F332CB62EC41CB80
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 116121ff8c125e0804ba64bcb6de07c9caa590b1a5f1521c9d4068bf2abbf80e
                • Instruction ID: 409750a21fd61ff0a1ab49f725ee418bbe5e1e63810e2e7568cdb7a5c0c8e718
                • Opcode Fuzzy Hash: 116121ff8c125e0804ba64bcb6de07c9caa590b1a5f1521c9d4068bf2abbf80e
                • Instruction Fuzzy Hash: 0BE065A2B081046FE708DEB9984469E7FAACB88154F0180BADA08DB251E930DE524390
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d500c575e3676803567ea298e9733c6c921fc8262a1b4f0be6d5d4965850e478
                • Instruction ID: 4e5fe01651b0804722418aa7b3d6e010d7401f06b2a408aecf726917fbfef8ce
                • Opcode Fuzzy Hash: d500c575e3676803567ea298e9733c6c921fc8262a1b4f0be6d5d4965850e478
                • Instruction Fuzzy Hash: 2EF0DF34200610CFC718DB2CD588D59BBE6EF49B1971145A9E10ACB332CBB2EC40CB80
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b22c1d9eaaaa8591462bc6898eab9021846b2c5c18f10afb3eba1b77bf613430
                • Instruction ID: 11e53991f7e18557a3017a973d2e065213f2a457ff0559d0a41c6c4fd77d30d3
                • Opcode Fuzzy Hash: b22c1d9eaaaa8591462bc6898eab9021846b2c5c18f10afb3eba1b77bf613430
                • Instruction Fuzzy Hash: 5CF0EC76701251DFD714DF26D9844A7B776FBC5322349C0AAE5049B260CB34B852CB50
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 76f4350d375574bd0ac75e1b1105c77400a1a71d03d5fb7a3cfa0d215ce267f1
                • Instruction ID: 9677a11c567ff494edcb7a2a978091d7e7121d0d6bde57c6bca18bb30c5a1348
                • Opcode Fuzzy Hash: 76f4350d375574bd0ac75e1b1105c77400a1a71d03d5fb7a3cfa0d215ce267f1
                • Instruction Fuzzy Hash: 4AF0ED30901248EFC700FFB0E481A8C3FF0EB81201B2085ADDC09AF222EA369E11D752
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 06a5a70f487c1075fbd27a2bf34d258ad191c38ade9b3ffab0f0538b5d394565
                • Instruction ID: 7a4324e8b1f60329bedf73c56e9bfcd9e7d49ed5b941e4658235529aa99ad9ed
                • Opcode Fuzzy Hash: 06a5a70f487c1075fbd27a2bf34d258ad191c38ade9b3ffab0f0538b5d394565
                • Instruction Fuzzy Hash: F2E08C313146049FD31CEA1CE88086A77E9EF8836031489AEF109D3664DEA0FC044689
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a3f0ad66bcec46fb3532be2b17c0aa4a238c8eb65ac479047b3c58cd18c9454a
                • Instruction ID: 1edbbdd20eb8dc09089e6199ad336e8d3d0e2542192aa1221fd535cb7e3ff258
                • Opcode Fuzzy Hash: a3f0ad66bcec46fb3532be2b17c0aa4a238c8eb65ac479047b3c58cd18c9454a
                • Instruction Fuzzy Hash: 28E08C72319B009FC31CDF2CE8409967BF5EF8A75031885EEE149CB761DAA4EC068780
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b2d61239e2008ecb0dcdf322bcbf0363db9f9aae588961ea15a6f178a4b0c76a
                • Instruction ID: 9ca2e8559856c5a486e902a5c232591ef07f4a5d48140d04d08c0602936e5d45
                • Opcode Fuzzy Hash: b2d61239e2008ecb0dcdf322bcbf0363db9f9aae588961ea15a6f178a4b0c76a
                • Instruction Fuzzy Hash: D8F0AE35A05208CFCB59EFA8D5845DCB7F1EB9A216F6000E9D025B7260C7366E61CB21
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 41b929c1e0ff982597596a1e8f6299d85360fd768535af75948a67ff2a7a7e9d
                • Instruction ID: 328dd8a352441968c4ab98af468bd443ed9ba92024f17328b0fda3c07950b155
                • Opcode Fuzzy Hash: 41b929c1e0ff982597596a1e8f6299d85360fd768535af75948a67ff2a7a7e9d
                • Instruction Fuzzy Hash: 19E08630A00209EFC704EFA5E58055D7BF5FB84705B208158D804AB324EB736F10DB51
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 89073de5d98f2d5db345c34b043cdfbc338634d3e91c7ebbab26716270eb8d06
                • Instruction ID: 339710090afe6bcec41a456925474eed3a5ec7d3d0438fd586911821eeca8ff3
                • Opcode Fuzzy Hash: 89073de5d98f2d5db345c34b043cdfbc338634d3e91c7ebbab26716270eb8d06
                • Instruction Fuzzy Hash: 3DE0B636500209EFCB01DF54D948C997BBAFF05304759C0A6E9194F636C736E965EF40
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c00a994049323357cceac8c66aa46dd8ba0bb6409bb65f7ea3769398c4d63cb9
                • Instruction ID: 88262181ba8e678f7da18dfbdb8d28ba7e50a5d9213fb69755b6d45f71a4467b
                • Opcode Fuzzy Hash: c00a994049323357cceac8c66aa46dd8ba0bb6409bb65f7ea3769398c4d63cb9
                • Instruction Fuzzy Hash: 57D0C9363101289F8B049B69E848CA97BE9EB5D66131180A6F909CB361CA71DC118BD4
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cff6f0b170d91990e0b468996ddf6addde5b459c96ff4d9561b543d3eb0916e0
                • Instruction ID: a564a2023583d36ab73269d3362bed7c74276dda93845a698651a2bcd217143d
                • Opcode Fuzzy Hash: cff6f0b170d91990e0b468996ddf6addde5b459c96ff4d9561b543d3eb0916e0
                • Instruction Fuzzy Hash: 40D05EE084C1D09ECF26472024656A43F58873A315F0905D5DA8506143C054122ECE26
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 0000000F.00000002.2169168795.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BA0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_15_2_4ba0000_iqKlcCJyhhi.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f52009d13c92aabbfd3724fb1f380b9a9c7fad6655ec4c34d86f01e576c474af
                • Instruction ID: ea37d913f8acd6f23154699088e105e4d5bf30a07d9589632d37bc385c506d80
                • Opcode Fuzzy Hash: f52009d13c92aabbfd3724fb1f380b9a9c7fad6655ec4c34d86f01e576c474af
                • Instruction Fuzzy Hash: 2CC002E0C9C1D05DDF3A876471583543F9A537A32DF990A89D88A41143C559526CCF31
                Uniqueness

                Uniqueness Score: -1.00%