
Windows Analysis Report
tmjGCGOEGMinVPD.exe

Overview

General Information

Sample name: tmjGCGOEGMinVPD.exe
Analysis ID: 1427196
MD5: b5006f1dac678c6e6a2c698704e49ad4
SHA1: 2ad2b936da60e85c1dc26b6281ad8380393b0fcb
SHA256: 17ffcd130215ae5b3f8ba4f4aa5577abdf7c44a0c2e70619c35e42bafbbb3a82
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • tmjGCGOEGMinVPD.exe (PID: 6416 cmdline: "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe" MD5: B5006F1DAC678C6E6A2C698704E49AD4)
    • powershell.exe (PID: 6556 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 3160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5876 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5908 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp2292.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 2800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 4796 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • IeagOAdQiUHWi.exe (PID: 4724 cmdline: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe MD5: B5006F1DAC678C6E6A2C698704E49AD4)
    • schtasks.exe (PID: 5864 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp31D4.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 6404 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.morabitur.com", "Username": "bookings@morabitur.com", "Password": "Book&Confirm!"}
Yara matches in memory dumps (18 entries in total, 5 shown):
  • Source: 0000000D.00000002.3233129383.000000000300C000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
  • Source: 00000008.00000002.2052069250.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
  • Source: 0000000D.00000002.3233129383.0000000003014000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
  • Source: 00000008.00000002.2052069250.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
  • Source: 00000008.00000002.2052069250.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

Yara matches in unpacked PE files (24 entries in total, 5 shown):
  • Source: 8.2.RegSvcs.exe.400000.0.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
  • Source: 8.2.RegSvcs.exe.400000.0.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security
  • Source: 8.2.RegSvcs.exe.400000.0.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen, Strings:
    • 0x33621:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
    • 0x33693:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
    • 0x3371d:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
    • 0x337af:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
    • 0x33819:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
    • 0x3388b:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
    • 0x33921:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
    • 0x339b1:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
  • Source: 9.2.IeagOAdQiUHWi.exe.3d16a18.4.unpack, Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Author: Joe Security
  • Source: 9.2.IeagOAdQiUHWi.exe.3d16a18.4.unpack, Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Author: Joe Security

System Summary

Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe", ParentImage: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, ParentProcessId: 6416, ParentProcessName: tmjGCGOEGMinVPD.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe", ProcessId: 6556, ProcessName: powershell.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp31D4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp31D4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, ParentImage: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, ParentProcessId: 4724, ParentProcessName: IeagOAdQiUHWi.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp31D4.tmp", ProcessId: 5864, ProcessName: schtasks.exe
Source: Network Connection, Author: frack113, Data: DestinationIp: 198.46.88.214, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 4796, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706
Source: Process started, Author: Florian Roth (Nextron Systems), Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp2292.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp2292.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe", ParentImage: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, ParentProcessId: 6416, ParentProcessName: tmjGCGOEGMinVPD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp2292.tmp", ProcessId: 5908, ProcessName: schtasks.exe
Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe", ParentImage: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, ParentProcessId: 6416, ParentProcessName: tmjGCGOEGMinVPD.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe", ProcessId: 6556, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started, Author: Joe Security, Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp2292.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp2292.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe", ParentImage: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, ParentProcessId: 6416, ParentProcessName: tmjGCGOEGMinVPD.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp2292.tmp", ProcessId: 5908, ProcessName: schtasks.exe
No Snort rule has matched

AV Detection

Source: 9.2.IeagOAdQiUHWi.exe.3cdbdf8.3.raw.unpack, Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.morabitur.com", "Username": "bookings@morabitur.com", "Password": "Book&Confirm!"}
Source: mail.morabitur.com, Virustotal: Detection: 8%
Source: http://mail.morabitur.com, Virustotal: Detection: 8%
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Virustotal: Detection: 31%
Source: tmjGCGOEGMinVPD.exe, ReversingLabs: Detection: 39%
Source: tmjGCGOEGMinVPD.exe, Virustotal: Detection: 31%
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Joe Sandbox ML: detected
Source: tmjGCGOEGMinVPD.exe, Joe Sandbox ML: detected
Source: tmjGCGOEGMinVPD.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: tmjGCGOEGMinVPD.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, Code function: 4x nop then jmp 05DCBF75h, 0_2_05DCB890
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Code function: 4x nop then jmp 05F6B465h, 9_2_05F6AD80

Networking

Source: Yara match, File source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.tmjGCGOEGMinVPD.exe.3b45688.2.raw.unpack, type: UNPACKEDPE
Source: global traffic, TCP traffic: 192.168.2.5:49706 -> 198.46.88.214:587
Source: Joe Sandbox View, IP Address: 104.26.13.205
Source: Joe Sandbox View, IP Address: 198.46.88.214
Source: Joe Sandbox View, ASN Name: INMOTI-1US
Source: Joe Sandbox View, JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown, DNS query: name: api.ipify.org (3 queries)
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0, Host: api.ipify.org, Connection: Keep-Alive (4 requests)
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (2 detections)
Source: unknown, DNS traffic detected: queries for: api.ipify.org
Source: RegSvcs.exe (memory dumps), String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: RegSvcs.exe (memory dumps), String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: RegSvcs.exe (memory dumps), String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: RegSvcs.exe (memory dumps), String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: RegSvcs.exe (memory dumps), String found in binary or memory: http://mail.morabitur.com
Source: RegSvcs.exe (memory dumps), String found in binary or memory: http://ocsp.comodoca.com0
Source: tmjGCGOEGMinVPD.exe, RegSvcs.exe, IeagOAdQiUHWi.exe (memory dumps), String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: tmjGCGOEGMinVPD.exe, RegSvcs.exe, IeagOAdQiUHWi.exe (memory dumps), String found in binary or memory: https://account.dyn.com/
Source: tmjGCGOEGMinVPD.exe, RegSvcs.exe, IeagOAdQiUHWi.exe (memory dumps), String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe (memory dumps), String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe (memory dumps), String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe (memory dumps), String found in binary or memory: https://sectigo.com/CPS0
Source: unknown, Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49707 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, cPKWk.cs, .Net Code: khI1
Source: 0.2.tmjGCGOEGMinVPD.exe.3b45688.2.raw.unpack, cPKWk.cs, .Net Code: khI1

System Summary

Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 9.2.IeagOAdQiUHWi.exe.3d16a18.4.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 9.2.IeagOAdQiUHWi.exe.3cdbdf8.3.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.tmjGCGOEGMinVPD.exe.3b45688.2.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 9.2.IeagOAdQiUHWi.exe.3d16a18.4.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 9.2.IeagOAdQiUHWi.exe.3cdbdf8.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.tmjGCGOEGMinVPD.exe.3b45688.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers, Author: ditekSHen
Source: 0.2.tmjGCGOEGMinVPD.exe.5b30000.5.raw.unpack, .cs, Large array initialization: array initializer size 13798
Source: 0.2.tmjGCGOEGMinVPD.exe.28faa54.0.raw.unpack, .cs, Large array initialization: array initializer size 13798
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, Code function: 0_2_0289E368
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, Code function: 0_2_05DC1E70
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, Code function: 0_2_05DC6550
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, Code function: 0_2_05DC4EA8
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, Code function: 0_2_05DC1E60
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, Code function: 0_2_05DC6E17
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, Code function: 0_2_05DC6E28
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, Code function: 0_2_05DC7338
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, Code function: 0_2_05DC7328
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe, Code function: 0_2_05DC4A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_011BA5F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_011BB7FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_011BE6F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_011B4AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_011B3EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_011BDEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_011B41F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_066E56B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_066EC288
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_066EB31A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_066E3168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_066E7E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_066E77A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_066EE4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_066E0040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_066E5DEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_066E0038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 8_2_066E0006
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Code function: 9_2_010EE368
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Code function: 9_2_05F61E70
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Code function: 9_2_05F6C880
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Code function: 9_2_05F66550
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Code function: 9_2_05F67338
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Code function: 9_2_05F67328
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Code function: 9_2_05F64EA8
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Code function: 9_2_05F61E60
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Code function: 9_2_05F66E28
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Code function: 9_2_05F66E17
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe, Code function: 9_2_05F64A70
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_013ADB8813_2_013ADB88
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_013AEAF813_2_013AEAF8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_013A4AC013_2_013A4AC0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_013A3EA813_2_013A3EA8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_013A41F013_2_013A41F0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0686D06C13_2_0686D06C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0686A46813_2_0686A468
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0686DF1013_2_0686DF10
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0686BD0013_2_0686BD00
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_068856B013_2_068856B0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_068866F813_2_068866F8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0688C28813_2_0688C288
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0688B31B13_2_0688B31B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0688316813_2_06883168
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_06887E8013_2_06887E80
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_068877A013_2_068877A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0688E4A013_2_0688E4A0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0688004013_2_06880040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_06885DEB13_2_06885DEB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0688000713_2_06880007
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 13_2_0688003813_2_06880038
Source: tmjGCGOEGMinVPD.exe, 00000000.00000002.2036680771.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename3c9920d9-0bbf-4165-a948-73d58106b6fe.exe4 vs tmjGCGOEGMinVPD.exe
Source: tmjGCGOEGMinVPD.exe, 00000000.00000002.2036680771.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs tmjGCGOEGMinVPD.exe
Source: tmjGCGOEGMinVPD.exe, 00000000.00000002.2041471952.0000000005B30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs tmjGCGOEGMinVPD.exe
Source: tmjGCGOEGMinVPD.exe, 00000000.00000002.2033706818.0000000000AAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs tmjGCGOEGMinVPD.exe
Source: tmjGCGOEGMinVPD.exe, 00000000.00000002.2036286887.0000000002921000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename3c9920d9-0bbf-4165-a948-73d58106b6fe.exe4 vs tmjGCGOEGMinVPD.exe
Source: tmjGCGOEGMinVPD.exe, 00000000.00000002.2036286887.00000000028D1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs tmjGCGOEGMinVPD.exe
Source: tmjGCGOEGMinVPD.exe, 00000000.00000002.2041813905.0000000005D30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs tmjGCGOEGMinVPD.exe
Source: tmjGCGOEGMinVPD.exe | Binary or memory string: OriginalFilenameqQZO.exe4 vs tmjGCGOEGMinVPD.exe
Source: tmjGCGOEGMinVPD.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.IeagOAdQiUHWi.exe.3d16a18.4.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.IeagOAdQiUHWi.exe.3cdbdf8.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.tmjGCGOEGMinVPD.exe.3b45688.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.IeagOAdQiUHWi.exe.3d16a18.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.IeagOAdQiUHWi.exe.3cdbdf8.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.tmjGCGOEGMinVPD.exe.3b45688.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: tmjGCGOEGMinVPD.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: IeagOAdQiUHWi.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, cPs8D.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, 72CF8egH.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, G5CXsdn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, 3uPsILA6U.cs | Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, 6oQOw74dfIt.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, aMIWm.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, 3QjbQ514BDx.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, XEdC7QV6Rt5lnY2C0O.cs | Security API names: _0020.SetAccessControl
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, XEdC7QV6Rt5lnY2C0O.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, XEdC7QV6Rt5lnY2C0O.cs | Security API names: _0020.AddAccessRule
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, j5dpp8OOTTnYqdQADi.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/15@2/2
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | File created: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:348:120:WilError_03
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe | Mutant created: \Sessions\1\BaseNamedObjects\VRVtugv
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | File created: C:\Users\user\AppData\Local\Temp\tmp2292.tmp
Source: tmjGCGOEGMinVPD.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: tmjGCGOEGMinVPD.exe | ReversingLabs: Detection: 39%
Source: tmjGCGOEGMinVPD.exe | Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | File read: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe"
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp2292.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp31D4.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: tmjGCGOEGMinVPD.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: tmjGCGOEGMinVPD.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

Source: 0.2.tmjGCGOEGMinVPD.exe.5b30000.5.raw.unpack, LoginForm.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, XEdC7QV6Rt5lnY2C0O.cs | .Net Code: RETAT27GhG System.Reflection.Assembly.Load(byte[])
Source: 0.2.tmjGCGOEGMinVPD.exe.28faa54.0.raw.unpack, LoginForm.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Code function: 0_2_05B11580 push esp; ret 0_2_05B11581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_011B0C3D push edi; ret 8_2_011B0CC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_011B0C95 push edi; retf 8_2_011B0C3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_066E248A push edx; retf 8_2_066E248B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_066E6CAA push edx; retf 8_2_066E6CB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_066E2AB4 push ebx; ret 8_2_066E2ABA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_013A0C3D push edi; ret 13_2_013A0CC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_013A0C95 push edi; retf 13_2_013A0C3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 13_2_06882AB4 push ebx; ret 13_2_06882ABA
Source: tmjGCGOEGMinVPD.exe | Static PE information: section name: .text entropy: 7.919208382510467
Source: IeagOAdQiUHWi.exe.0.dr | Static PE information: section name: .text entropy: 7.919208382510467
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, xgwRJErkKT654DOZWbC.cs | High entropy of concatenated method names: 'fFysjr3yd7', 'XvqsiFuLj1', 'QHtsTHta23', 'jsjs2F5mUx', 'jBVsw2fO3t', 'YkGsyqadfG', 'WuVsZb81bT', 'x7vsO32Yv1', 'uFTstaHgcg', 'zX3sv9yM1L'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, dPegeW0eYejufclxKQ.cs | High entropy of concatenated method names: 'ArhGQi4uxT', 'TGVG4sW9xh', 'QrHoktlItl', 'Fptor3GbiZ', 'B5tGqiMXu8', 'LsfGhnZ2kD', 'gwnG7jCWib', 'tAYGDInZ3y', 'kB8GaKqMCL', 'AljGdvuN8j'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, FaZ3HItojvthwe2kHO.cs | High entropy of concatenated method names: 'd87c2bYKCo', 'SRbcyXdDfF', 'pNacOODyVP', 'T6dctEPOXc', 'SMUcfeJ9Ce', 'sf1cujRmx8', 'zZBcGMGk2l', 'bm6coJu1Wk', 'NlVcs58QJx', 'L0tcp3kDAY'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, bx4kos4UeHAlmi1Ndi.cs | High entropy of concatenated method names: 'r07srLCoXS', 'bDfsBB2oTu', 'UC8sAWduTa', 'aSAs8m6Ikm', 'gYdslOVrHB', 'SiisnHgITd', 'OIbs9MGVZP', 'D2moULfdy0', 'LURoQmI12f', 'o6WoIFQCd7'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, Xr3uQfrBk5aUXpYtnMp.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'OY5pDE7qG0', 'Oarpav5aeR', 'arWpdFcok4', 'e2vp12tK6y', 'ESCpMLRwBa', 'iKPp0w70W4', 'sQ9pUQqGhk'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, BDRpIDdweyCaa107hN.cs | High entropy of concatenated method names: 'ToString', 'WIhuqsblth', 'lMDuKIrsA5', 'e4suWYe17m', 'Ma2uS1qR1k', 'GWlueLpKFF', 'sl2uLbLJNr', 'Enuu562T7o', 'jJwuxPHx5y', 'fQqub9Tgiy'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, w8yq0j6JB6FNo6g1ro.cs | High entropy of concatenated method names: 'rrJT0o2DY', 'Hyj2xgpBx', 'l7UySMyHc', 'BM8Z5ZqmN', 'w0Dt4yRyW', 'm73vRpCMj', 'AaDOMw4RI7rNHlBSu6', 'sZMMkYvRiqDAJWTBH7', 's7EoXC5OA', 'YtOphVZ07'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, CmryaQcYPIgtA2oWdC.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'D5Y6IELbye', 'VLL64Kmt0g', 'JuZ6z9K1sT', 'U6YBk8RgNb', 'OgoBrHWoDH', 'nFmB67OYGw', 'UCsBBVTv1b', 'pFTnrA2OB7x2l4LpyRO'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, JevAQxAsvQTfoTo7qV.cs | High entropy of concatenated method names: 'deNrN5dpp8', 'DTTrVnYqdQ', 'Yojrgvthwe', 'AkHrHO7Wcp', 'Jtnrf0R9qH', 'bOnruP8Osq', 'xdTswmHCnCcOwwMjZ0', 'L8Nsp6tTOUaxgsnWXV', 'iSDrrry9ju', 'xSLrB6VrNF'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, reBkZm5kKl9IGNPYB0.cs | High entropy of concatenated method names: 'tGDN8fp1hq', 'hgiNckioEw', 'lRlN9TBt8i', 'iYx94c2O1D', 'Yt89zlZ6Rc', 'HwmNk7Fs4K', 'GMyNrEEaOB', 'w1WN66Y3EY', 'SdqNBKPbwT', 'eJNNAYUYJS'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, ptE76C7LaSl1yyFqqB.cs | High entropy of concatenated method names: 'ljpJOGb4Do', 'DCAJt3pTTV', 'JbaJFpuTyK', 'dDyJKPsSMp', 'RxIJSuOV5A', 'tCFJehHeLy', 'tLlJ5NsZ8p', 'v1KJxottXh', 'lRjJPrRMod', 'TZSJqI9RHV'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, Gwmwn1IdWSL8JMswjK.cs | High entropy of concatenated method names: 'mo7oFf41v0', 'pW0oKUbTRm', 'cXnoWsLUUL', 'u19oS06ibZ', 'TEooDdoMQH', 'i8ZoeHrXie', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, kAILssQ1X2KkGcjGo8.cs | High entropy of concatenated method names: 'fILo89KTF4', 'tC0olCHdHE', 'HZkocD2lcL', 'LH8onTIeAu', 'bASo92V9ln', 'WxloNnf0vS', 'SeAoVgp0YV', 'XYYoRX0poR', 'JLBog5pe8E', 'BAZoHe2QwI'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, QWJd5mbBOjp6Sfjb8H.cs | High entropy of concatenated method names: 'sEpNjuhpog', 'INGNiqjmsr', 'l1ANTFDwrT', 'n6iN2tA9aR', 'vIuNwgEfT4', 'JPpNyMwBj3', 'eBoNZ6BE9Q', 'XyPNOp0HLN', 'XXONtvOfG8', 'IuHNvkjoMg'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, XEdC7QV6Rt5lnY2C0O.cs | High entropy of concatenated method names: 'a7WBYZYAyG', 'UENB8h1VlW', 'VNhBlfsH0U', 'o6gBcFkjvg', 'C8mBnA7bCJ', 'EOlB9Pl7Nq', 'VdCBN7UpZ3', 'X6MBV6Ztsx', 'rXyBRVlYjK', 'SD2BggI350'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, QWcpwsv4gssLWetn0R.cs | High entropy of concatenated method names: 'RTNnw9S88v', 'ePGnZrdwxK', 'jjicWD7xH5', 'NjncSt7gqY', 'GnuceRKBjs', 'VHkcL5FHXJ', 'B1jc5Me8fc', 'y1Ocxxa1U3', 'aD1cbRyui2', 'mKUcPUjPY2'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, j5dpp8OOTTnYqdQADi.cs | High entropy of concatenated method names: 'B0FlDWYjvj', 'sdMla1TaTH', 'lu4ldTuikj', 'fbvl1YxnDh', 'W5AlMaM0Vy', 'Lj0l0RFqh6', 'mKmlUNQ6Vx', 'prHlQexFIA', 'EemlITX5sS', 'b6El4j7jbI'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, etSEGYl7TCjAjpMCF9.cs | High entropy of concatenated method names: 'Dispose', 'Mx5rIc3U3L', 'TaZ6KMVYYE', 'GZqCCSc6yv', 'HVAr4ILss1', 'w2KrzkGcjG', 'ProcessDialogKey', 'r8K6kwmwn1', 'SWS6rL8JMs', 'AjK66rx4ko'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, qHUNuXzwKZkLQAARi8.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MrRsJ6YfNC', 'ajbsfeH4K4', 'h2XsuqcIHE', 'dZLsGQdKd0', 'QTDsorF1FT', 'wr9ssy6IwX', 'xkUspKMHUK'
Source: 0.2.tmjGCGOEGMinVPD.exe.5d30000.8.raw.unpack, iqHrOnFP8OsqKpVe0B.cs | High entropy of concatenated method names: 'ywk9Y1eb0p', 'XBO9lfcTOg', 'sE19n6MTRV', 'hXn9N6Nun8', 'DLU9VLZ3Ol', 'kLvnMpgaAM', 'lE3n04isRS', 'kdPnUtXT6y', 'gLCnQ8gcyt', 'FNJnIZfixQ'
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | File created: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe

                    Boot Survival

Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp2292.tmp"

                    Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  Process information set: NOOPENFILEERRORBOX (59 identical entries)
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe  Process information set: NOOPENFILEERRORBOX (44 identical entries)
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Process information set: NOOPENFILEERRORBOX (63 identical entries collapsed)
                    SEM_NOOPENFILEERRORBOX is a SetErrorMode flag that suppresses the "file not found" dialog. Runtimes and installers set it routinely, so on its own it is a low-value indicator; its value here is only that the injected RegSvcs.exe behaves like the dropper rather than like a normal RegSvcs invocation.

                    Malware Analysis System Evasion

                    Source: Yara match :: File source: Process Memory Space: tmjGCGOEGMinVPD.exe PID: 6416, type: MEMORYSTR
                    Source: Yara match :: File source: Process Memory Space: IeagOAdQiUHWi.exe PID: 4724, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration (2 identical entries collapsed)
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory allocated: 10F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory allocated: 28D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory allocated: 48D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory allocated: 5DD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory allocated: 6DD0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory allocated: 7010000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory allocated: 8010000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory allocated: 10E0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory allocated: 2AA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory allocated: 4AA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory allocated: 5F70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory allocated: 6F70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory allocated: 71B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory allocated: 81B0000 memory reserve | memory write watch
                    The MEM_WRITE_WATCH reservations above are how the .NET garbage collector sets up its heap segments; they appear in every managed process (note the identical pattern in the dropper and its dropped copy) and are a weak evasion indicator on their own.
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477 (4 identical entries collapsed)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Thread delayed: delay time: 922337203685477 (2 identical entries collapsed)
                    The value 922337203685477 is Int64.MaxValue (9223372036854775807) divided by 10000, i.e. the maximum 100 ns tick count expressed in milliseconds: an unbounded wait, not a timed sleep. The same value is logged for the sandbox-spawned powershell.exe processes, so it should not be read as anti-analysis by itself; the RegSvcs.exe entries with decreasing delays further down are the loop worth attributing to the payload.
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 5837
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 1328
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 6524
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Window / User API: threadDelayed 1135
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Window / User API: threadDelayed 716
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Window / User API: threadDelayed 2271
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Window / User API: threadDelayed 469
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Window / User API: threadDelayed 2519
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe TID: 6004 :: Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5496 :: Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4320 :: Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5080 :: Thread sleep time: -2767011611056431s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5024 :: Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe TID: 4668 :: Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard (2 identical entries collapsed)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (2 identical entries collapsed)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical entries collapsed)
                    Win32_BaseBoard, Win32_Processor and Win32_NetworkAdapterConfiguration expose manufacturer, serial and MAC data; querying all three from a RegSvcs.exe that was started with no arguments is the correlation worth alerting on, since legitimate RegSvcs runs register COM+ assemblies and have no reason to enumerate hardware.
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe :: Last function: Thread delayed (2 identical entries collapsed)
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Thread delayed: delay time: 922337203685477 (4 identical entries collapsed)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Thread delayed: delay time: 100000, 99889, 99782, 99657, 99532, 99422, 99313, 99188, 99063, 98938, 98813, 98699, 98594, 98469, 98344, 98233 (16 entries, decreasing in steps of roughly 110)
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Thread delayed: delay time: 100000, 99874, 99765, 99656, 99547, 99433, 99328, 99195, 99084, 98969, 98859, 98749, 98640, 98531, 98421 (15 entries, decreasing in steps of roughly 110)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe :: Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: File opened: C:\Users\user\AppData\Local\Temp\acrocef_low\NULL
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\NULL
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe\Acrobat\NULL
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: File opened: C:\Users\user\AppData\Local\Temp\acrord32_super_sbx\Adobe
                    The acrocef_low and acrord32_super_sbx folders are Acrobat Reader's sandbox scratch directories on the analysis image; the observation of interest is that the dropper walks %LOCALAPPDATA%\Temp, not the folder names themselves.
                    Source: RegSvcs.exe, 00000008.00000002.2056117229.0000000006080000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3238674490.0000000006108000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll (caveat: "Hyper-V RAW" is the name of the Winsock catalog entry for Hyper-V sockets in mswsock.dll and is present on physical Windows 10 hosts as well; it lands in process memory whenever Winsock is initialised and is not evidence of VM detection by itself)
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Process token adjusted: Debug (2 identical entries collapsed)
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe" (3 identical entries collapsed)
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe" (3 identical entries collapsed)
                    The image is the SysWOW64 copy although the command line names System32: the parent is a 32-bit process, so its System32 path is redirected by WoW64 file-system redirection. Each exclusion covers a single file, which is enough to keep Defender from scanning the dropper and its persisted copy; on a suspect host, Get-MpPreference | Select-Object -ExpandProperty ExclusionPath lists what was added.
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B84008
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C4D008
                    This write sequence is process hollowing (RunPE): RegSvcs.exe is created suspended, an RWX region is mapped at 0x400000 (the usual image base of a 32-bit executable), an MZ header (4D5A) is written at the base, the sections follow at 0x402000, 0x43E000 and 0x440000, and the final write lands 8 bytes into another page, consistent with updating ImageBaseAddress at offset 0x08 of the 32-bit PEB before the main thread is resumed. The RegSvcs.exe on disk is untouched, so file scanning of the host process finds nothing; memory scanning of RegSvcs.exe (the Yara hits on process memory above) is what catches the payload.
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp2292.tmp"
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp31D4.tmp"
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe :: Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    The task definition comes from a temporary XML file, so the command line alone does not show the trigger or the action. On a live host, read the stored task under C:\Windows\System32\Tasks\Updates\ or run Export-ScheduledTask -TaskName IeagOAdQiUHWi -TaskPath \Updates\ to recover both; the temp file itself is normally gone by the time anyone looks.
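The following Python is an added example, not part of the Joe Sandbox report and not AgentTesla's code. It implements the detection logic a SOC would want for the behaviours in the two sections above: the Add-MpPreference exclusion (plain and via -EncodedCommand), the schtasks /Create /XML from %TEMP%, the argument-less RegSvcs.exe launched by a profile-resident binary (the hollowing candidate), and the WMI hardware-class queries. It runs over constructed records modelled on Sysmon process-creation and WMI-Activity events; the command lines and paths are the ones listed in the report, while the PIDs, the encoded-command variant and the benign control event are assumptions made for illustration.

```python
import base64
import re
from collections import defaultdict


def encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed telemetry (Sysmon EID 1 style). PIDs, the -enc variant and the
# benign control (pid 7000) are invented; the rest mirrors the report above.
PROC_EVENTS = [
    {"pid": 6500, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe"'},
    {"pid": 6510, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + encode_ps(r"Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming'")},
    {"pid": 6520, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmp2292.tmp"'},
    {"pid": 6540, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent": r"C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 7000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",  # admin excluding a build tree: must not alert
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "D:\build\out"'},
]
# (pid, WMI class) pairs modelled on the WMI-Activity operational log; constructed.
WMI_EVENTS = [(6540, "Win32_Processor"), (6540, "Win32_BaseBoard"),
              (6540, "Win32_NetworkAdapterConfiguration"), (7000, "Win32_Processor")]

USER_WRITABLE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.I)
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
VM_CLASSES = {"win32_processor", "win32_baseboard", "win32_computersystem",
              "win32_networkadapterconfiguration", "win32_diskdrive"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def effective_cmdline(cmdline: str) -> str:
    """Expand -EncodedCommand so rules see the script rather than a base64 blob."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline


def rule_defender_exclusion(ev):
    if basename(ev["image"]) != "powershell.exe":
        return None
    m = re.search(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+['\"]?([^'\"]+)",
                  effective_cmdline(ev["cmdline"]), re.I)
    if not m:
        return None
    target = m.group(1).strip()
    # Alert when the caller lives in a user profile or the exclusion covers one.
    if USER_WRITABLE.match(ev["parent"]) or USER_WRITABLE.match(target):
        return f"Defender exclusion for {target} added by {basename(ev['parent'])}"
    return None


def rule_task_from_temp(ev):
    if basename(ev["image"]) != "schtasks.exe":
        return None
    cl = ev["cmdline"]
    xml = re.search(r"/XML\s+\"?([^\"\s]+)", cl, re.I)
    if re.search(r"/Create\b", cl, re.I) and xml and TEMP_DIR.search(xml.group(1)):
        name = re.search(r"/TN\s+\"?([^\"]+)", cl, re.I)
        return f"task {name.group(1) if name else '?'} registered from temp XML {xml.group(1)}"
    return None


def rule_hollowed_dotnet_host(ev):
    # Argument-less .NET utility spawned by a profile-resident binary: the
    # suspended-create / RWX-at-0x400000 / MZ-write pattern recorded above.
    if basename(ev["image"]) not in DOTNET_HOSTS:
        return None
    bare = ev["cmdline"].replace('"', "").strip()
    if basename(bare) == basename(ev["image"]) and USER_WRITABLE.match(ev["parent"]):
        return f"{basename(ev['image'])} started with no arguments by {basename(ev['parent'])}"
    return None


def rule_wmi_hardware_fingerprint(proc_events, wmi_events):
    """Two or more hardware classes enumerated by a profile-resident or .NET host process."""
    by_pid = {ev["pid"]: ev for ev in proc_events}
    seen = defaultdict(set)
    for pid, cls in wmi_events:
        if cls.lower() in VM_CLASSES:
            seen[pid].add(cls.lower())
    hits = []
    for pid, classes in seen.items():
        ev = by_pid.get(pid)
        odd_host = ev and (USER_WRITABLE.match(ev["image"]) or basename(ev["image"]) in DOTNET_HOSTS)
        if len(classes) >= 2 and odd_host:
            hits.append((pid, f"hardware fingerprint via {sorted(classes)}"))
    return hits


def run_detections(proc_events, wmi_events):
    """Return (pid, rule name, detail) for every hit."""
    hits = []
    for ev in proc_events:
        for rule in (rule_defender_exclusion, rule_task_from_temp, rule_hollowed_dotnet_host):
            detail = rule(ev)
            if detail:
                hits.append((ev["pid"], rule.__name__, detail))
    for pid, detail in rule_wmi_hardware_fingerprint(proc_events, wmi_events):
        hits.append((pid, "rule_wmi_hardware_fingerprint", detail))
    return hits


if __name__ == "__main__":
    for pid, rule, detail in run_detections(PROC_EVENTS, WMI_EVENTS):
        print(f"{pid:>5}  {rule:<30}  {detail}")
```

The exclusion rule keys on the parent's location and the excluded path rather than on Add-MpPreference alone, which is why the control event from cmd.exe excluding D:\build\out stays silent; in production the USER_WRITABLE pattern should be widened to whatever user-writable roots the estate uses (ProgramData subfolders, removable media), and the WMI rule should be fed from the WMI-Activity operational log or an EDR's WMI telemetry, since Sysmon does not record IWbemServices calls.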
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Queries volume information: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe VolumeInformation
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 identical entries collapsed)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeQueries volume information: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\tmjGCGOEGMinVPD.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.IeagOAdQiUHWi.exe.3d16a18.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.IeagOAdQiUHWi.exe.3cdbdf8.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.tmjGCGOEGMinVPD.exe.3b45688.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.IeagOAdQiUHWi.exe.3d16a18.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.IeagOAdQiUHWi.exe.3cdbdf8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.tmjGCGOEGMinVPD.exe.3b45688.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000D.00000002.3233129383.000000000300C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2052069250.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.3233129383.0000000003014000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2052069250.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2049853033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.3233129383.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2074421489.0000000003CDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2036680771.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: tmjGCGOEGMinVPD.exe PID: 6416, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4796, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: IeagOAdQiUHWi.exe PID: 4724, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6404, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.IeagOAdQiUHWi.exe.3d16a18.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.IeagOAdQiUHWi.exe.3cdbdf8.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.tmjGCGOEGMinVPD.exe.3b45688.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.IeagOAdQiUHWi.exe.3d16a18.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.IeagOAdQiUHWi.exe.3cdbdf8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.tmjGCGOEGMinVPD.exe.3b45688.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000008.00000002.2052069250.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2049853033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.3233129383.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2074421489.0000000003CDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2036680771.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: tmjGCGOEGMinVPD.exe PID: 6416, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4796, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: IeagOAdQiUHWi.exe PID: 4724, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6404, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.IeagOAdQiUHWi.exe.3d16a18.4.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.IeagOAdQiUHWi.exe.3cdbdf8.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.tmjGCGOEGMinVPD.exe.3b45688.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.IeagOAdQiUHWi.exe.3d16a18.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.IeagOAdQiUHWi.exe.3cdbdf8.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.tmjGCGOEGMinVPD.exe.3b0aa68.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.tmjGCGOEGMinVPD.exe.3b45688.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000D.00000002.3233129383.000000000300C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2052069250.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.3233129383.0000000003014000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2052069250.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000008.00000002.2049853033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.3233129383.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2074421489.0000000003CDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2036680771.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: tmjGCGOEGMinVPD.exe PID: 6416, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 4796, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: IeagOAdQiUHWi.exe PID: 4724, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6404, type: MEMORYSTR
                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                    Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                    Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                    Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 311 Process Injection
                    Credential Access: 1 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                    Discovery: 2 File and Directory Discovery; 24 System Information Discovery; 211 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                    Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                    Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
Behavior Graph ID: 1427196   Sample: tmjGCGOEGMinVPD.exe   Startdate: 17/04/2024   Architecture: WINDOWS   Score: 100

node 2: Start
  DNS/IP: mail.morabitur.com; api.ipify.org
  Signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
  Started: tmjGCGOEGMinVPD.exe 7 (node 8); IeagOAdQiUHWi.exe 5 (node 12)

node 8: tmjGCGOEGMinVPD.exe 7
  Dropped: C:\Users\user\AppData\...\IeagOAdQiUHWi.exe, PE32; C:\Users\user\AppData\Local\...\tmp2292.tmp, XML
  Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Adds a directory exclusion to Windows Defender
  Started: RegSvcs.exe 15 2 (node 14); powershell.exe 23 (node 18); powershell.exe 23 (node 20); schtasks.exe 1 (node 22)

node 12: IeagOAdQiUHWi.exe 5
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Injects a PE file into a foreign processes
  Started: RegSvcs.exe (node 24); schtasks.exe (node 26)

node 14: RegSvcs.exe 15 2
  DNS/IP: mail.morabitur.com 198.46.88.214, ports 49706, 49708, 587, INMOTI-1US, United States; api.ipify.org 104.26.13.205, ports 443, 49705, 49707, CLOUDFLARENETUS, United States
  Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access)

node 18: powershell.exe 23
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe (node 28); WmiPrvSE.exe (node 30)

node 20: powershell.exe 23
  Started: conhost.exe (node 32)

node 22: schtasks.exe 1
  Started: conhost.exe (node 34)

node 24: RegSvcs.exe
  Signatures: Tries to harvest and steal browser information (history, passwords, etc)

node 26: schtasks.exe
  Started: conhost.exe (node 36)

Source | Detection | Scanner | Label
tmjGCGOEGMinVPD.exe | 39% | ReversingLabs | Win32.Trojan.Leonem
tmjGCGOEGMinVPD.exe | 32% | Virustotal |
tmjGCGOEGMinVPD.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe | 39% | ReversingLabs | Win32.Trojan.Leonem
C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe | 32% | Virustotal |

No Antivirus matches

Source | Detection | Scanner | Label
mail.morabitur.com | 9% | Virustotal |

Source | Detection | Scanner | Label
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://mail.morabitur.com | 9% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.13.205 | true | false | | high
mail.morabitur.com | 198.46.88.214 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | tmjGCGOEGMinVPD.exe, 00000000.00000002.2036680771.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2049853033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2052069250.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, IeagOAdQiUHWi.exe, 00000009.00000002.2074421489.0000000003CDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3233129383.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://sectigo.com/CPS0 | RegSvcs.exe, 00000008.00000002.2052069250.0000000002D34000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2056117229.0000000006080000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3233129383.0000000003014000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3238674490.0000000006108000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3232298389.0000000001068000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3238674490.00000000060E0000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | tmjGCGOEGMinVPD.exe, 00000000.00000002.2036680771.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2049853033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, IeagOAdQiUHWi.exe, 00000009.00000002.2074421489.0000000003CDB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.ipify.org/t | RegSvcs.exe, 00000008.00000002.2052069250.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3233129383.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://mail.morabitur.com | RegSvcs.exe, 00000008.00000002.2052069250.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3233129383.000000000300C000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | tmjGCGOEGMinVPD.exe, 00000000.00000002.2036286887.00000000028D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000008.00000002.2052069250.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, IeagOAdQiUHWi.exe, 00000009.00000002.2072332030.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.3233129383.0000000002F9C000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
198.46.88.214 | mail.morabitur.com | United States | 54641 | INMOTI-1US | true
                                Joe Sandbox version:40.0.0 Tourmaline
                                Analysis ID:1427196
                                Start date and time:2024-04-17 08:34:05 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 8m 19s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:tmjGCGOEGMinVPD.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@19/15@2/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 98%
                                • Number of executed functions: 177
                                • Number of non-executed functions: 25
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtCreateKey calls found.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
08:34:52 | API Interceptor | 1x Sleep call for process: tmjGCGOEGMinVPD.exe modified
08:34:53 | API Interceptor | 28x Sleep call for process: powershell.exe modified
08:34:54 | Task Scheduler | Run new task: IeagOAdQiUHWi path: C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe
08:34:55 | API Interceptor | 31x Sleep call for process: RegSvcs.exe modified
08:34:56 | API Interceptor | 1x Sleep call for process: IeagOAdQiUHWi.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.13.205 | SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
104.26.13.205 | Sky-Beta-Setup.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | ArenaWarSetup.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.13.205 | Sky-Beta Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/?format=json
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
198.46.88.214 | eTo4MkEQvX.exe | malicious | AgentTesla |
198.46.88.214 | Quotation[MPI-240401.exe | malicious | AgentTesla |
198.46.88.214 | SOA.exe | malicious | AgentTesla |
198.46.88.214 | blessed.exe | malicious | AgentTesla |
198.46.88.214 | Order 0128-4894.exe | malicious | AgentTesla |
198.46.88.214 | 050522 Swift OR22182862.xlsx | malicious | AgentTesla |
198.46.88.214 | bless.exe | malicious | AgentTesla |
198.46.88.214 | iAKgcYg6TV.exe | malicious | AgentTesla |
198.46.88.214 | Arrival Notice Copy.xlsx | malicious | AgentTesla |
198.46.88.214 | Original Shipping Documents.xlsx | malicious | AgentTesla |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | SAMPLE PURCHASE ORDER.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | Eaton PO-45150292964.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | 45brrQrxwH.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | Quotation 0048484.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | msXkgFIUyS.rtf | malicious | AgentTesla | 104.26.13.205
api.ipify.org | remittance payment of invoice DMWW24009.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | NOA, BL and invoice.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | https://worker-royal-sun-1090.nipocas604.workers.dev/ | malicious | HTMLPhisher | 172.67.74.152
api.ipify.org | z158xIuvhauCQiddTe.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | z34PDnVzyEItkXaInw.exe | malicious | AgentTesla | 172.67.74.152
mail.morabitur.com | eTo4MkEQvX.exe | malicious | AgentTesla | 198.46.88.214
mail.morabitur.com | Quotation[MPI-240401.exe | malicious | AgentTesla | 198.46.88.214
mail.morabitur.com | SOA.exe | malicious | AgentTesla | 198.46.88.214
mail.morabitur.com | blessed.exe | malicious | AgentTesla | 198.46.88.214
mail.morabitur.com | Order 0128-4894.exe | malicious | AgentTesla | 198.46.88.214
mail.morabitur.com | 050522 Swift OR22182862.xlsx | malicious | AgentTesla | 198.46.88.214
mail.morabitur.com | bless.exe | malicious | AgentTesla | 198.46.88.214
mail.morabitur.com | iAKgcYg6TV.exe | malicious | AgentTesla | 198.46.88.214
mail.morabitur.com | Arrival Notice Copy.xlsx | malicious | AgentTesla | 198.46.88.214
mail.morabitur.com | Original Shipping Documents.xlsx | malicious | AgentTesla | 198.46.88.214
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | SAMPLE PURCHASE ORDER.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | http://139.144.214.53/5nXpDw325kdXA19thlgqqvurf31CSRUYYRTWNTDQNU30935IYSS28p9 | malicious | Phisher | 104.21.54.167
CLOUDFLARENETUS | https://theredhendc.com | malicious | Unknown | 104.18.11.207
CLOUDFLARENETUS | Eaton PO-45150292964.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | hcjt7Ajt5t.exe | malicious | LummaC | 172.67.217.241
CLOUDFLARENETUS | 45brrQrxwH.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | Quotation 0048484.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | 3otr19d5Oq.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.21.77.31
CLOUDFLARENETUS | msXkgFIUyS.rtf | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | http://bookstopbuzz.com | malicious | Unknown | 23.227.38.65
INMOTI-1US | eTo4MkEQvX.exe | malicious | AgentTesla | 198.46.88.214
INMOTI-1US | Quotation[MPI-240401.exe | malicious | AgentTesla | 198.46.88.214
INMOTI-1US | https://gcv.microsoft.us/kgRWagmalJ | malicious | HtmlDropper, HTMLPhisher | 173.231.215.6
INMOTI-1US | http://bookkeepers.com/ | malicious | Unknown | 199.250.194.144
INMOTI-1US | http://bookkeepers.com | malicious | Unknown | 199.250.194.144
INMOTI-1US | http://aitcaid.com | malicious | Unknown | 199.250.194.144
INMOTI-1US | fuggy.vbs | malicious | GuLoader, XWorm | 144.208.78.130
INMOTI-1US | Erfarendes.vbs | malicious | GuLoader, XWorm | 144.208.78.130
INMOTI-1US | Vansire1r.wsf | malicious | GuLoader, XWorm | 144.208.78.130
INMOTI-1US | Eneans3varlig.vbs | malicious | GuLoader, XWorm | 144.208.78.130
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Cleared Payment.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Credit_Details21367163050417024.vbs | malicious | AgentTesla, GuLoader | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | SAMPLE PURCHASE ORDER.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Eaton PO-45150292964.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | 45brrQrxwH.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Quotation 0048484.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | remittance payment of invoice DMWW24009.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | 2llKbb9pR7.exe | malicious | LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | NOA, BL and invoice.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | Hays_compiled_documents.ZIP.js | malicious | Unknown | 104.26.13.205
                                                    No context
                                                    Process:C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1415
                                                    Entropy (8bit):5.352427679901606
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
                                                    MD5:97AD91F1C1F572C945DA12233082171D
                                                    SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
                                                    SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
                                                    SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
                                                    Malicious:false
                                                    Reputation:moderate, very likely benign file
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                                    Process:C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):1415
                                                    Entropy (8bit):5.352427679901606
                                                    Encrypted:false
                                                    SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPHKMRatHo6hAH4
                                                    MD5:97AD91F1C1F572C945DA12233082171D
                                                    SHA1:D5E33DDAB37E32E416FC40419FB26B3C0563519D
                                                    SHA-256:3F64591E0447E6F5034BC69A8A8D4C7ED36DAC5FE1E408401AE1B98F0D915F7E
                                                    SHA-512:8FAEED342DADC17571F711DDC1BE67C79A51CA5BD56B5DA13E472ED45FC4EC6F1DC704BA92E81E97F5ECFD73F3D88F9B9CD9AE4EADDF993BFF826627215FBBCE
                                                    Malicious:false
                                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fc
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:modified
                                                    Size (bytes):2232
                                                    Entropy (8bit):5.379677338874509
                                                    Encrypted:false
                                                    SSDEEP:48:tWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:tLHxvIIwLgZ2KRHWLOug8s
                                                    MD5:AAC9B2CC385B2595E11AAF60C4652279
                                                    SHA1:5F14BE9EC829371BFAC9DDBF97BF156C13E03341
                                                    SHA-256:0C17939EA24BBFE7F727AFB0FABC5BAFC8F2A8A5218BC9B2A7580A54B510EC84
                                                    SHA-512:3BC9F81C7C9FD417B7F486550EBBE95CF4BA5408E013AB11FA54400F49DB8ACDAD5EE28C95278DACF62E6FDB30071D193EED741616C91E48F9A2ADC92EAAB257
                                                    Malicious:false
                                                    Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:ASCII text, with no line terminators
                                                    Category:dropped
                                                    Size (bytes):60
                                                    Entropy (8bit):4.038920595031593
                                                    Encrypted:false
                                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                    Malicious:false
                                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                    Process:C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe
                                                    File Type:XML 1.0 document, ASCII text
                                                    Category:dropped
                                                    Size (bytes):1586
                                                    Entropy (8bit):5.103042176671731
                                                    Encrypted:false
                                                    SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt5Bxvn:cgergYrFdOFzOzN33ODOiDdKrsuT5v
                                                    MD5:F43BF10E16106F233420F7CD66B15082
                                                    SHA1:DC60A2D7861D929F3096B431A9D22583027CF54A
                                                    SHA-256:2F3C6E1ACEFC582162D4E3572970E6B316D0C463FF9F96A5C9C861FB48A43778
                                                    SHA-512:FC71FAAA03E5FAA6B73AE4AB575FCBE229564EE3145F1747FF45BBEB01CDBF22E13A11F1A0257B9308237F45113E76E7AF24C798E6E08B2493A8D4114990C454
                                                    Malicious:true
                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                    Process:C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe
                                                    File Type:XML 1.0 document, ASCII text
                                                    Category:dropped
                                                    Size (bytes):1586
                                                    Entropy (8bit):5.103042176671731
                                                    Encrypted:false
                                                    SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt5Bxvn:cgergYrFdOFzOzN33ODOiDdKrsuT5v
                                                    MD5:F43BF10E16106F233420F7CD66B15082
                                                    SHA1:DC60A2D7861D929F3096B431A9D22583027CF54A
                                                    SHA-256:2F3C6E1ACEFC582162D4E3572970E6B316D0C463FF9F96A5C9C861FB48A43778
                                                    SHA-512:FC71FAAA03E5FAA6B73AE4AB575FCBE229564EE3145F1747FF45BBEB01CDBF22E13A11F1A0257B9308237F45113E76E7AF24C798E6E08B2493A8D4114990C454
                                                    Malicious:false
                                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                                    Process:C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe
                                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):708096
                                                    Entropy (8bit):7.909236376438322
                                                    Encrypted:false
                                                    SSDEEP:12288:G/fWTAkMq3EAppRG1/D02YbItl1rr6NPcCCZ7VB2iGI881CEt2UXS+ucb:UmAAEQg3v6NPm7VEIlp2Ui+ucb
                                                    MD5:B5006F1DAC678C6E6A2C698704E49AD4
                                                    SHA1:2AD2B936DA60E85C1DC26B6281AD8380393B0FCB
                                                    SHA-256:17FFCD130215AE5B3F8BA4F4AA5577ABDF7C44A0C2E70619C35E42BAFBBB3A82
                                                    SHA-512:CD21606434F044E533876F37F44579BD916D868AD6E0F4957A9991B29FD03D69773CBF6F1C232BA5DEC41787BCD3C73C04B25A02BB5FDCE6A01104E57BF4D4B7
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 39%
• Antivirus: Virustotal, Detection: 32%
                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,..f................................. ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......$O...............................................................0..A....... .........%.k...(.....l... .........%.=...(.....>...(....*.....&*...B... ....(......*....0..............,.".".#..(....+...*..0...............".".#. ....(....+...*...0...............".".#...(....+...*..0...................... ....(....+...*..0..+.....................(R...+....s....}......j}....*..0............{......*...0..|.......~l.....~>........E....=...H...........=...7.........{.....(j....
                                                    Process:C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):26
                                                    Entropy (8bit):3.95006375643621
                                                    Encrypted:false
                                                    SSDEEP:3:ggPYV:rPYV
                                                    MD5:187F488E27DB4AF347237FE461A079AD
                                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                    Malicious:false
                                                    Preview:[ZoneTransfer]....ZoneId=0
                                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                    Entropy (8bit):7.909236376438322
                                                    TrID:
                                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                                    File name:tmjGCGOEGMinVPD.exe
                                                    File size:708'096 bytes
                                                    MD5:b5006f1dac678c6e6a2c698704e49ad4
                                                    SHA1:2ad2b936da60e85c1dc26b6281ad8380393b0fcb
                                                    SHA256:17ffcd130215ae5b3f8ba4f4aa5577abdf7c44a0c2e70619c35e42bafbbb3a82
                                                    SHA512:cd21606434f044e533876f37f44579bd916d868ad6e0f4957a9991b29fd03d69773cbf6f1c232ba5dec41787bcd3c73c04b25a02bb5fdce6a01104e57bf4d4b7
                                                    SSDEEP:12288:G/fWTAkMq3EAppRG1/D02YbItl1rr6NPcCCZ7VB2iGI881CEt2UXS+ucb:UmAAEQg3v6NPm7VEIlp2Ui+ucb
                                                    TLSH:D0E4121CEFB8AE1BC2D857B9F5722924433789498017FB0F1FE954D90E62B82D45AC87
                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...,..f................................. ........@.. ....................... ............@................................
                                                    Icon Hash:9931c5b98687b385
                                                    Entrypoint:0x4ad1fe
                                                    Entrypoint Section:.text
                                                    Digitally signed:false
                                                    Imagebase:0x400000
                                                    Subsystem:windows gui
                                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                    Time Stamp:0x661F162C [Wed Apr 17 00:22:04 2024 UTC]
                                                    TLS Callbacks:
                                                    CLR (.Net) Version:
                                                    OS Version Major:4
                                                    OS Version Minor:0
                                                    File Version Major:4
                                                    File Version Minor:0
                                                    Subsystem Version Major:4
                                                    Subsystem Version Minor:0
                                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                    Instruction
                                                    jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xad1b0          0x4b          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xae000          0x1600        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xb0000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name:.text
Virtual Address:0x2000
Virtual Size:0xab204
Raw Size:0xab400
MD5:6393fc2eba155fa98c743b60e629a002
Xored PE:False
ZLIB Complexity:0.9414889370437957
File Type:data
Entropy:7.919208382510467
Characteristics:IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Name:.rsrc
Virtual Address:0xae000
Virtual Size:0x1600
Raw Size:0x1600
MD5:a91a51bbc42fb39ff5094f4f03cfd605
Xored PE:False
ZLIB Complexity:0.734375
File Type:data
Entropy:6.525365957817498
Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name:.reloc
Virtual Address:0xb0000
Virtual Size:0xc
Raw Size:0x200
MD5:878acf140226925049ffd7b62381c61e
Xored PE:False
ZLIB Complexity:0.041015625
File Type:data
Entropy:0.08153941234324169
Characteristics:IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name:RT_ICON
RVA:0xae0c8
Size:0xf5d
Type:PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
Language:
Country:
ZLIB Complexity:0.9125349605898805
Name:RT_GROUP_ICON
RVA:0xaf038
Size:0x14
Type:data
Language:
Country:
ZLIB Complexity:1.05
Name:RT_VERSION
RVA:0xaf05c
Size:0x3c0
Type:data
Language:
Country:
ZLIB Complexity:0.453125
DLL:mscoree.dll
Import:_CorExeMain
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 17, 2024 08:34:55.226680040 CEST | 56852 | 53 | 192.168.2.5 | 1.1.1.1
Apr 17, 2024 08:34:55.331197023 CEST | 53 | 56852 | 1.1.1.1 | 192.168.2.5
Apr 17, 2024 08:34:56.651700020 CEST | 49165 | 53 | 192.168.2.5 | 1.1.1.1
Apr 17, 2024 08:34:56.788983107 CEST | 53 | 49165 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 17, 2024 08:34:55.226680040 CEST | 192.168.2.5 | 1.1.1.1 | 0xef15 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 17, 2024 08:34:56.651700020 CEST | 192.168.2.5 | 1.1.1.1 | 0xcb6c | Standard query (0) | mail.morabitur.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 17, 2024 08:34:55.331197023 CEST | 1.1.1.1 | 192.168.2.5 | 0xef15 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Apr 17, 2024 08:34:55.331197023 CEST | 1.1.1.1 | 192.168.2.5 | 0xef15 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Apr 17, 2024 08:34:55.331197023 CEST | 1.1.1.1 | 192.168.2.5 | 0xef15 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Apr 17, 2024 08:34:56.788983107 CEST | 1.1.1.1 | 192.168.2.5 | 0xcb6c | No error (0) | mail.morabitur.com | | 198.46.88.214 | A (IP address) | IN (0x0001) | false
• api.ipify.org

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 104.26.13.205 | 443 | 4796 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-17 06:34:55 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-04-17 06:34:55 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Wed, 17 Apr 2024 06:34:55 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 875a6462be716740-ATL
2024-04-17 06:34:55 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
Data Ascii: 81.181.57.52


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49707 | 104.26.13.205 | 443 | 6404 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-04-17 06:34:59 UTC | 155 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-04-17 06:34:59 UTC | 211 | IN | HTTP/1.1 200 OK
Date: Wed, 17 Apr 2024 06:34:59 GMT
Content-Type: text/plain
Content-Length: 12
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 875a64781b0a53b1-ATL
2024-04-17 06:34:59 UTC | 12 | IN | Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
Data Ascii: 81.181.57.52


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Apr 17, 2024 08:34:57.538146973 CEST | 587 | 49706 | 198.46.88.214 | 192.168.2.5 | 220-ecbiz240.inmotionhosting.com ESMTP Exim 4.96.2 #2 Wed, 17 Apr 2024 02:34:57 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Apr 17, 2024 08:34:57.540855885 CEST | 49706 | 587 | 192.168.2.5 | 198.46.88.214 | EHLO 609290
Apr 17, 2024 08:34:57.655754089 CEST | 587 | 49706 | 198.46.88.214 | 192.168.2.5 | 250-ecbiz240.inmotionhosting.com Hello 609290 [81.181.57.52]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250 HELP
Apr 17, 2024 08:34:57.655916929 CEST | 49706 | 587 | 192.168.2.5 | 198.46.88.214 | STARTTLS
Apr 17, 2024 08:34:57.773452044 CEST | 587 | 49706 | 198.46.88.214 | 192.168.2.5 | 220 TLS go ahead
Apr 17, 2024 08:35:00.089467049 CEST | 587 | 49708 | 198.46.88.214 | 192.168.2.5 | 220-ecbiz240.inmotionhosting.com ESMTP Exim 4.96.2 #2 Wed, 17 Apr 2024 02:35:00 -0400
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
Apr 17, 2024 08:35:00.090274096 CEST | 49708 | 587 | 192.168.2.5 | 198.46.88.214 | EHLO 609290
Apr 17, 2024 08:35:00.207772017 CEST | 587 | 49708 | 198.46.88.214 | 192.168.2.5 | 250-ecbiz240.inmotionhosting.com Hello 609290 [81.181.57.52]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPECONNECT
250-AUTH PLAIN LOGIN
250-CHUNKING
250-STARTTLS
250 HELP
Apr 17, 2024 08:35:00.213350058 CEST | 49708 | 587 | 192.168.2.5 | 198.46.88.214 | STARTTLS
Apr 17, 2024 08:35:00.329638958 CEST | 587 | 49708 | 198.46.88.214 | 192.168.2.5 | 220 TLS go ahead

                                                    Target ID:0
                                                    Start time:08:34:51
                                                    Start date:17/04/2024
                                                    Path:C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe"
                                                    Imagebase:0x550000
                                                    File size:708'096 bytes
                                                    MD5 hash:B5006F1DAC678C6E6A2C698704E49AD4
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2036680771.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2036680771.0000000003B0A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:2
                                                    Start time:08:34:52
                                                    Start date:17/04/2024
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\tmjGCGOEGMinVPD.exe"
                                                    Imagebase:0x260000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:3
                                                    Start time:08:34:52
                                                    Start date:17/04/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:4
                                                    Start time:08:34:52
                                                    Start date:17/04/2024
                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe"
                                                    Imagebase:0x260000
                                                    File size:433'152 bytes
                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:5
                                                    Start time:08:34:53
                                                    Start date:17/04/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:6
                                                    Start time:08:34:53
                                                    Start date:17/04/2024
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp2292.tmp"
                                                    Imagebase:0x100000
                                                    File size:187'904 bytes
                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:7
                                                    Start time:08:34:53
                                                    Start date:17/04/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:8
                                                    Start time:08:34:53
                                                    Start date:17/04/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                    Imagebase:0x970000
                                                    File size:45'984 bytes
                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2052069250.0000000002D2C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2052069250.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2052069250.0000000002D01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2049853033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2049853033.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:9
                                                    Start time:08:34:54
                                                    Start date:17/04/2024
                                                    Path:C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:C:\Users\user\AppData\Roaming\IeagOAdQiUHWi.exe
                                                    Imagebase:0x6f0000
                                                    File size:708'096 bytes
                                                    MD5 hash:B5006F1DAC678C6E6A2C698704E49AD4
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2074421489.0000000003CDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2074421489.0000000003CDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Antivirus matches:
                                                    • Detection: 100%, Joe Sandbox ML
                                                    • Detection: 39%, ReversingLabs
                                                    • Detection: 32%, Virustotal, Browse
                                                    Reputation:low
                                                    Has exited:true

                                                    Target ID:10
                                                    Start time:08:34:55
                                                    Start date:17/04/2024
                                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                    Imagebase:0x7ff6ef0c0000
                                                    File size:496'640 bytes
                                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                    Has elevated privileges:true
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:11
                                                    Start time:08:34:56
                                                    Start date:17/04/2024
                                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IeagOAdQiUHWi" /XML "C:\Users\user\AppData\Local\Temp\tmp31D4.tmp"
                                                    Imagebase:0x100000
                                                    File size:187'904 bytes
                                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:12
                                                    Start time:08:34:57
                                                    Start date:17/04/2024
                                                    Path:C:\Windows\System32\conhost.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                    Imagebase:0x7ff6d64d0000
                                                    File size:862'208 bytes
                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high
                                                    Has exited:true

                                                    Target ID:13
                                                    Start time:08:34:57
                                                    Start date:17/04/2024
                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                    Wow64 process (32bit):true
                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                    Imagebase:0xb10000
                                                    File size:45'984 bytes
                                                    MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                    Has elevated privileges:false
                                                    Has administrator privileges:false
                                                    Programmed in:C, C++ or other language
                                                    Yara matches:
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3233129383.000000000300C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3233129383.0000000003014000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.3233129383.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000D.00000002.3233129383.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                    Reputation:high
                                                    Has exited:false


                                                      Execution Graph

                                                      Execution Coverage:9.5%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:153
                                                      Total number of Limit Nodes:8
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: aff19e0d284b6c186846072e4818acae1866391d506ee4f5292bd3b8da4229bf
                                                      • Instruction ID: 737f83f8c85544060f23000ca73bdbfd421371856a713edadf4713985512fc0e
                                                      • Opcode Fuzzy Hash: aff19e0d284b6c186846072e4818acae1866391d506ee4f5292bd3b8da4229bf
                                                      • Instruction Fuzzy Hash: B521E2B0D046198BEB18CF9ACD443EEBEF7AF88300F14C06AD449A7264DB751949CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f1abede0371222e5c7f5353a7408f5b8f0356322282b2fb073a8d48ac8165e69
                                                      • Instruction ID: a4fdb2053503f18f87b722b0666af1106c0a6275f4cb9245b8ec6e813dd79e0e
                                                      • Opcode Fuzzy Hash: f1abede0371222e5c7f5353a7408f5b8f0356322282b2fb073a8d48ac8165e69
                                                      • Instruction Fuzzy Hash: 0D21E2B0D046198BEB18CFAAC9443EEBEF7AFC9300F14C06AD449A7264DB750949CE90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: f2c84602243177252a7ae3fc2db3524413bfeaba6c0e9f39af5fed489023b08b
                                                      • Instruction ID: fde4a7b099d539ad4dd6cdce6f16fef388f3d6261e0969b0d68403d17a3cb26f
                                                      • Opcode Fuzzy Hash: f2c84602243177252a7ae3fc2db3524413bfeaba6c0e9f39af5fed489023b08b
                                                      • Instruction Fuzzy Hash: 85C08012D4E005D5D90159802C020F4EF7DC64B021F8130D7C14D631525001C5150A15
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4']q$:$paq$~
                                                      • API String ID: 0-2498672421
                                                      • Opcode ID: 9dd24a436934e5528a53d746e1c58a9dfe759c51cffef6962bae7c92b2972b9c
                                                      • Instruction ID: b47c48fafce82c572d59fef29a024552de6b193d230136f0dc1277ed850fb076
                                                      • Opcode Fuzzy Hash: 9dd24a436934e5528a53d746e1c58a9dfe759c51cffef6962bae7c92b2972b9c
                                                      • Instruction Fuzzy Hash: 5A22D475A01218DFDB55CFA8C984E99BBB2FF48304F1580E5E909AB222D732ED91DF50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05DC7CEE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 26b71ba03da18ce030e65379c4582e5b75d9f30bc42a1761f18fc6b9505ba513
                                                      • Instruction ID: 0676dfcf84063e3a6f96453ee32e563d4ee587259c153107e090196bc528e0bd
                                                      • Opcode Fuzzy Hash: 26b71ba03da18ce030e65379c4582e5b75d9f30bc42a1761f18fc6b9505ba513
                                                      • Instruction Fuzzy Hash: 50913871D0021ACFDB24DFA8C845BEDBAB2FF48314F1485AED819A7280DB759985CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05DC7CEE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 6b9c8394d57b2f130de53b9c207ed9540cd8be0256bf8414d0bc44e6d70eb0dc
                                                      • Instruction ID: fdf9284a013a75e5f8a613c22c470a65509df6fa6acaeedda5b9cd591eacd82e
                                                      • Opcode Fuzzy Hash: 6b9c8394d57b2f130de53b9c207ed9540cd8be0256bf8414d0bc44e6d70eb0dc
                                                      • Instruction Fuzzy Hash: 93913871D0021ACFDB24DF68C845BEDBAB2FF48314F1485AED819A7280DB759985CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 02895D59
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2036177873.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2890000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 51075c4c008b2556479ff5111bb08c6bf0ac423d8b85c4221e8ddc60e5b1d74b
                                                      • Instruction ID: 195cd6dcdcca2e6e071125b730c6a72d11c2b318cd266ab0fa9a0d48ab144ab5
                                                      • Opcode Fuzzy Hash: 51075c4c008b2556479ff5111bb08c6bf0ac423d8b85c4221e8ddc60e5b1d74b
                                                      • Instruction Fuzzy Hash: 6D4125B4C00719CBDF25DFA9C844BCDBBB5BF48304F24806AD418AB254DB75694ACF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 02895D59
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2036177873.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2890000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: c8179dbb2bfc66a0c780aa0e6b752b360b7a335b43075f70fcd2ddaf014cd041
                                                      • Instruction ID: 3e88bf11b2a8594420c0b6a666c9b70b9c8a3d87c7c5b73011c24d58cafcebed
                                                      • Opcode Fuzzy Hash: c8179dbb2bfc66a0c780aa0e6b752b360b7a335b43075f70fcd2ddaf014cd041
                                                      • Instruction Fuzzy Hash: 704104B4C0071DCBDB25DFA9C844B9DBBB1BF44308F64806AD408AB254D7756945CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 1105 5dc782b-5dc787e 1108 5dc788e-5dc78cd WriteProcessMemory 1105->1108 1109 5dc7880-5dc788c 1105->1109 1111 5dc78cf-5dc78d5 1108->1111 1112 5dc78d6-5dc7906 1108->1112 1109->1108 1111->1112
                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05DC78C0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: c4292b53b6bfeb6051f0e371b9023003eb24c7d7298b29eb0679e9a838b49f3f
                                                      • Instruction ID: 0a77a418aeb7f2042e37c4b7796fc79d1b801df90fff705343d0bd160e427456
                                                      • Opcode Fuzzy Hash: c4292b53b6bfeb6051f0e371b9023003eb24c7d7298b29eb0679e9a838b49f3f
                                                      • Instruction Fuzzy Hash: AC2126B59003499FCB10DFA9C885BEEBBF5FF48310F14842AE919A7240C778A944CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 1116 5dc7830-5dc787e 1118 5dc788e-5dc78cd WriteProcessMemory 1116->1118 1119 5dc7880-5dc788c 1116->1119 1121 5dc78cf-5dc78d5 1118->1121 1122 5dc78d6-5dc7906 1118->1122 1119->1118 1121->1122
                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05DC78C0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: bbd799b6855e0c2918c15d2ce27b59b4825402300413f0482f3d2f4092748e4b
                                                      • Instruction ID: 1151dadb7f11896ea813976f4096f271c9b80b753bcd9cb0f97f0b9e2e017ed2
                                                      • Opcode Fuzzy Hash: bbd799b6855e0c2918c15d2ce27b59b4825402300413f0482f3d2f4092748e4b
                                                      • Instruction Fuzzy Hash: 4421F6B59003599FCB10DFA9C885BEEBBF5FF48310F10842AE919A7240D778A944CBA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 1137 5dc7918-5dc79ad ReadProcessMemory 1141 5dc79af-5dc79b5 1137->1141 1142 5dc79b6-5dc79e6 1137->1142 1141->1142
                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05DC79A0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: 48b30524d64791f31e39a675ebef2e674ea6e3e06fd7861ed865c8926bb3fd66
                                                      • Instruction ID: 9ad316820e68a132bb9f033a7f23551cd5c0369df9f0b060069f36700a251399
                                                      • Opcode Fuzzy Hash: 48b30524d64791f31e39a675ebef2e674ea6e3e06fd7861ed865c8926bb3fd66
                                                      • Instruction Fuzzy Hash: E22119B1C00249DFCB10DFAAC845AEEBBF5FF48310F50842EE919A7240C7389544CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 1126 5dc7258-5dc72ab 1129 5dc72ad-5dc72b9 1126->1129 1130 5dc72bb-5dc72eb Wow64SetThreadContext 1126->1130 1129->1130 1132 5dc72ed-5dc72f3 1130->1132 1133 5dc72f4-5dc7324 1130->1133 1132->1133
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05DC72DE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: 640f6643b4418a7d211b236790a37d1c2ac4a25f1cc6ee7d3b30cbc5d8e312bf
                                                      • Instruction ID: a166980501a4523553b11cfe6a26beb21bd7f9fca85d7a98d250679a1bfab976
                                                      • Opcode Fuzzy Hash: 640f6643b4418a7d211b236790a37d1c2ac4a25f1cc6ee7d3b30cbc5d8e312bf
                                                      • Instruction Fuzzy Hash: F221E6719002099FDB10DFAAC4857AEBBF5EB48314F54842AE51AA7240CB789945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05DC79A0
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: d05ad10abf20c8b9b1d80ddf909aefdef671c9210f378f33f69d982503fcc7ef
                                                      • Instruction ID: c4c8f85c6b74034320b61fddda0e94fc713302e299fa61a5cc7cda39a77c4ae8
                                                      • Opcode Fuzzy Hash: d05ad10abf20c8b9b1d80ddf909aefdef671c9210f378f33f69d982503fcc7ef
                                                      • Instruction Fuzzy Hash: 9C21F8B1C002599FCB10DFAAC845AEEFBF5FF48310F50842EE559A7250C7799544CBA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 1146 5dc7260-5dc72ab 1148 5dc72ad-5dc72b9 1146->1148 1149 5dc72bb-5dc72eb Wow64SetThreadContext 1146->1149 1148->1149 1151 5dc72ed-5dc72f3 1149->1151 1152 5dc72f4-5dc7324 1149->1152 1151->1152
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05DC72DE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: 81a54d23f672dada84a99453710479d8ed3995e27331de5c7cb5a369b2f72acf
                                                      • Instruction ID: 01c92520d10edc881121eae5d5800b49efe3aa192303509551658279222c59fc
                                                      • Opcode Fuzzy Hash: 81a54d23f672dada84a99453710479d8ed3995e27331de5c7cb5a369b2f72acf
                                                      • Instruction Fuzzy Hash: 752107B19002098FDB10DFAAC4857AEFBF4FF48314F14842ED51AA7240CB789945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05DC77DE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 907ac466147a409b951c2bad49a2565749ddd13e21bfca254f28d9e4e095ec50
                                                      • Instruction ID: db5858c3f1311ed197ea5f9bcc596d8f75c61ec2b854b14775d33dbb8af71c0e
                                                      • Opcode Fuzzy Hash: 907ac466147a409b951c2bad49a2565749ddd13e21bfca254f28d9e4e095ec50
                                                      • Instruction Fuzzy Hash: B81137768002499FCB10DFAAC845AEEBFF5FF48310F24881AE519A7250CB79A544CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05DC77DE
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 982c40b1b0b24f7922f902b5850d04b74b5527cc6833d375ef83d9dca30bf6ed
                                                      • Instruction ID: 1643a09b2f980a02d496b121d42146bbbdadfe74db5d434e3310eefbf53098e6
                                                      • Opcode Fuzzy Hash: 982c40b1b0b24f7922f902b5850d04b74b5527cc6833d375ef83d9dca30bf6ed
                                                      • Instruction Fuzzy Hash: D01137758002499FCB10DFAAC844AEEBFF5FF48310F24881AE519A7250CB79A544CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: a2f824188556f54ac8e657fd48d5e8aa75284386f2ebf9a57ceace729f4d305e
                                                      • Instruction ID: 6d05bd05c33b605563e5f75cf501023db131dd90ee1525a6f35f342cd0fd12fc
                                                      • Opcode Fuzzy Hash: a2f824188556f54ac8e657fd48d5e8aa75284386f2ebf9a57ceace729f4d305e
                                                      • Instruction Fuzzy Hash: 3D1158B19002498FCB10DFAAC4457EEFFF9FF88320F24841AD519A7240CB39A544CBA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: d0b09bee52a773a2aa468d9c28ec97f14d24244623a0b75e7aaf90887028fdbb
                                                      • Instruction ID: f29b35185759c81c2a015579880c50ce329cb2efce7777d7c87e3307595f2e0b
                                                      • Opcode Fuzzy Hash: d0b09bee52a773a2aa468d9c28ec97f14d24244623a0b75e7aaf90887028fdbb
                                                      • Instruction Fuzzy Hash: C31128B19002598FCB10DFAAC4457AEFFF5EF88314F24841AD519A7240CB79A544CBA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 05DCC4FD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: 6e90042560b93e505d8461bbc7e2f1279b23c655d50fc190f9fedf1c242cb7b0
                                                      • Instruction ID: 190f3620cf3959c1e16be2d04c21060ca729d48c7010698b8f89fbf349a7feb4
                                                      • Opcode Fuzzy Hash: 6e90042560b93e505d8461bbc7e2f1279b23c655d50fc190f9fedf1c242cb7b0
                                                      • Instruction Fuzzy Hash: AE11F5B58043499FDB10DF99D849BEEBFF8FB48310F10845AE519A7250C375A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 05DCC4FD
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: 7bc576773d70e080805e1c0c9fc57de73d934a5f5dec44ad782ed5435c940b66
                                                      • Instruction ID: 93215bc218b3ddfc5db614f5fc8d886adda6ff42cb92fe640525336657ab14d9
                                                      • Opcode Fuzzy Hash: 7bc576773d70e080805e1c0c9fc57de73d934a5f5dec44ad782ed5435c940b66
                                                      • Instruction Fuzzy Hash: A91103B58002498FDB10DF99C988BDEBFF4FB48310F14885AE518A7350C379AA44CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 0
                                                      • API String ID: 0-4108050209
                                                      • Opcode ID: ada75928c16dd4cecfd0cccb709bad56a269fc58fb711ca36af6e583a96855de
                                                      • Instruction ID: 229cbc32dacdb108be1864c4e4e8fab38d96f97e4b0b7e5db57a17c95448ba0b
                                                      • Opcode Fuzzy Hash: ada75928c16dd4cecfd0cccb709bad56a269fc58fb711ca36af6e583a96855de
                                                      • Instruction Fuzzy Hash: 03F05878E0D298CFCB41CFA4D890AA87BB6AF06200F1441E6D8486B213C3745A49CB46
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3635ad70ceccc76b2cdc70701eb943e6d14f837a8a88e8cc47a1532d6dbb73bd
                                                      • Instruction ID: f754666383e8075e7e792241e15e76810a14ddd2e38310d6428c85acc34c2c4d
                                                      • Opcode Fuzzy Hash: 3635ad70ceccc76b2cdc70701eb943e6d14f837a8a88e8cc47a1532d6dbb73bd
                                                      • Instruction Fuzzy Hash: 55518034B416059FDB44DFA8C951BBEBBB2FF44700F908166E9269B395CB34E902CB85
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: bfdf3c9c85db691868fdd9f4da5a6dd024d865641df51bcf4f1b19ab50d87374
                                                      • Instruction ID: 8c0b6b784c399b592ffba814b4a0667e1070f7a055f029b693dc5e7c67d3a140
                                                      • Opcode Fuzzy Hash: bfdf3c9c85db691868fdd9f4da5a6dd024d865641df51bcf4f1b19ab50d87374
                                                      • Instruction Fuzzy Hash: 4A51AD35B84205DFDB50DB68C805ABDBBB2FF44301F9481A6E909AB2A1C774FC10CB59
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3a13fdb948adedc19de1bd6316f06ab82c50bd692fd78083e89404fa09a258ff
                                                      • Instruction ID: 2a5c0372792a30c844dfcecd0e074c74e8575aa98b3beec45be0859800fbd072
                                                      • Opcode Fuzzy Hash: 3a13fdb948adedc19de1bd6316f06ab82c50bd692fd78083e89404fa09a258ff
                                                      • Instruction Fuzzy Hash: D851C0B4E052199FCF40CFA8D9809AEBBF2FF48310F6495A5E819E7305D730AA42CB54
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: cea6d948a68dbc43d3f3278a679950bb5cc1b53039a22a7eafbfd7b030a03ef9
                                                      • Instruction ID: a05257ef621ab0d0dbec92025b6af28da0c72fa60f45646a14ca190839138ebf
                                                      • Opcode Fuzzy Hash: cea6d948a68dbc43d3f3278a679950bb5cc1b53039a22a7eafbfd7b030a03ef9
                                                      • Instruction Fuzzy Hash: C051CF39A84205DFDB90CF58C805ABDBBB2FF44301F9481A6E909AB2A1C774FC50CB59
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a19f81919cebca9b251c8c8157de255ba8acef64079cde2b3d6bfaac2e0ace63
                                                      • Instruction Fuzzy Hash: EDD09238E00128CFDB60CF24C890F99F7B1AB49318F1480D9880EA3302C732AE82CF14
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b5c18eca14cba37bb3e6eeea07663577d0ed6f9ad96efbbdfe2348b3789cee96
                                                      • Instruction ID: 8aea201684aa25d8f1472aab9eb28f6e5f38a89c6fb834798c3a55546e8f9bdf
                                                      • Opcode Fuzzy Hash: b5c18eca14cba37bb3e6eeea07663577d0ed6f9ad96efbbdfe2348b3789cee96
                                                      • Instruction Fuzzy Hash: C1B092F755520062FA219250CC02BED56229BB4B48F684034ABD570750D629E1B2911A
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 6d8a9a71c50a016ca4415ba269ae8207455ced147cdc9fdb2b701a4b6a2dd28d
                                                      • Instruction ID: 78ee10f61c23f645d290d5314337fae72dfbd478a3498a2bc4cb76c6a56ee6a3
                                                      • Opcode Fuzzy Hash: 6d8a9a71c50a016ca4415ba269ae8207455ced147cdc9fdb2b701a4b6a2dd28d
                                                      • Instruction Fuzzy Hash: 63B012776D6200A26381E3684985E7A9901EFE9700BA0BC617B09500648424F8B9D11F
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: r%
                                                      • API String ID: 0-1142163115
                                                      • Opcode ID: c06b4c8285339c1106951c2af25dc46f2d6c27d8fdde08d7a731b7881fda2782
                                                      • Instruction ID: 16c99d1c5701fff898ba6cdf51dc7d9fcfa6658eabd54f532e7dec0905305900
                                                      • Opcode Fuzzy Hash: c06b4c8285339c1106951c2af25dc46f2d6c27d8fdde08d7a731b7881fda2782
                                                      • Instruction Fuzzy Hash: 08E10D74E042198FCB14DFA9C5909AEFBF2FF89305F24819AE419A7355D730A941CF61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: r%
                                                      • API String ID: 0-1142163115
                                                      • Opcode ID: e8a4a2774399f31f7ddcec35c663541c77672ee368b64718a74fb5e79074a40f
                                                      • Instruction ID: 03f0ca4abc78f85c3a2d191b28edc2cfc21f02069251081f0d97f34e15bf8b6e
                                                      • Opcode Fuzzy Hash: e8a4a2774399f31f7ddcec35c663541c77672ee368b64718a74fb5e79074a40f
                                                      • Instruction Fuzzy Hash: 1A51F974E042198BCB14DFA9C5805AEFBF2FF89305F24C1AAE419A7356D7319A41CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: dcc205e8522f6f6136f1bbf4588a8a4005fa7011774e710972d4042fa5dfc7d7
                                                      • Instruction ID: 599768151ca1c871d1575ad4cc501375d75bf1c4b42dedb7c7769ed27f7baea2
                                                      • Opcode Fuzzy Hash: dcc205e8522f6f6136f1bbf4588a8a4005fa7011774e710972d4042fa5dfc7d7
                                                      • Instruction Fuzzy Hash: 9EE1FB74E042198FCB14DFA9C5909AEFBF2FF89305F2481AAE419AB355D730A941CF61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 42426dfde5f2e47b26941937389a168196b0ece94fbfd040f22dd48856c06f29
                                                      • Instruction ID: bcb535363e1f590d961a215d96623df6614c0515afcfd71da84dfba7d9f0811a
                                                      • Opcode Fuzzy Hash: 42426dfde5f2e47b26941937389a168196b0ece94fbfd040f22dd48856c06f29
                                                      • Instruction Fuzzy Hash: 40E12D74E052198FCB14DFA8C5909AEFBF2FF89305F24819AE409A7356D730A941CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 439d73619f5cbaad2f852f33cdb0cd50fc10a3a9dab0d70e4e7d445f19bb019d
                                                      • Instruction ID: 4aace734cb5ecc30329f82ae7af235b40ed25ee1869bb82f76b4840486ed2678
                                                      • Opcode Fuzzy Hash: 439d73619f5cbaad2f852f33cdb0cd50fc10a3a9dab0d70e4e7d445f19bb019d
                                                      • Instruction Fuzzy Hash: F9E1FD74E042198FCB14DFA9C5809AEFBF2FF89305F24819AE419AB356D731A941CF61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 201bf674ac973c56f7705a7dc99d57442564e14b9c62322172bc5f177326454b
                                                      • Instruction ID: 91c23516fbe317467348a239504300afadd19cae33aad40d6d04935c4cbc5c50
                                                      • Opcode Fuzzy Hash: 201bf674ac973c56f7705a7dc99d57442564e14b9c62322172bc5f177326454b
                                                      • Instruction Fuzzy Hash: F7E10C74E002198FCB14DFA8C5909AEFBF2FF89305F24819AE419A7356D731A941CF61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2036177873.0000000002890000.00000040.00000800.00020000.00000000.sdmp, Offset: 02890000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_2890000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 3b2f139353aeabca3818d9b89a7c5a6266dd5688a8a3c28f50101206df14afe8
                                                      • Instruction ID: 11d8d5596051f21a8299bc0e91eca0e97a2c86ef3f6eeb0a690abb2e1291b672
                                                      • Opcode Fuzzy Hash: 3b2f139353aeabca3818d9b89a7c5a6266dd5688a8a3c28f50101206df14afe8
                                                      • Instruction Fuzzy Hash: 1DD1F731D20B5ADACB05EB64D990A9DB7B5FF95300F60879AE00937264EF706AC9CB41
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2042143108.0000000005DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05DC0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5dc0000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d45d00c39496722a4e5ff52f63ce9d15fbacbee6de84059b6f99081af16ba7d4
                                                      • Instruction ID: 53ab20186dda886587e16055f1935228ac381bf9ca1a28a1773f044cb4f2dc76
                                                      • Opcode Fuzzy Hash: d45d00c39496722a4e5ff52f63ce9d15fbacbee6de84059b6f99081af16ba7d4
                                                      • Instruction Fuzzy Hash: D1510A74E042198BCB14CFA9C5405AEFBF2FF89305F24C1AAD418A7355D7319A41CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Te]q$Te]q$Te]q$Te]q$Te]q$Te]q$Te]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-2237115325
                                                      • Opcode ID: 2f7bcfec1f55adea4317a33e8a2f212e261d8a56a642be645eff83abdfddffc7
                                                      • Instruction ID: 72871d147f20f21e9cc7d0e1c9d77c0846de66980a89241e5f1b79f9416479a4
                                                      • Opcode Fuzzy Hash: 2f7bcfec1f55adea4317a33e8a2f212e261d8a56a642be645eff83abdfddffc7
                                                      • Instruction Fuzzy Hash: E8F1C134B40208DFDB488FA8D959BAD7BE7BF88700FA04465E806DB794DE74AC41CB59
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: Te]q$Te]q$Te]q$Te]q$$]q$$]q
                                                      • API String ID: 0-3261640282
                                                      • Opcode ID: 3b028ebf40af3594a7dec75cd670eaaab57ea97c1ae6b6f4a45c022698251f80
                                                      • Instruction ID: c445dcd2214897baf28f27712b1d052bb6c64350a361356e7e974b3eb8934ab8
                                                      • Opcode Fuzzy Hash: 3b028ebf40af3594a7dec75cd670eaaab57ea97c1ae6b6f4a45c022698251f80
                                                      • Instruction Fuzzy Hash: 2EF10F30B44204DFDB448F6CE959BAD7BE6FF84700F6044A6E802EB795DA74AC41CB99
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4']q$4']q$4']q$4']q$4']q
                                                      • API String ID: 0-4248691736
                                                      • Opcode ID: 7cc9bdb9b6981ac10367759230097694e33854c9cb350c8ae35bd04a6b1855fa
                                                      • Instruction ID: 57b5a051050565fa594a6b4df76de5b678ab30e9ed641123fea7b7d8eec7a182
                                                      • Opcode Fuzzy Hash: 7cc9bdb9b6981ac10367759230097694e33854c9cb350c8ae35bd04a6b1855fa
                                                      • Instruction Fuzzy Hash: 9421B630B0010A9FCF0CEFA9E9519EE7BB6FF80704F0044A9C145AB265EF346A15CB92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000000.00000002.2041411066.0000000005B10000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B10000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_0_2_5b10000_tmjGCGOEGMinVPD.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: 4']q$4']q$4']q$4']q$4']q
                                                      • API String ID: 0-4248691736
                                                      • Opcode ID: f1adbf2d01634a9b7d6d47e20ddf9d7d600c4c49f464b7a71053b697bdf40528
                                                      • Instruction ID: 6bbcda1f231622831f42ccfac0e5298b6a26726679978977f4cafb3f620d9e8f
                                                      • Opcode Fuzzy Hash: f1adbf2d01634a9b7d6d47e20ddf9d7d600c4c49f464b7a71053b697bdf40528
                                                      • Instruction Fuzzy Hash: 9E216530B0010A9FCF0CEFA9E5519EE7BB6FFC0700F5044A98145A7265EF356A05CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:11.5%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:208
                                                      Total number of Limit Nodes:24
                                                      execution_graph: serialized node/edge list (208 nodes, 24 limit nodes) rooted at 11b0848. The only named API in the graph is GlobalMemoryStatusEx, called three times in succession at several nodes (11baa58, 11bb7fc, 11baa83, 11bdea0, 11bae85, 11baad4, 11ba5f8, 11ba5f4) and once at 11beb80, 11bf068 and 11bf0ae; all other nodes are unnamed addresses in the 11b0848-11bf0de and 66efb30-66efd6a ranges.

                                                      Control-flow Graph (graph rendering omitted)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-3723351465
                                                      • Opcode ID: 4c325f655a7c70350ed226f0740712bb18d6a507c6fd2e7b0a3414277849a250
                                                      • Instruction ID: 7c4cad7c314b60c7781bd45cd7f275eba5da1b431b4a7cb6cb5168f3b65f1e33
                                                      • Opcode Fuzzy Hash: 4c325f655a7c70350ed226f0740712bb18d6a507c6fd2e7b0a3414277849a250
                                                      • Instruction Fuzzy Hash: 4F323F31E1061ACFCB15EF78D89459DB7B6FF89300F10C6A9D449A7364EB70A986CB80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph rendering omitted)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q
                                                      • API String ID: 0-127220927
                                                      • Opcode ID: a86ae33a44fd13b00cbb3d91cca7cfa34d3f8543950cb07745f9045260991e02
                                                      • Instruction ID: 6753f77a54057a32dcf589587ef8b62a70fc1916f11884920c77f29544e1fdc8
                                                      • Opcode Fuzzy Hash: a86ae33a44fd13b00cbb3d91cca7cfa34d3f8543950cb07745f9045260991e02
                                                      • Instruction Fuzzy Hash: 3C02BF30B012069FDB58DFA8D990AAEB7E6FF84304F148529D415EB395DB35EC46CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph rendering omitted)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $
                                                      • API String ID: 0-3993045852
                                                      • Opcode ID: bca93387104430776b942b80adee2dc57019abed2526bd616fabf2ab8525b7b3
                                                      • Instruction ID: b9c329990a6e820ade2c8b5a9be51bc0b82fa9ccab55ff8c79e5ccdb91f32e78
                                                      • Opcode Fuzzy Hash: bca93387104430776b942b80adee2dc57019abed2526bd616fabf2ab8525b7b3
                                                      • Instruction Fuzzy Hash: A122E175E012159FDF64DFA4C4806AEBBF2EF84328F208469D45AAB344DB36DC42CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: d28dd3757056fe1c2c5f6396c6dce75c34277f7450022b93bad387b195a48f6a
                                                      • Instruction ID: 888e391368b35a4edd05ced371c252bf7c0f99b1a928924164bccd87cf205498
                                                      • Opcode Fuzzy Hash: d28dd3757056fe1c2c5f6396c6dce75c34277f7450022b93bad387b195a48f6a
                                                      • Instruction Fuzzy Hash: 61328B30B012099FDB54DF68E990BAEB7B6FB88314F108525E419EB394DB35EC46CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 19dfeb149300a97e4950eb53087b1f229e3a5642f7b8c22d09bb57617ee2a03d
                                                      • Instruction ID: 47f87b244c1d3f6d194cd21b4f3bff8414be554572b8ffd45015aa16931cbdd6
                                                      • Opcode Fuzzy Hash: 19dfeb149300a97e4950eb53087b1f229e3a5642f7b8c22d09bb57617ee2a03d
                                                      • Instruction Fuzzy Hash: 50227130E112099FDF64CF68D6907AEB7B6FB85310F208826E459EB395DA34DC85CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph rendering omitted)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-1273862796
                                                      • Opcode ID: 9be4ecd33ce4ef126f5dced708a5c6bb5f8c1d54163df8a6b99e3147f10bf18f
                                                      • Instruction ID: 748bc3f435107f3c1f784b75a2e6cbaa19349a26a1be1d4d1af29a5abc15828d
                                                      • Opcode Fuzzy Hash: 9be4ecd33ce4ef126f5dced708a5c6bb5f8c1d54163df8a6b99e3147f10bf18f
                                                      • Instruction Fuzzy Hash: 92E17F30E1120A8FCB69DFA9D5906AEB7B6FF84304F208569D409EB354DB35EC46CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph rendering omitted)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-3723351465
                                                      • Opcode ID: 8bd4248025b50b6cd0cc271629af307fa9c669ed5b56cf6abe1efdf84a8f21e5
                                                      • Instruction ID: 72b3d2afa398b0960215887f83c91a78b8a4c61e08c7978a697760d3d838293a
                                                      • Opcode Fuzzy Hash: 8bd4248025b50b6cd0cc271629af307fa9c669ed5b56cf6abe1efdf84a8f21e5
                                                      • Instruction Fuzzy Hash: 5F026C30E112098FDFA4CB68D6906AEB7B6FF45314F10892AD459EB355DB34EC86CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph rendering omitted)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q
                                                      • API String ID: 0-858218434
                                                      • Opcode ID: 1ad79b4ce03647f5c5d3c024efaae1a47c934d08f5416abf7a414ed2cd5b6520
                                                      • Instruction ID: eeb798b0bf15d086e2ef4f0f5249db967712ac033eca69885cf2fd4d66a90085
                                                      • Opcode Fuzzy Hash: 1ad79b4ce03647f5c5d3c024efaae1a47c934d08f5416abf7a414ed2cd5b6520
                                                      • Instruction Fuzzy Hash: F1916F70B1120A9FDB54DF69D850BAEB7F6BF85304F108569D809EB398EB30DC468B91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph (graph rendering omitted)
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q
                                                      • API String ID: 0-182748909
                                                      • Opcode ID: 5a99ca60118a745db1e64e625b1fa8383248860665db799c0e9943c83045bb30
                                                      • Instruction ID: 7cd3f962c065d51024f409650c1c544011ecf57a3a4658acdb5b533dd8289cc8
                                                      • Opcode Fuzzy Hash: 5a99ca60118a745db1e64e625b1fa8383248860665db799c0e9943c83045bb30
                                                      • Instruction Fuzzy Hash: 596220306402068FCB55EF68E580A5DB7B6FF85304F208A69D015DF369EB75ED4ACB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

Control-flow Graph

• Function at 66e4c78: basic blocks 66e4c78 through 66e53c3; calls 66e5521.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: fbq$XPbq$\Obq
                                                      • API String ID: 0-4057264190
                                                      • Opcode ID: d7d2d09c316108891cb8482dc8e6a7a9614088ca887ea465d9a1ba7c38ba7ef2
                                                      • Instruction ID: e3021d88809ae834e1e2cffeec7656c7709ae61ab404b392adc79e466cfd0dfd
                                                      • Opcode Fuzzy Hash: d7d2d09c316108891cb8482dc8e6a7a9614088ca887ea465d9a1ba7c38ba7ef2
                                                      • Instruction Fuzzy Hash: 89615C30F002199FEB54DFB4C8547AEBAF6FF88704F208529D10AAB395DB758C458B91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

Control-flow Graph

• Function at 66e923e: basic blocks 66e923e through 66e9b77; no calls to other functions.
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q
                                                      • API String ID: 0-127220927
                                                      • Opcode ID: c5ed39b31c8690d7e5e3eaefa449df5db10429d53511d4f54c4b483e39dd1868
                                                      • Instruction ID: f495e2719c8b1cc45aa0052d8573dce1fdb3996ef1ba701049e7ca5aab85d2c6
                                                      • Opcode Fuzzy Hash: c5ed39b31c8690d7e5e3eaefa449df5db10429d53511d4f54c4b483e39dd1868
                                                      • Instruction Fuzzy Hash: 87514071B111069FDB55DB78D890BAEB7F6BFC5304F108569D809DB398EA30DC068B92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

Control-flow Graph

• Function at 66e4c68: basic blocks 66e4c68 through 66e53c3; calls 66e5521 (same body as the function at 66e4c78, entered 0x10 bytes earlier).
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: fbq$XPbq
                                                      • API String ID: 0-2292610095
                                                      • Opcode ID: 7a5554c56570a494228a6ea263eebe4e036fb018720f3ec9c8481d76a9ea14c7
                                                      • Instruction ID: ed8bbdfb0590a76ebf23fe30e13234db8f0150ab9e9c73791c482f71e2c7f343
                                                      • Opcode Fuzzy Hash: 7a5554c56570a494228a6ea263eebe4e036fb018720f3ec9c8481d76a9ea14c7
                                                      • Instruction Fuzzy Hash: 06515D30F006099FDB54DFA9C854BAEBAF6FF88700F208529D11AAB395DA759C01CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

Control-flow Graph

• Function at 11bef90: basic blocks 11bef90 through 11bf10d; calls 11beb80. GlobalMemoryStatusEx is invoked in block 11bf04f-11bf0dc.
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2051493124.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_11b0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a2fdee692787dfa12737d67c9d4518a83f5f2522ffce255c6e5ad0fd531bb72b
                                                      • Instruction ID: 9452a009650a5c59b272a4763005cd40d37692a9e115aaf573ac1ce8e72db26e
                                                      • Opcode Fuzzy Hash: a2fdee692787dfa12737d67c9d4518a83f5f2522ffce255c6e5ad0fd531bb72b
                                                      • Instruction Fuzzy Hash: B9413371D0434A9FCB14DFB9D8446EEBBF6EF89310F04856AD508A7241EB789881CBE0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

Control-flow Graph

• Function at 11beb80: basic blocks 11beb80 through 11bf10d. GlobalMemoryStatusEx is invoked in block 11beb80-11bf0dc.
                                                      APIs
                                                      • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,011BEFE2), ref: 011BF0CF
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2051493124.00000000011B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011B0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_11b0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemoryStatus
                                                      • String ID:
                                                      • API String ID: 1890195054-0
                                                      • Opcode ID: bf66c9e8ad50696e299be29bd04460a01d570c2d0a3e7e93674b0c5b9a4bb83d
                                                      • Instruction ID: fb65d7f7bb30566242d2263ce86cb12617dd27ffee11fd4d2bf4acf5a907adf6
                                                      • Opcode Fuzzy Hash: bf66c9e8ad50696e299be29bd04460a01d570c2d0a3e7e93674b0c5b9a4bb83d
                                                      • Instruction Fuzzy Hash: 7F1103B1C0065A9BCB14DF9AC9446EEFBF4EF48310F11816AE918B7250D778A944CFE1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%
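The function above calls GlobalMemoryStatusEx from a memory region of RegSvcs.exe that is not backed by a PE image (process 8, region 011B0000), i.e. from injected or unpacked code. Evasion loaders commonly use this call to read ullTotalPhys and abort when the host has less RAM than a typical workstation, which is consistent with the AntiVM verdict in the signature list, although the dump does not show the threshold this sample compares against. The following is an added example, not code from the sample or from Joe Sandbox: it decodes the 64-byte MEMORYSTATUSEX structure (useful when the buffer is carved from a dump such as this one), applies an assumed 4 GiB threshold, and, on Windows only, issues the real call. The threshold, the field values in the constructed sample buffers and the helper names are this example's assumptions.

```python
import ctypes
import struct
import sys

# Win32 MEMORYSTATUSEX as filled in by GlobalMemoryStatusEx (kernel32 -> kernelbase):
# DWORD dwLength, DWORD dwMemoryLoad, then seven DWORDLONG fields; 64 bytes, little-endian.
MEMORYSTATUSEX_FMT = "<IIQQQQQQQ"
MEMORYSTATUSEX_SIZE = struct.calcsize(MEMORYSTATUSEX_FMT)  # 64
MEMORYSTATUSEX_FIELDS = (
    "dwLength", "dwMemoryLoad", "ullTotalPhys", "ullAvailPhys",
    "ullTotalPageFile", "ullAvailPageFile", "ullTotalVirtual",
    "ullAvailVirtual", "ullAvailExtendedVirtual",
)

# Assumption for this example: treat less than 4 GiB of physical RAM as "analysis VM".
# The sample's own threshold is not visible in the report.
SMALL_VM_THRESHOLD = 4 * 1024 ** 3


def parse_memorystatusex(buf: bytes) -> dict:
    """Decode a raw MEMORYSTATUSEX buffer, e.g. one carved from a process memory dump."""
    if len(buf) < MEMORYSTATUSEX_SIZE:
        raise ValueError(f"need {MEMORYSTATUSEX_SIZE} bytes, got {len(buf)}")
    rec = dict(zip(MEMORYSTATUSEX_FIELDS, struct.unpack_from(MEMORYSTATUSEX_FMT, buf)))
    # The caller must store sizeof(MEMORYSTATUSEX) in dwLength before the call; the API
    # fails otherwise, so a buffer without 64 here was never filled in by the API.
    if rec["dwLength"] != MEMORYSTATUSEX_SIZE:
        raise ValueError(f"dwLength is {rec['dwLength']}, expected {MEMORYSTATUSEX_SIZE}")
    return rec


def looks_like_small_vm(total_phys: int, threshold: int = SMALL_VM_THRESHOLD) -> bool:
    """The comparison a RAM-size evasion check makes on ullTotalPhys."""
    return total_phys < threshold


def query_memorystatusex() -> dict:
    """Issue the real GlobalMemoryStatusEx call; Windows only."""
    if sys.platform != "win32":
        raise OSError("GlobalMemoryStatusEx is a Windows API")
    buf = ctypes.create_string_buffer(MEMORYSTATUSEX_SIZE)
    struct.pack_into("<I", buf, 0, MEMORYSTATUSEX_SIZE)  # dwLength
    if not ctypes.windll.kernel32.GlobalMemoryStatusEx(buf):
        raise ctypes.WinError()
    return parse_memorystatusex(buf.raw)


def build_sample(total_phys: int, avail_phys: int, load_pct: int) -> bytes:
    """Constructed buffer shaped like a filled-in MEMORYSTATUSEX (not taken from the dump)."""
    page_file = total_phys * 2
    return struct.pack(
        MEMORYSTATUSEX_FMT, MEMORYSTATUSEX_SIZE, load_pct, total_phys, avail_phys,
        page_file, page_file - (total_phys - avail_phys),
        0x7FFE0000, 0x7A000000, 0,  # 32-bit process virtual space, as for RegSvcs.exe here
    )


# Constructed inputs: a 2 GiB analysis VM and a 16 GiB workstation.
SAMPLE_VM_2GIB = build_sample(2 * 1024 ** 3, 1300 * 1024 ** 2, 37)
SAMPLE_HOST_16GIB = build_sample(16 * 1024 ** 3, 9 * 1024 ** 3, 44)


def verdict(buf: bytes) -> tuple:
    """(total physical memory in GiB, whether a < 4 GiB check would flag this host)."""
    rec = parse_memorystatusex(buf)
    return rec["ullTotalPhys"] // 1024 ** 3, looks_like_small_vm(rec["ullTotalPhys"])


if __name__ == "__main__":
    for name, sample in (("vm", SAMPLE_VM_2GIB), ("host", SAMPLE_HOST_16GIB)):
        print(name, verdict(sample))
    if sys.platform == "win32":
        print("this host", verdict(struct.pack(MEMORYSTATUSEX_FMT,
              *[query_memorystatusex()[f] for f in MEMORYSTATUSEX_FIELDS])))
```

When reproducing this sample in a sandbox, the practical consequence is that the guest should be provisioned with at least as much RAM as the threshold such checks use, or the GlobalMemoryStatusEx result should be patched in the guest, otherwise the payload stage that the report attributes to RegSvcs.exe may never run.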

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PH]q
                                                      • API String ID: 0-3168235125
                                                      • Opcode ID: 4baa0f9b70705b47f9ed06aa21d46d16b7a3d5afea2075c2508865c0197110a3
                                                      • Instruction ID: a806bccfd9416e8f62f8252448559b3e1af0c1425882ca697e72f09942dfe404
                                                      • Opcode Fuzzy Hash: 4baa0f9b70705b47f9ed06aa21d46d16b7a3d5afea2075c2508865c0197110a3
                                                      • Instruction Fuzzy Hash: F4410130E0174ADFCB65CFA4D84069EBBB6BF85344F20452AE405EB344EBB0D846CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PH]q
                                                      • API String ID: 0-3168235125
                                                      • Opcode ID: 8029dc9e4ec53f38f37bb77318826c04a31d37fe529b0efd49dae8a0b449a75a
                                                      • Instruction ID: 93b1e90a1c503fde789386e6f584af3a7db485d134d5287783523b72e4a47c1b
                                                      • Opcode Fuzzy Hash: 8029dc9e4ec53f38f37bb77318826c04a31d37fe529b0efd49dae8a0b449a75a
                                                      • Instruction Fuzzy Hash: 8F31FE30B002069FDB58AB74D46466E7BEBAF89640F204438D406DB398EF35DD46CBA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 60e4f4d6ebbe8b15b279259f6c2855d8b7a3f30b6bfd38200404397176da8caa
                                                      • Instruction ID: 7bf9805d3282eb5754236138921d187bc67b10699af5396d2728c6ffb0d83284
                                                      • Opcode Fuzzy Hash: 60e4f4d6ebbe8b15b279259f6c2855d8b7a3f30b6bfd38200404397176da8caa
                                                      • Instruction Fuzzy Hash: 38023434A012048FCBA4DBA4C594A9DBBF7FF44314F5484A9D41AAB365EB35ED46CF80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 77f0161ddda5f05bf12a207b21788e4d328d16196681522c009ab4ac459761d3
                                                      • Instruction ID: 29e50847dfcc91e224ba7597e7edb0776562548dceebab4ce3d257fed08414b9
                                                      • Opcode Fuzzy Hash: 77f0161ddda5f05bf12a207b21788e4d328d16196681522c009ab4ac459761d3
                                                      • Instruction Fuzzy Hash: 3FA18B30A01204DFCB64DBA8D554A9EBBF2FF84354F188568E419EB394DB35ED46CB80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: c2b3cff41829b5dd66d1be1b27329490832fa441ef00a85c0ba6e919cf5c1a3a
                                                      • Instruction ID: f42e65dee387157f06eedb77240181cd2ad708e82794d4f9ddb77e3d526dc0aa
                                                      • Opcode Fuzzy Hash: c2b3cff41829b5dd66d1be1b27329490832fa441ef00a85c0ba6e919cf5c1a3a
                                                      • Instruction Fuzzy Hash: DC61AF71F000214BDF64AA6AC88065FBADBAFA4224B254479D80EDB364EEB5DD0287D1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 543d498bbbf44fe00e9fa19753b4cea3d879467ef631aba71beb85549a09c2f1
                                                      • Instruction ID: 2eb5447d9ef49d2ce2a5832992ca0cd3694865f73a457ffaa8ee2ba394f6de83
                                                      • Opcode Fuzzy Hash: 543d498bbbf44fe00e9fa19753b4cea3d879467ef631aba71beb85549a09c2f1
                                                      • Instruction Fuzzy Hash: 0C814B30B012099FDB54DFB9D4546AEB7F7AF89304F108529D40AEB394EE74EC468B92
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 9bd20546a8bdf0a52f1dabd95238ca9024c1c30bd30e6351885597c2a155b4e8
                                                      • Instruction ID: cb6093fa1ddfd88f06e7c5a9d059158d5d42ff7f5d1f3ffbdc210c10f17dfca2
                                                      • Opcode Fuzzy Hash: 9bd20546a8bdf0a52f1dabd95238ca9024c1c30bd30e6351885597c2a155b4e8
                                                      • Instruction Fuzzy Hash: 89914B30E1021A8FDF64DFA8C890B99B7B1FF89310F208595D449BB395DB70AA85CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 738f3aff8f748310922aa75327bf38a5e920870279861cb4446474c32fcf7c40
                                                      • Instruction ID: 33b82befd004c80ea40d70cd819cddda0326d46041c29c4ed6fedec5dfdfe15e
                                                      • Opcode Fuzzy Hash: 738f3aff8f748310922aa75327bf38a5e920870279861cb4446474c32fcf7c40
                                                      • Instruction Fuzzy Hash: 5B914D30E1021A8BDF64DF68C890B9DB7B1FF89314F208599D549BB394DB70AA85CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4173f9fe760abd5ddd01d079895b09c8eb157b28b45976a5e15f095d1e383c29
                                                      • Instruction ID: 65f7ca0ba6b50e60ec418275aed5fa55ce35ce2f502ebb40299ffa52ffdda434
                                                      • Opcode Fuzzy Hash: 4173f9fe760abd5ddd01d079895b09c8eb157b28b45976a5e15f095d1e383c29
                                                      • Instruction Fuzzy Hash: FE713C30A012099FDB58DFA9D980A9EBBF6FF88304F148429D419EB355DB31ED46CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 11a5efffc6c69f6e5e76adf60dccf317978ef0ae454e292a2039bc776c90aef4
                                                      • Instruction ID: 34cc48e80b52cf48bacfa36aef367e9ae4d3bfefc99386f5395c399289c14b7b
                                                      • Opcode Fuzzy Hash: 11a5efffc6c69f6e5e76adf60dccf317978ef0ae454e292a2039bc776c90aef4
                                                      • Instruction Fuzzy Hash: FD710930A012099FDB58DFA9D990AAEBBF6FF88304F148429D419EB355DB31ED46CB50
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 8a90f41cb559351fa4a7960083bf28b753c5993c949b9de01b3a5f0b835eb917
                                                      • Instruction ID: f9ac146cf082dc590e8a03d3c0896a11cf89fb66355285277557ee080df3ac0e
                                                      • Opcode Fuzzy Hash: 8a90f41cb559351fa4a7960083bf28b753c5993c949b9de01b3a5f0b835eb917
                                                      • Instruction Fuzzy Hash: 6651F770F112049FEFA4566CE99476F369FDB89710F204826E90AC73E9DA3CCC4583A2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 98f66ed87ff51652ac49dd62e271e1f46af2db41f9f0611875f61b5dbdc68d37
                                                      • Instruction ID: 1d28be8b270dc1129c18c142eecab98424338a4eb97b035d23a5975f36e653d8
                                                      • Opcode Fuzzy Hash: 98f66ed87ff51652ac49dd62e271e1f46af2db41f9f0611875f61b5dbdc68d37
                                                      • Instruction Fuzzy Hash: 5E51C870F102059FEFA4566CE99476F265FDB89710F204826E90AC73D9DA7CCC458392
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: b1eaba89fa56e18dc435e97466bc0114de4fc935328a3f8e6207bb4d7031f6f2
                                                      • Instruction ID: 050da1215cf679f90415e531b2fc4657ce1ddaf9703e9471c4a0d226ed79e8ec
                                                      • Opcode Fuzzy Hash: b1eaba89fa56e18dc435e97466bc0114de4fc935328a3f8e6207bb4d7031f6f2
                                                      • Instruction Fuzzy Hash: 6751C474E112059FDF748A69C8C0B7EBBB2EB45318F24882AD45BDB381C636E852CB51
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-2843079600
                                                      • Opcode ID: 66bcbce813ca62aff64d4c87ec231f5aa674cba449d9bf4f084480012a96b8ae
                                                      • Instruction ID: c2e831b3c6e516912d29df906b718b1a131b21609c0f39dc6f3ebc5567b458dc
                                                      • Opcode Fuzzy Hash: 66bcbce813ca62aff64d4c87ec231f5aa674cba449d9bf4f084480012a96b8ae
                                                      • Instruction Fuzzy Hash: 09124230E01619CFDB68DF69D994A9EBBF6BF88304F208569D409AB354DB309D46CF81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%
                                                      • Opcode Fuzzy Hash: bba07e182bfa780f42c06bf825a2af328f0789057ea88ac5ad1dcc1a7b8d5854
                                                      • Instruction Fuzzy Hash: AF518F30A122059FCFA9DBA8E980AAEB7B6FF88314F148569E405D7354DB35DC46CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 00000008.00000002.2057182332.00000000066E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_8_2_66e0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LR]q$LR]q$$]q$$]q
                                                      • API String ID: 0-3527005858
                                                      • Opcode ID: aef072b973ae9fa696dca76c5745130398a96fe106e00ad5602210252744783d
                                                      • Instruction ID: d21647d07f6b3be97e2b5a7ef49c6ee69a27d2e8ce0c74058c6d554e3e3a74b4
                                                      • Opcode Fuzzy Hash: aef072b973ae9fa696dca76c5745130398a96fe106e00ad5602210252744783d
                                                      • Instruction Fuzzy Hash: DE51A130B012059FDB58DF6CD990A6AB7E6FF88304F14856CE4169B3A9EB30EC45CB95
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:12.2%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:185
                                                      Total number of Limit Nodes:11

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05F67CEE
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: 2d34a2113e1fdf7f69ea30f5776b9cfe28e16962b8f1c70e90d34537cdbf2101
                                                      • Instruction ID: e336ed65a9d042b475812e28be12c2e519c7bf970ac3e19d4a9ce229a59c641b
                                                      • Opcode Fuzzy Hash: 2d34a2113e1fdf7f69ea30f5776b9cfe28e16962b8f1c70e90d34537cdbf2101
                                                      • Instruction Fuzzy Hash: 60918D71D01219CFDB24EF68C845BEDBBB2FF48318F148569E809A7284DB789985CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05F67CEE
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: CreateProcess
                                                      • String ID:
                                                      • API String ID: 963392458-0
                                                      • Opcode ID: da4a12f9c55c6597d4ab90d7c0167713193895dc955936d9a15896037b6b45b2
                                                      • Instruction ID: c95c5d012884d96d313c535c20725fc0573bc886993c5dac1a17d7853699ea8a
                                                      • Opcode Fuzzy Hash: da4a12f9c55c6597d4ab90d7c0167713193895dc955936d9a15896037b6b45b2
                                                      • Instruction Fuzzy Hash: A9918D71D01219CFDB24EF68C844BEDBBB2FF48318F148569E819A7284DB789985CF91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 010E5D59
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2071270036.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_10e0000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 62bcf501a02d085694b73a1ecd34e7646f6e770f88662d2f7e28d08cb8f12a79
                                                      • Instruction ID: 7f8c5854ebb97758f59260c0ea63020ac8a491836999d42d831ac8755a7d6827
                                                      • Opcode Fuzzy Hash: 62bcf501a02d085694b73a1ecd34e7646f6e770f88662d2f7e28d08cb8f12a79
                                                      • Instruction Fuzzy Hash: 6F4102B0C00619CEDB25DFAAC888BDDBBF5BF48304F20805AD409AB255DB766946CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • CreateActCtxA.KERNEL32(?), ref: 010E5D59
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2071270036.00000000010E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010E0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_10e0000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: Create
                                                      • String ID:
                                                      • API String ID: 2289755597-0
                                                      • Opcode ID: 991531c664219cf327a5bc648fa077f4fca00df855c8d22481b77939435dee2b
                                                      • Instruction ID: 355c91631861d7494e4bbc3c06c3d34f1f0280013d24eae17cef177e510331dd
                                                      • Opcode Fuzzy Hash: 991531c664219cf327a5bc648fa077f4fca00df855c8d22481b77939435dee2b
                                                      • Instruction Fuzzy Hash: 7841FFB0C00719CEDB24DFAAC848B8EBBF5BF48304F20806AD409AB251DB756946CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05F678C0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: 4c4d6787f298497e7ad5e3382ac2eb8f154b208b16d2cf12a126f4248e166149
                                                      • Instruction ID: 07edc33d4184dc3f257d25e33cfa087035916092698494570e7e1a00eb2a59ad
                                                      • Opcode Fuzzy Hash: 4c4d6787f298497e7ad5e3382ac2eb8f154b208b16d2cf12a126f4248e166149
                                                      • Instruction Fuzzy Hash: 152139B5D003099FCB10DFA9C885BEEBBF5FF48314F108429E919A7240D778A945CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05F678C0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessWrite
                                                      • String ID:
                                                      • API String ID: 3559483778-0
                                                      • Opcode ID: cab541c8573a3cc7fa89558aeb2a58aebb80b099668cfef2c5533ac37aa80b09
                                                      • Instruction ID: 9f72861ec2a45d327ea976b43fbae1f98b21b511954f03fc3fcc87cd9f243c34
                                                      • Opcode Fuzzy Hash: cab541c8573a3cc7fa89558aeb2a58aebb80b099668cfef2c5533ac37aa80b09
                                                      • Instruction Fuzzy Hash: 5D2119B5D003499FCB10DFA9C885BEEBBF5FF48314F108429E919A7250D778A945CBA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05F679A0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: f39716d3f4b1b80556f025b5e5d07e26378a4a1855a37c5b4a553eb6832b028d
                                                      • Instruction ID: 518657819c9e6a242611ee41bb6a91ec934ceeb90b645e544255da5c2253248b
                                                      • Opcode Fuzzy Hash: f39716d3f4b1b80556f025b5e5d07e26378a4a1855a37c5b4a553eb6832b028d
                                                      • Instruction Fuzzy Hash: 192119B1C002499FCB10DFAAC845AEEFBF5FF48310F508429E959A7250D7389945CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05F672DE
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: 34cd487023c71133ccb7b730d6d0041f131e6310efa5d8b95f20499cbaacdb61
                                                      • Instruction ID: acda626bf4d7602e27a306680dd6b40f693ea7e2d1e6056a0bf9e02ec65e1455
                                                      • Opcode Fuzzy Hash: 34cd487023c71133ccb7b730d6d0041f131e6310efa5d8b95f20499cbaacdb61
                                                      • Instruction Fuzzy Hash: 7C2137B1D002099FDB10DFAAC585BEEBBF4FF48314F14842AE419A7240CB789945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      APIs
                                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05F679A0
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: MemoryProcessRead
                                                      • String ID:
                                                      • API String ID: 1726664587-0
                                                      • Opcode ID: 638181c48a81d6076765407bd1719584fcbac99a1b0f080e813495596f67cea3
                                                      • Instruction ID: 83ef2beb0282edb4efbb021114a7bec53657f6c7a7061c6a822df2a2b6307aae
                                                      • Opcode Fuzzy Hash: 638181c48a81d6076765407bd1719584fcbac99a1b0f080e813495596f67cea3
                                                      • Instruction Fuzzy Hash: D12139B1C003499FCB10DFAAC841AEEFBF5FF48310F108429E519A7250C7389541CBA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 715 5f67260-5f672ab 717 5f672ad-5f672b9 715->717 718 5f672bb-5f672eb Wow64SetThreadContext 715->718 717->718 720 5f672f4-5f67324 718->720 721 5f672ed-5f672f3 718->721 721->720
                                                      APIs
                                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 05F672DE
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: ContextThreadWow64
                                                      • String ID:
                                                      • API String ID: 983334009-0
                                                      • Opcode ID: 63b0837f2206da7e87e543301320474c11c2ff4bad2c4ab98deacdfc709c3a46
                                                      • Instruction ID: 7f54c3f3cb5e0452d1d46d359fb68c693b7f8401ac64c3911895e263b9556dde
                                                      • Opcode Fuzzy Hash: 63b0837f2206da7e87e543301320474c11c2ff4bad2c4ab98deacdfc709c3a46
                                                      • Instruction Fuzzy Hash: F52104B1D002098FDB10DFAAC585BAEBBF4FF48314F14842AE519A7240CB78A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05F677DE
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: 4cbcfb35f8aaab85c1d997ce4b6432f65b464daa1c14a7ff547472df6d63929e
                                                      • Instruction ID: 54690fc809e89f0707f865f727530261bab9151eb8d26c66a82e951e8c642955
                                                      • Opcode Fuzzy Hash: 4cbcfb35f8aaab85c1d997ce4b6432f65b464daa1c14a7ff547472df6d63929e
                                                      • Instruction Fuzzy Hash: 141156768002499FCB10DFAAC945BEEBBF5FF48314F208819E519A7250CB39A940CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: 7e1cf2106851b10e6f762b046ab7ed48f5552d16378e97250e2126fdf5d82106
                                                      • Instruction ID: f359b49972493f6ede94dd5a66aac48741a6cd3841ed843c18182f604ae515a4
                                                      • Opcode Fuzzy Hash: 7e1cf2106851b10e6f762b046ab7ed48f5552d16378e97250e2126fdf5d82106
                                                      • Instruction Fuzzy Hash: 871158B1D002098FDB10DFAAC4457AEFBF8EF88324F248419D419A7240CB39A945CBA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05F677DE
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: AllocVirtual
                                                      • String ID:
                                                      • API String ID: 4275171209-0
                                                      • Opcode ID: ca67e01b9ca1d62c7ed2da612e10f4fc4b97db9d50eadbe09bdb1e29a3968ab4
                                                      • Instruction ID: 3684f0fba7463dbc1d97387cff053b911eaf0b41d2f73cd4cf13df5491d4c57b
                                                      • Opcode Fuzzy Hash: ca67e01b9ca1d62c7ed2da612e10f4fc4b97db9d50eadbe09bdb1e29a3968ab4
                                                      • Instruction Fuzzy Hash: 641126758002499FCB10DFAAC945AEEBBF5EF48314F208819E519A7250CB79A540CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: ResumeThread
                                                      • String ID:
                                                      • API String ID: 947044025-0
                                                      • Opcode ID: dbf30333b5624c49212bd1a515875e420b195aa603f3b0168d9658e835649048
                                                      • Instruction ID: bb20bbe3e6663837ba112d0355cf80074f5e0584d89abc7ac9e93616edadcf12
                                                      • Opcode Fuzzy Hash: dbf30333b5624c49212bd1a515875e420b195aa603f3b0168d9658e835649048
                                                      • Instruction Fuzzy Hash: A31125B1D002498FCB20DFAAC4457AEFBF9EF88324F208419D519A7240CB79A945CBA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 05F6B9ED
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: 707b0654379becb81088d9d5152c8d4b27966468b4d27e4b9e68388dedc1aad7
                                                      • Instruction ID: f37266747f48e87393390bf0766c4ef8bf7bcff0eda504912819c5634b9ab680
                                                      • Opcode Fuzzy Hash: 707b0654379becb81088d9d5152c8d4b27966468b4d27e4b9e68388dedc1aad7
                                                      • Instruction Fuzzy Hash: 2C1103B58043499FDB10DF9AD485BDEFBF8FB48310F10841AE958A7240C379A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 05F6B9ED
                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2077019943.0000000005F60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F60000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_5f60000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID: MessagePost
                                                      • String ID:
                                                      • API String ID: 410705778-0
                                                      • Opcode ID: f2ce4b96aaa05b3a8a955d067105b33d293c20211a0eb0fd9900dc8d10cc7f74
                                                      • Instruction ID: 1da4761b4791e520d530665f4a485012c2e477dfe97339d4abfc0e0553eed9af
                                                      • Opcode Fuzzy Hash: f2ce4b96aaa05b3a8a955d067105b33d293c20211a0eb0fd9900dc8d10cc7f74
                                                      • Instruction Fuzzy Hash: 3911FEB98003499FDB10DF99D985BDEFBF8FB08314F24881AE558A3250C378A644CFA0
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2070108773.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_108d000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 237130d4836ed8f2f9908b1ed3ea5b0c5aa7b718c27a4d4edb1fdc885ba031d2
                                                      • Instruction ID: b5f0df6c4fd2555c7db5054f1821f4e4822bd555645ea2750c141a575a427aad
                                                      • Opcode Fuzzy Hash: 237130d4836ed8f2f9908b1ed3ea5b0c5aa7b718c27a4d4edb1fdc885ba031d2
                                                      • Instruction Fuzzy Hash: 3D319175509380DFD712CF24C594711BF70AF46214F1886EED9888B2A3C33A940ACBA2
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2070108773.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_108d000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: a431151887f549f073e79d8ae65d3b5a48de7d275c11e480dee969712a8624b5
                                                      • Instruction ID: 2becd2d56e248252e0642fac79f266a5a47bf7db76a347e411e23756be97e9ab
                                                      • Opcode Fuzzy Hash: a431151887f549f073e79d8ae65d3b5a48de7d275c11e480dee969712a8624b5
                                                      • Instruction Fuzzy Hash: 5B21D371508204AFDF05EF68D980B16BBA5EF84314F20C6A9D9894B296C73AD846CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2070108773.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_108d000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 317f16ade4885b92fabb12a9d5a6c2ec39801a226a6f00563996593e7f11c2a2
                                                      • Instruction ID: ea722cb867f6cbae5e87bfe7c9b51a54bce5c2866f9bb7b30a5476e08fa36ee5
                                                      • Opcode Fuzzy Hash: 317f16ade4885b92fabb12a9d5a6c2ec39801a226a6f00563996593e7f11c2a2
                                                      • Instruction Fuzzy Hash: C721F871508204EFDB05EF54D5C0B19BFA5FB94314F24C6ADD9C94B292C33AD406CB61
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 00000009.00000002.2070108773.000000000108D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0108D000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_9_2_108d000_IeagOAdQiUHWi.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction ID: 5038caf8a7b038f92ff988300394d36f141f9a733c746ac026cf2fc3791d120a
                                                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                      • Instruction Fuzzy Hash: 0111DD75508280DFDB06DF54D5C4B15BFB2FB84314F24C6A9D8894B293C33AD40ACB62
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Execution Graph

                                                      Execution Coverage:10.5%
                                                      Dynamic/Decrypted Code Coverage:100%
                                                      Signature Coverage:0%
                                                      Total number of Nodes:161
                                                      Total number of Limit Nodes:25
                                                      execution_graph 36514 13a0848 36516 13a084e 36514->36516 36515 13a091b 36516->36515 36520 68620f8 36516->36520 36524 6862108 36516->36524 36528 13a1390 36516->36528 36521 6862108 36520->36521 36534 68618d4 36521->36534 36525 6862117 36524->36525 36526 68618d4 3 API calls 36525->36526 36527 6862138 36526->36527 36527->36516 36530 13a139b 36528->36530 36529 13a14a8 36529->36516 36530->36529 36609 13a7fa8 36530->36609 36614 13a7e81 36530->36614 36618 13a7e90 36530->36618 36535 68618df 36534->36535 36538 6863034 36535->36538 36537 6863abe 36537->36537 36539 686303f 36538->36539 36540 68641e4 36539->36540 36542 6865e68 36539->36542 36540->36537 36543 6865e89 36542->36543 36544 6865ead 36543->36544 36546 6866018 36543->36546 36544->36540 36547 6866025 36546->36547 36548 686605e 36547->36548 36550 6864d64 36547->36550 36548->36544 36551 6864d6f 36550->36551 36553 68660d0 36551->36553 36554 6864d98 36551->36554 36553->36553 36555 6864da3 36554->36555 36561 6864da8 36555->36561 36557 686613f 36565 686b360 36557->36565 36573 686b348 36557->36573 36558 6866179 36558->36553 36564 6864db3 36561->36564 36562 68672e0 36562->36557 36563 6865e68 3 API calls 36563->36562 36564->36562 36564->36563 36566 686b366 36565->36566 36567 686b39d 36566->36567 36581 686b5c8 36566->36581 36585 686b5d8 36566->36585 36567->36558 36568 686b3dd 36588 686c8d8 36568->36588 36592 686c8c9 36568->36592 36574 686b360 36573->36574 36575 686b39d 36574->36575 36577 686b5c8 2 API calls 36574->36577 36578 686b5d8 2 API calls 36574->36578 36575->36558 36576 686b3dd 36579 686c8d8 CreateWindowExW 36576->36579 36580 686c8c9 CreateWindowExW 36576->36580 36577->36576 36578->36576 36579->36575 36580->36575 36582 686b5d8 36581->36582 36596 686b618 36582->36596 36583 686b5e2 36583->36568 36587 686b618 2 API calls 36585->36587 36586 686b5e2 36586->36568 36587->36586 36589 686c903 36588->36589 36590 686c9b2 36589->36590 36604 686dbc5 36589->36604 36593 686c903 
36592->36593 36594 686c9b2 36593->36594 36595 686dbc5 CreateWindowExW 36593->36595 36595->36594 36597 686b61d 36596->36597 36598 686b65c 36597->36598 36602 686b8b2 LoadLibraryExW 36597->36602 36603 686b8c0 LoadLibraryExW 36597->36603 36598->36583 36599 686b860 GetModuleHandleW 36601 686b88d 36599->36601 36600 686b654 36600->36598 36600->36599 36601->36583 36602->36600 36603->36600 36605 686dbfd CreateWindowExW 36604->36605 36606 686dbc9 36604->36606 36608 686dd34 36605->36608 36606->36590 36608->36608 36610 13a7fb2 36609->36610 36611 13a7fcc 36610->36611 36622 688fb30 36610->36622 36626 688fb40 36610->36626 36611->36530 36615 13a7e90 36614->36615 36616 13a7f57 36615->36616 36630 13a87e0 36615->36630 36616->36530 36619 13a7ea6 36618->36619 36620 13a7f57 36619->36620 36621 13a87e0 3 API calls 36619->36621 36620->36530 36621->36619 36623 688fb40 36622->36623 36624 688fd6a 36623->36624 36625 13adb88 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 36623->36625 36624->36611 36625->36623 36627 688fb55 36626->36627 36628 688fd6a 36627->36628 36629 13adb88 GlobalMemoryStatusEx GlobalMemoryStatusEx GlobalMemoryStatusEx 36627->36629 36628->36611 36629->36627 36631 13a87e5 36630->36631 36632 13a8ffd 36631->36632 36636 13aa06a 36631->36636 36641 13aa078 36631->36641 36646 13aa11b 36631->36646 36632->36615 36638 13aa078 36636->36638 36637 13aa131 36637->36637 36638->36637 36651 13aa167 36638->36651 36657 13aa178 36638->36657 36643 13aa095 36641->36643 36642 13aa131 36642->36642 36643->36642 36644 13aa178 3 API calls 36643->36644 36645 13aa167 3 API calls 36643->36645 36644->36643 36645->36643 36647 13aa0f0 36646->36647 36648 13aa131 36647->36648 36649 13aa178 3 API calls 36647->36649 36650 13aa167 3 API calls 36647->36650 36648->36648 36649->36647 36650->36647 36652 13aa133 36651->36652 36652->36651 36653 13aa252 36652->36653 36663 13aa5a6 36652->36663 36667 13aa2d8 36652->36667 36671 13aa3a8 36652->36671 36659 13aa192 36657->36659 36658 13aa252 36659->36658 36660 
13aa3a8 3 API calls 36659->36660 36661 13aa2d8 3 API calls 36659->36661 36662 13aa5a6 3 API calls 36659->36662 36660->36659 36661->36659 36662->36659 36665 13aa2b1 36663->36665 36664 13aa5d5 36664->36652 36665->36664 36675 13adb88 36665->36675 36669 13aa2b1 36667->36669 36668 13aa5d5 36668->36652 36669->36667 36669->36668 36670 13adb88 3 API calls 36669->36670 36670->36669 36673 13aa2b1 36671->36673 36672 13aa5d5 36672->36652 36673->36672 36674 13adb88 3 API calls 36673->36674 36674->36673 36676 13adb8f 36675->36676 36677 13adb94 36676->36677 36680 13aef48 36676->36680 36677->36665 36681 13aef58 36680->36681 36685 13aef90 36681->36685 36693 13aef80 36681->36693 36682 13ae382 36682->36665 36686 13aef9d 36685->36686 36687 13aefc5 36685->36687 36686->36682 36702 13ae6f8 36687->36702 36689 13aefe6 36689->36682 36691 13af0ae GlobalMemoryStatusEx 36692 13af0de 36691->36692 36692->36682 36694 13aef90 36693->36694 36695 13aef9d 36694->36695 36696 13ae6f8 GlobalMemoryStatusEx 36694->36696 36695->36682 36699 13aefe2 36696->36699 36697 13aefe6 36697->36682 36698 13af04b 36698->36682 36699->36697 36699->36698 36700 13af0ae GlobalMemoryStatusEx 36699->36700 36701 13af0de 36700->36701 36701->36682 36703 13af068 GlobalMemoryStatusEx 36702->36703 36705 13aefe2 36703->36705 36705->36689 36705->36691 36706 6863210 36707 6863216 GetCurrentProcess 36706->36707 36709 68632a1 36707->36709 36710 68632a8 GetCurrentThread 36707->36710 36709->36710 36711 68632e5 GetCurrentProcess 36710->36711 36712 68632de 36710->36712 36713 686331b 36711->36713 36712->36711 36714 6863343 GetCurrentThreadId 36713->36714 36715 6863374 36714->36715 36716 6863458 DuplicateHandle 36717 68634ee 36716->36717

                                                      Control-flow Graph

                                                      control_flow_graph 657 6883168-6883189 658 688318b-688318e 657->658 659 6883190-68831af 658->659 660 68831b4-68831b7 658->660 659->660 661 6883958-688395a 660->661 662 68831bd-68831dc 660->662 663 688395c 661->663 664 6883961-6883964 661->664 670 68831de-68831e1 662->670 671 68831f5-68831ff 662->671 663->664 664->658 667 688396a-6883973 664->667 670->671 672 68831e3-68831f3 670->672 675 6883205-6883214 671->675 672->675 783 6883216 call 6883988 675->783 784 6883216 call 6883980 675->784 676 688321b-6883220 677 688322d-688350a 676->677 678 6883222-6883228 676->678 699 688394a-6883957 677->699 700 6883510-68835bf 677->700 678->667 709 68835e8 700->709 710 68835c1-68835e6 700->710 712 68835f1-6883604 709->712 710->712 714 688360a-688362c 712->714 715 6883931-688393d 712->715 714->715 718 6883632-688363c 714->718 715->700 716 6883943 715->716 716->699 718->715 719 6883642-688364d 718->719 719->715 720 6883653-6883729 719->720 732 688372b-688372d 720->732 733 6883737-6883767 720->733 732->733 737 6883769-688376b 733->737 738 6883775-6883781 733->738 737->738 739 68837e1-68837e5 738->739 740 6883783-6883787 738->740 741 68837eb-6883827 739->741 742 6883922-688392b 739->742 740->739 743 6883789-68837b3 740->743 753 6883829-688382b 741->753 754 6883835-6883843 741->754 742->715 742->720 750 68837c1-68837de 743->750 751 68837b5-68837b7 743->751 750->739 751->750 753->754 757 688385a-6883865 754->757 758 6883845-6883850 754->758 762 688387d-688388e 757->762 763 6883867-688386d 757->763 758->757 761 6883852 758->761 761->757 767 6883890-6883896 762->767 768 68838a6-68838b2 762->768 764 688386f 763->764 765 6883871-6883873 763->765 764->762 765->762 769 6883898 767->769 770 688389a-688389c 767->770 772 68838ca-688391b 768->772 773 68838b4-68838ba 768->773 769->768 770->768 772->742 774 68838bc 773->774 775 68838be-68838c0 773->775 774->772 775->772 783->676 784->676
                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-3723351465
                                                      • Opcode ID: bbde2473111bd3bf7673a0f4ddb633eeefcc6f65bc6a88329ed12daa79e17688
                                                      • Instruction ID: 492605c8a7903948ec0919ae2bb3647b64699ca80b9de9d4645ec756516448e0
                                                      • Opcode Fuzzy Hash: bbde2473111bd3bf7673a0f4ddb633eeefcc6f65bc6a88329ed12daa79e17688
                                                      • Instruction Fuzzy Hash: 3F324031E1061A8FCB15EFB8D89459DB7B6FFC9700F64C669D409A7214EF30A985CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      control_flow_graph 1374 6887e80-6887e9e 1375 6887ea0-6887ea3 1374->1375 1376 6887ea5-6887ec1 1375->1376 1377 6887ec6-6887ec9 1375->1377 1376->1377 1378 6887ecb-6887ed5 1377->1378 1379 6887ed6-6887ed9 1377->1379 1381 6887edb-6887ee9 1379->1381 1382 6887ef0-6887ef3 1379->1382 1389 6887eeb 1381->1389 1390 6887f26-6887f3c 1381->1390 1383 6887f14-6887f16 1382->1383 1384 6887ef5-6887f0f 1382->1384 1385 6887f18 1383->1385 1386 6887f1d-6887f20 1383->1386 1384->1383 1385->1386 1386->1375 1386->1390 1389->1382 1394 6887f42-6887f4b 1390->1394 1395 6888157-6888161 1390->1395 1396 6887f51-6887f6e 1394->1396 1397 6888162-6888176 1394->1397 1404 6888144-6888151 1396->1404 1405 6887f74-6887f9c 1396->1405 1400 6888178-688817d 1397->1400 1401 688817e-6888197 1397->1401 1400->1401 1403 6888199-688819c 1401->1403 1406 688824f-6888252 1403->1406 1407 68881a2-68881ae 1403->1407 1404->1394 1404->1395 1405->1404 1429 6887fa2-6887fab 1405->1429 1408 6888258-6888267 1406->1408 1409 688847e-6888481 1406->1409 1411 68881b9-68881bb 1407->1411 1422 6888269-6888284 1408->1422 1423 6888286-68882c1 1408->1423 1412 6888483-688849f 1409->1412 1413 68884a4-68884a6 1409->1413 1417 68881bd-68881c3 1411->1417 1418 68881d3-68881da 1411->1418 1412->1413 1414 68884a8 1413->1414 1415 68884ad-68884b0 1413->1415 1414->1415 1415->1403 1421 68884b6-68884bf 1415->1421 1425 68881c5 1417->1425 1426 68881c7-68881c9 1417->1426 1419 68881eb 1418->1419 1420 68881dc-68881e9 1418->1420 1428 68881f0-68881f2 1419->1428 1420->1428 1422->1423 1436 6888452-6888468 1423->1436 1437 68882c7-68882d8 1423->1437 1425->1418 1426->1418 1430 6888209-6888242 1428->1430 1431 68881f4-68881f7 1428->1431 1429->1397 1434 6887fb1-6887fcd 1429->1434 1430->1408 1458 6888244-688824e 1430->1458 1431->1421 1443 6888132-688813e 1434->1443 1444 6887fd3-6887ffd 1434->1444 1436->1409 1447 688843d-688844c 1437->1447 1448 68882de-68882fb 1437->1448 1443->1404 1443->1429 1459 6888128-688812d 
1444->1459 1460 6888003-688802b 1444->1460 1447->1436 1447->1437 1448->1447 1456 6888301-68883f7 call 68866a8 1448->1456 1509 68883f9-6888403 1456->1509 1510 6888405 1456->1510 1459->1443 1460->1459 1467 6888031-688805f 1460->1467 1467->1459 1472 6888065-688806e 1467->1472 1472->1459 1474 6888074-68880a6 1472->1474 1481 68880a8-68880ac 1474->1481 1482 68880b1-68880cd 1474->1482 1481->1459 1484 68880ae 1481->1484 1482->1443 1485 68880cf-6888126 call 68866a8 1482->1485 1484->1482 1485->1443 1511 688840a-688840c 1509->1511 1510->1511 1511->1447 1512 688840e-6888413 1511->1512 1513 6888421 1512->1513 1514 6888415-688841f 1512->1514 1515 6888426-6888428 1513->1515 1514->1515 1515->1447 1516 688842a-6888436 1515->1516 1516->1447
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: $]q$$]q
• API String ID: 0-127220927
• Opcode ID: d8f1324a2ce979b04b42f4e52132a9db559d57b8544f81c789a4881eaecebf8f
• Instruction ID: 670e007f0e6c98c89e7338b1617dd5f2b6db7f855701604e356dde29df89a6b4
• Opcode Fuzzy Hash: d8f1324a2ce979b04b42f4e52132a9db559d57b8544f81c789a4881eaecebf8f
• Instruction Fuzzy Hash: 59029D30B0020A9FDB54EF68D990AAEB7E6FF84304F648529D915DB395DB35EC42CB81
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: $
• API String ID: 0-3993045852
• Opcode ID: 2cfda338a1a5a6ed1ae6c57f01a12425d118a22759a31506d8885a91d6740bac
• Instruction ID: 64ef0bae79f6a2b3139a2f41ff9ea599056dfbb40ae884c9b484d3b5293bd2fa
• Opcode Fuzzy Hash: 2cfda338a1a5a6ed1ae6c57f01a12425d118a22759a31506d8885a91d6740bac
• Instruction Fuzzy Hash: F422C575E002058FDFA4EBA4C4906AEB7F2EF84324F248569D559EB384DB35DC42CB92
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7ff914dc915d3fc9c10876c9687cd354ec693f7a911c35447b9961a1b715a8e6
• Instruction ID: 565eb9a00a7fc1d7e06d0905ef830885395c1b2c71220f13527d0b16b13bd4c9
• Opcode Fuzzy Hash: 7ff914dc915d3fc9c10876c9687cd354ec693f7a911c35447b9961a1b715a8e6
• Instruction Fuzzy Hash: C862A234B002058FDB54EBA8D550AADB7F6FF84314F248469D50AEB395EB35EC86CB81
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c492b0913b16bcb2c2c5f5a02005834683aa7fe8edc7902929306c146b5d7bce
• Instruction ID: 5c2d450082034941ec5bca3e90690c41212bd57350c781a60b262a24b39d93d1
• Opcode Fuzzy Hash: c492b0913b16bcb2c2c5f5a02005834683aa7fe8edc7902929306c146b5d7bce
• Instruction Fuzzy Hash: 8D326F30B102099FDB54EF68D990AAEB7B6FF88314F108529D505EB399DB35EC42CB91
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2500c9d1df1974823b08dba9eda59b6bf5b5197ac4d0d73f49d53cd462bb7ac3
• Instruction ID: 108aadc39b1f98c40836a1592316834c9bd3db1490ec47e24409f42b03f88288
• Opcode Fuzzy Hash: 2500c9d1df1974823b08dba9eda59b6bf5b5197ac4d0d73f49d53cd462bb7ac3
• Instruction Fuzzy Hash: 3D227030E102098FDF64EB68D5907AEB7F6FB89310F208926E519EB395DA34DC85CB51
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (basic-block edge list for the function at 688adc0; graph rendering not reproduced)
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-1273862796
• Opcode ID: f4810e7f630e899ca91ea7c797b3e54a264542702680e0710b937619f096662e
• Instruction ID: c2b276d79c449195c4b21f1312c0dd11294fb0e943ee42963eee822534addb03
• Opcode Fuzzy Hash: f4810e7f630e899ca91ea7c797b3e54a264542702680e0710b937619f096662e
• Instruction Fuzzy Hash: FEE17230E1020A8FCB69EF69D5906AEB7B6FF85304F10892AD505EB394DB75DC46CB81
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (basic-block edge list for the function at 688b748; graph rendering not reproduced)
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q$$]q$$]q
• API String ID: 0-3723351465
• Opcode ID: 046cfabe3cf928865fc16315fe37e7729e9316c1df209e87b51b90d64144e889
• Instruction ID: a2bfc35b9282b557169d91557c15255be48180ee8750b3a0cf0750f8544a2191
• Opcode Fuzzy Hash: 046cfabe3cf928865fc16315fe37e7729e9316c1df209e87b51b90d64144e889
• Instruction Fuzzy Hash: D0027D30E102099FDBA4EF68D990AAEB7B2FF85314F10892AD555EB351DB34EC45CB81
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (basic-block edge list for the function at 686320a; graph rendering not reproduced)
APIs
• GetCurrentProcess.KERNEL32 ref: 0686328E
• GetCurrentThread.KERNEL32 ref: 068632CB
• GetCurrentProcess.KERNEL32 ref: 06863308
• GetCurrentThreadId.KERNEL32 ref: 06863361
Memory Dump Source
• Source File: 0000000D.00000002.3239701483.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6860000_RegSvcs.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 85885d478262f6374efff0d7eff764bdc95dc505c47a86b268169aa164884dc2
• Instruction ID: da2be09cda6e0488150ab27d25aa8e57e3e04d34924ce905cecbdea02f1cfc28
• Opcode Fuzzy Hash: 85885d478262f6374efff0d7eff764bdc95dc505c47a86b268169aa164884dc2
• Instruction Fuzzy Hash: 735178B09003498FDB54DFAAD948BDEBBF5FF88314F208459E119A7360D734A944CBA5
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (basic-block edge list for the function at 6863210; graph rendering not reproduced)
APIs
• GetCurrentProcess.KERNEL32 ref: 0686328E
• GetCurrentThread.KERNEL32 ref: 068632CB
• GetCurrentProcess.KERNEL32 ref: 06863308
• GetCurrentThreadId.KERNEL32 ref: 06863361
Memory Dump Source
• Source File: 0000000D.00000002.3239701483.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6860000_RegSvcs.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: 0d88166fe0af73ce8b6feecff7600661cfc01f699ebd2042e38f282e53d04be5
• Instruction ID: a4d91148559ba1a187921c83f1a53e758cb011951885b71d0e760ef995637223
• Opcode Fuzzy Hash: 0d88166fe0af73ce8b6feecff7600661cfc01f699ebd2042e38f282e53d04be5
• Instruction Fuzzy Hash: DC5157B09003498FDB54DFAAD948BEEBBF5FF88304F208459E119A7360D774A944CB65
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (basic-block edge list for the function at 6889248; graph rendering not reproduced)
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q$$]q
• API String ID: 0-858218434
• Opcode ID: 30941c8ca1a3b9fb7b4b6c72af80c2b7179e69919480d270bbdf1428aadd81a1
• Instruction ID: 1a0571e7039ac05a95d90287586c90e8db06785232fe50eeeb708c95ecd6faa3
• Opcode Fuzzy Hash: 30941c8ca1a3b9fb7b4b6c72af80c2b7179e69919480d270bbdf1428aadd81a1
• Instruction Fuzzy Hash: 6C913030B0021A8FDB55EF69D8607AEB3F6BF85204F108569D909EB348EE309D46CB91
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (basic-block edge list for the function at 688d040; graph rendering not reproduced)
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: $]q$$]q$$]q
• API String ID: 0-182748909
• Opcode ID: 524c653399b1cd6f2ba073829555e9d78827d2b81fb3ffad551feef66bf5e3df
• Instruction ID: 61abde504fd5f90e9ca785fb762f466a0c2c059d97dc3f4f504fb020e519a923
• Opcode Fuzzy Hash: 524c653399b1cd6f2ba073829555e9d78827d2b81fb3ffad551feef66bf5e3df
• Instruction Fuzzy Hash: CC621D30A0020A9FCB55EF68E590A5EB7E6FF85304B21C929D009DF359DB75ED4ACB81
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph (basic-block edge list for the function at 6884c78; graph rendering not reproduced)
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
Similarity
• API ID:
• String ID: fbq$XPbq$\Obq
• API String ID: 0-4057264190
• Opcode ID: 53b457afe6fd9fa4141d3dd391ed6c1f86a07867478af0e22e55de11fc075544
• Instruction ID: c08531be9c5234116374c7d7063af5397799043879a405d000b5797327a0003f
• Opcode Fuzzy Hash: 53b457afe6fd9fa4141d3dd391ed6c1f86a07867478af0e22e55de11fc075544
• Instruction Fuzzy Hash: BE614E31A102199FEB54EFA8C854BAEBBF6FF88310F208429D106EB395DA754C45CB91
Uniqueness
Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q
                                                      • API String ID: 0-127220927
                                                      • Opcode ID: d8ab3f6c35b66db68d7eb33ae51c2a019fdf97653fc661ccd68502660eb5df4c
                                                      • Instruction ID: 45b00dd1762b9e7e479cc5f983b47cc11b7303c995ad255fbf384c31017b429b
                                                      • Opcode Fuzzy Hash: d8ab3f6c35b66db68d7eb33ae51c2a019fdf97653fc661ccd68502660eb5df4c
                                                      • Instruction Fuzzy Hash: EA514E30B1010A9FDB55EB78D860B6EB7F6EF88204F108569D919DB398EE31DC46CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Control-flow Graph

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: fbq$XPbq
                                                      • API String ID: 0-2292610095
                                                      • Opcode ID: 4e801a1bc6591601a71b8713c0427ae1b711e55a517de97090d6ec220ca58f7c
                                                      • Instruction ID: 3bae1f8cb9bc9851755e9ff660bec312caf3d803f282bb783823a66260aa5794
                                                      • Opcode Fuzzy Hash: 4e801a1bc6591601a71b8713c0427ae1b711e55a517de97090d6ec220ca58f7c
                                                      • Instruction Fuzzy Hash: 8D514C31B002099FEB55DFA9C854BAEBBF6FF88710F208529D106EB395DA758C05CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0686B87E
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239701483.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6860000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 74875e279011e59f3fc4715501dbb1b62796773e2cd6732c8feabcf88e1955ba
                                                      • Instruction ID: 6874e55d4424876e5f5e205b695901ec5bb3fbad5c75af32ee6d3452c9bd470b
                                                      • Opcode Fuzzy Hash: 74875e279011e59f3fc4715501dbb1b62796773e2cd6732c8feabcf88e1955ba
                                                      • Instruction Fuzzy Hash: 33816870A00B058FD7A8DF2AD44475ABBF5FF88308F00892DE59AD7A50DB74E859CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0686DD22
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239701483.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6860000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 337d1236d9638ccdbf2d88e1189ab4c0242c65fea9c7326f8d6aaa0c4d5d4f87
                                                      • Instruction ID: d28d8127cae0783f7b2e2b0b66606dbea4cb4f71a8c68870dabcd6fdc79aa8cb
                                                      • Opcode Fuzzy Hash: 337d1236d9638ccdbf2d88e1189ab4c0242c65fea9c7326f8d6aaa0c4d5d4f87
                                                      • Instruction Fuzzy Hash: 2C51D171D00249EFDF15CF9AC884ADEBFB5BF49300F14816AE918AB220D7759845CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3232751784.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_13a0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 4cd80eeb5932697b42e017fa9456bfad2cd00cd01b66fd73c62f1b92463ede40
                                                      • Instruction ID: 055fcd1c33f030e99d74f1186d5994210c1764ac87bab9ed53003ebe1ba8577d
                                                      • Opcode Fuzzy Hash: 4cd80eeb5932697b42e017fa9456bfad2cd00cd01b66fd73c62f1b92463ede40
                                                      • Instruction Fuzzy Hash: AB412372D003599FCB14DFBDD8046AEBBF9EF89310F05856AD508A7241DB78A885CBE1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0686DD22
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239701483.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6860000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: 917e353681fee64223898d4a1bc559c96a37f5a08d6b64629bca517a85fbe41b
                                                      • Instruction ID: 3a318c8ff5eb73be78a6fe33c9464fdafa5abb67f7eed54b913b9d7974b840eb
                                                      • Opcode Fuzzy Hash: 917e353681fee64223898d4a1bc559c96a37f5a08d6b64629bca517a85fbe41b
                                                      • Instruction Fuzzy Hash: FE51C0B1D003499FDB14DFAAC884ADEBFB5FF48310F24852AE919AB250D774A845CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0686DD22
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239701483.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6860000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: CreateWindow
                                                      • String ID:
                                                      • API String ID: 716092398-0
                                                      • Opcode ID: dc18871d550bb9ab5e45c2c62da3769720a1d10f9aa289fbb7a21d2c86457b51
                                                      • Instruction ID: 786ddba3b24530c7ed30decfa72f7b952166fc0d0209bb9b8f2afea77e78a322
                                                      • Opcode Fuzzy Hash: dc18871d550bb9ab5e45c2c62da3769720a1d10f9aa289fbb7a21d2c86457b51
                                                      • Instruction Fuzzy Hash: 7841B0B1D00349DFDB14DF9AC884ADEBBB5FF48310F24852AE919AB250D775A845CF90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068634DF
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239701483.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6860000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 4b95bda9c061adc661dff13e3b0577152e32f4ba98c7b613cb86312f87b84454
                                                      • Instruction ID: 67cf85cf0a361751463bc2574cf9c7aaddc73e5742e4ab08dab25659e92adbc8
                                                      • Opcode Fuzzy Hash: 4b95bda9c061adc661dff13e3b0577152e32f4ba98c7b613cb86312f87b84454
                                                      • Instruction Fuzzy Hash: 7B21D4B5D002099FDB10CFAAD584ADEFBF8EF48310F14841AE954A7250D379A944CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 068634DF
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239701483.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6860000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: DuplicateHandle
                                                      • String ID:
                                                      • API String ID: 3793708945-0
                                                      • Opcode ID: 1f097006d7e04ead75233dadea0cc6e76f9527d8342b8e738bdc8d581ea55cdf
                                                      • Instruction ID: 7a0822d73dedc5733a11da041e4718e8851772ebfd1e8c7eb23fe549dc9471f4
                                                      • Opcode Fuzzy Hash: 1f097006d7e04ead75233dadea0cc6e76f9527d8342b8e738bdc8d581ea55cdf
                                                      • Instruction Fuzzy Hash: 2D21B0B59012499FDB10CFAAD984ADEFBF9EB48310F14841AE918A3250D379A944CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0686B8F9,00000800,00000000,00000000), ref: 0686BAEA
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239701483.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6860000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: 9edc90753b4a629d4a14f1ccde110743bbaf02fd616a582557b64350e1d83dfa
                                                      • Instruction ID: cc26103f2d207ba90085e993ae6c92d3053325210813d0ddc7a25c9fcb0dddc2
                                                      • Opcode Fuzzy Hash: 9edc90753b4a629d4a14f1ccde110743bbaf02fd616a582557b64350e1d83dfa
                                                      • Instruction Fuzzy Hash: 931114B6C012498FDB20CF9AD844AAEFBF4EF48314F10842AE519B7300C379A945CFA5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,013AEFE2), ref: 013AF0CF
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3232751784.00000000013A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013A0000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_13a0000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: GlobalMemoryStatus
                                                      • String ID:
                                                      • API String ID: 1890195054-0
                                                      • Opcode ID: cbe04e36f273153bd5970b2d9e0a5ab03ed5a3f4f436e5107f624c5816c27121
                                                      • Instruction ID: 6cd9ab4155418f9b3592bcafb4cec0b84f0ac41264ed109f7058b18773632627
                                                      • Opcode Fuzzy Hash: cbe04e36f273153bd5970b2d9e0a5ab03ed5a3f4f436e5107f624c5816c27121
                                                      • Instruction Fuzzy Hash: 891114B1C006599BCB10DF9AC444BAEFBF8EF48314F10856AD918B7240D778A944CFE1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0686B8F9,00000800,00000000,00000000), ref: 0686BAEA
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239701483.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6860000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: LibraryLoad
                                                      • String ID:
                                                      • API String ID: 1029625771-0
                                                      • Opcode ID: b8bf0c9d6a5774c90464738edecb42e7e59fe38521bfe8629c5b59c8351bbc2f
                                                      • Instruction ID: 2390fedf834d22ad60dbcb9668a3a21cdd7bc5e58e8162a76efc869d52361de8
                                                      • Opcode Fuzzy Hash: b8bf0c9d6a5774c90464738edecb42e7e59fe38521bfe8629c5b59c8351bbc2f
                                                      • Instruction Fuzzy Hash: 5C1123B6D002098FCB20CF9AD944ADEFBF5EF88310F14841AE519B7200C378A545CFA4
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      APIs
                                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0686B87E
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239701483.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6860000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID: HandleModule
                                                      • String ID:
                                                      • API String ID: 4139908857-0
                                                      • Opcode ID: 2983a06f9a6c68984cf87f187a5c936be3e713cb71a62767899586497b94f883
                                                      • Instruction ID: be4d858ad2f05bc6cf53ed63d8212a88d9b37339b4a769ae64e234adc61d397a
                                                      • Opcode Fuzzy Hash: 2983a06f9a6c68984cf87f187a5c936be3e713cb71a62767899586497b94f883
                                                      • Instruction Fuzzy Hash: 171110B5C003498FCB10DF9AC844ADEFBF4EF88314F10842AD528A7210D379A545CFA1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PH]q
                                                      • API String ID: 0-3168235125
                                                      • Opcode ID: 00f026bc008b4ebe57ddd302e2a05e9ba208b3b5214fc2e0b860f04dd4326429
                                                      • Instruction ID: 1090a4c3371bfb5a5f07eff420f76e72cf38221651860c93fd75be84b5370354
                                                      • Opcode Fuzzy Hash: 00f026bc008b4ebe57ddd302e2a05e9ba208b3b5214fc2e0b860f04dd4326429
                                                      • Instruction Fuzzy Hash: F941BF30E0020ADFDB65EF65D85069EBBB6BF85304F208529E505EB385EBB4D946CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PH]q
                                                      • API String ID: 0-3168235125
                                                      • Opcode ID: 628320eaf65285975615779ec3ada21dda4cba9de13d222d5de4c2da7f20a845
                                                      • Instruction ID: 4ae229f612037a187bde44ad920823057c27dc434da66899c93b6735b590df87
                                                      • Opcode Fuzzy Hash: 628320eaf65285975615779ec3ada21dda4cba9de13d222d5de4c2da7f20a845
                                                      • Instruction Fuzzy Hash: 7931FE30B002058FDB69AB78C57066E7BEABF89204F108429D506DB395DF39DD46CBE5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: PH]q
                                                      • API String ID: 0-3168235125
                                                      • Opcode ID: 4cd1b3b2f0461f5cff45a2c0e6d0b4bfc07237626b5f1ee0a014e0354bde68f2
                                                      • Instruction ID: 27882bc608a103a312d6f086c5244d2d534fc8b801872e366aeb182fc032c6da
                                                      • Opcode Fuzzy Hash: 4cd1b3b2f0461f5cff45a2c0e6d0b4bfc07237626b5f1ee0a014e0354bde68f2
                                                      • Instruction Fuzzy Hash: EC31BE30B002058FDB69AB74D57466E7BEAAF89204F108438D506DB398DE39DD46C7E5
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 204986fcf3335fae81e0afc1956f160aecfaef36c15573caa9ae5bc758de56de
                                                      • Instruction ID: 2de1472ecc36252bebd680db79a93fb808aa549649096a15fc6f2eab82a649c3
                                                      • Opcode Fuzzy Hash: 204986fcf3335fae81e0afc1956f160aecfaef36c15573caa9ae5bc758de56de
                                                      • Instruction Fuzzy Hash: 3561C071F000114FDB14AB6ED890A6FBADBAF94220B154479D90EDB364EE75ED02C7D1
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: ac9eb78cb8255e0941062eece414cdc38ab8933d7f08879eacd7edc421d43658
                                                      • Instruction ID: 867aa41eadd60e515c3498296cb6486306ff0951809722df96b78ed1b036a638
                                                      • Opcode Fuzzy Hash: ac9eb78cb8255e0941062eece414cdc38ab8933d7f08879eacd7edc421d43658
                                                      • Instruction Fuzzy Hash: 79011D31B100154FDB69EA68E468B5E73DAEBC5614F10883AE60AD7394EE25EC02C791
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID:
                                                      • API String ID:
                                                      • Opcode ID: 65e7d8bf86c0d5c4a4fcd60e6d66d9c6581f8c6fedb030f7ea977a490eae03ba
                                                      • Instruction ID: 4dc7a6f39c5e9129917dc4534ac3782cfac898a0d81c1e507b65edf836299fc9
                                                      • Opcode Fuzzy Hash: 65e7d8bf86c0d5c4a4fcd60e6d66d9c6581f8c6fedb030f7ea977a490eae03ba
                                                      • Instruction Fuzzy Hash: 14E09271D24308AFEF90EEB4DA0575F7769D745214F208DA5D904D7146F176CA41C781
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-2843079600
                                                      • Opcode ID: c1e4981d229fcadf99746d36e22e1a7afeb7d1c6d4d660b65079f404424cd92d
                                                      • Instruction ID: fd4e9f9016789917e5c3d4a8e73536fb8d836ebcd4dc39d7afbae0c8cd627525
                                                      • Opcode Fuzzy Hash: c1e4981d229fcadf99746d36e22e1a7afeb7d1c6d4d660b65079f404424cd92d
                                                      • Instruction Fuzzy Hash: 80123C30E002198FDB68EF69C994AADB7B6FF84304F2085A9D50AEB354DB359D45CF81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-1273862796
                                                      • Opcode ID: 22e503dd93a962c466f467566277e481ec36b7872ac609fd1497b04b9732bc9a
                                                      • Instruction ID: 3c2d916baf09cbd3e79b3d72a3b42ed547242606ac1d182a3fb5f9b0cf6cea4f
                                                      • Opcode Fuzzy Hash: 22e503dd93a962c466f467566277e481ec36b7872ac609fd1497b04b9732bc9a
                                                      • Instruction Fuzzy Hash: B3914C30A0020D9FEB6CEF68D594B6EB7F6EF44705F10842AE801E7294DB79AD45CB90
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: .5uq$$]q$$]q$$]q$$]q$$]q$$]q
                                                      • API String ID: 0-981061697
                                                      • Opcode ID: 4c87d7d778fefbf63d436272240ad89494c7a54b6309a8af38216b8a9951ab1f
                                                      • Instruction ID: 0473a5808f86b37979cf902feb79204f9c7a9eb82c041340aef3ee77594b8f30
                                                      • Opcode Fuzzy Hash: 4c87d7d778fefbf63d436272240ad89494c7a54b6309a8af38216b8a9951ab1f
                                                      • Instruction Fuzzy Hash: 2BF13F34A01209DFDB59FF68D590A6EBBB6FF84304F608529D805DB368DB35AC42CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q
                                                      • API String ID: 0-858218434
                                                      • Opcode ID: d5d9eb0d1aaec947aae2aab49451842bef766a6415654d6c5dd1363e95f41b35
                                                      • Instruction ID: acb4b5a69b1636dfe0dd67b7d60e973f8c58df2907370a4315829bc818532ad4
                                                      • Opcode Fuzzy Hash: d5d9eb0d1aaec947aae2aab49451842bef766a6415654d6c5dd1363e95f41b35
                                                      • Instruction Fuzzy Hash: 05B13D70A10209CFDB68EFA8D590A9EB7B6FF84304F648529D506DB355DB35DC86CB80
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q
                                                      • API String ID: 0-858218434
                                                      • Opcode ID: f7ecd2645b10077f7c6a5b431b6f7142cad692f833eaf36d11d08fd29cff41ae
                                                      • Instruction ID: 691d7d6aeac5ae2377583f2657f74702b82ba2dcf30531097665744ccac2f6ee
                                                      • Opcode Fuzzy Hash: f7ecd2645b10077f7c6a5b431b6f7142cad692f833eaf36d11d08fd29cff41ae
                                                      • Instruction Fuzzy Hash: 7F51B330A102099FDFADEB68D590AAEB7B6EF94304F14896BE905D7395DB30DC41CB81
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: LR]q$LR]q$$]q$$]q
                                                      • API String ID: 0-3527005858
                                                      • Opcode ID: 24e3ee2280d236693e131dc72e07263a2851b1e1ccaa26664133d9d08fcb1714
                                                      • Instruction ID: e472c65515479b0232332af05da18334c17808b03ed1a11243502a93c3bef23a
                                                      • Opcode Fuzzy Hash: 24e3ee2280d236693e131dc72e07263a2851b1e1ccaa26664133d9d08fcb1714
                                                      • Instruction Fuzzy Hash: 8251A17070020A9FDB58EF68D990A6E77E6FF88304F508569D506DB3A9DB30EC41CB91
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%

                                                      Strings
                                                      Memory Dump Source
                                                      • Source File: 0000000D.00000002.3239840672.0000000006880000.00000040.00000800.00020000.00000000.sdmp, Offset: 06880000, based on PE: false
                                                      Joe Sandbox IDA Plugin
                                                      • Snapshot File: hcaresult_13_2_6880000_RegSvcs.jbxd
                                                      Similarity
                                                      • API ID:
                                                      • String ID: $]q$$]q$$]q$$]q
                                                      • API String ID: 0-858218434
                                                      • Opcode ID: 415c15e3cbc48b7c3d90d6126d1ce860fd2eabb78ba7f2b69c2c8bde27c027a5
                                                      • Instruction ID: 85bb48b6d454748c7a09dc3de61ea1086391bac87f5d42497f8faddaff03e5c3
                                                      • Opcode Fuzzy Hash: 415c15e3cbc48b7c3d90d6126d1ce860fd2eabb78ba7f2b69c2c8bde27c027a5
                                                      • Instruction Fuzzy Hash: 56419230B112098FDF69FF68D5909AD73B6EF94204F14856BD905D7294DB35DC42CB41
                                                      Uniqueness

                                                      Uniqueness Score: -1.00%