Windows Analysis Report
4v7myD9mN2OaWZp.exe

Overview

General Information

Sample name: 4v7myD9mN2OaWZp.exe
Analysis ID: 1428408
MD5: 1c03282d15f52ed3095a5c64e7c2a78d
SHA1: 86530804a57608459d3ff6ffd2442758dc184f89
SHA256: e7ca5b6e85e1d8cec45ab5d12640dcc7016d6ca9c27b0b8d66f119d4639874b2
Tags: exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 4v7myD9mN2OaWZp.exe (PID: 4148 cmdline: "C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe" MD5: 1C03282D15F52ED3095A5C64E7C2A78D)
    • powershell.exe (PID: 5168 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3504 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5972 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • 4v7myD9mN2OaWZp.exe (PID: 5696 cmdline: "C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe" MD5: 1C03282D15F52ED3095A5C64E7C2A78D)
  • jgHHGmfF.exe (PID: 6284 cmdline: C:\Users\user\AppData\Roaming\jgHHGmfF.exe MD5: 1C03282D15F52ED3095A5C64E7C2A78D)
    • schtasks.exe (PID: 1240 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp493F.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 3448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • jgHHGmfF.exe (PID: 5860 cmdline: "C:\Users\user\AppData\Roaming\jgHHGmfF.exe" MD5: 1C03282D15F52ED3095A5C64E7C2A78D)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pbjv.net", "Username": "m.muthu@pbjv.net", "Password": "muthu12345***"}
Source | Rule | Description | Author | Strings
00000007.00000002.3286942756.000000000297A000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.3282959752.0000000000415000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.3282959752.0000000000415000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000002.3287087422.000000000350E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.3286942756.000000000294F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x316f5:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x31767:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x317f1:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x31883:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x318ed:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3195f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x319f5:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x31a85:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
7.2.4v7myD9mN2OaWZp.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
7.2.4v7myD9mN2OaWZp.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe", ParentImage: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe, ParentProcessId: 4148, ParentProcessName: 4v7myD9mN2OaWZp.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe", ProcessId: 5168, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp493F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp493F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\jgHHGmfF.exe, ParentImage: C:\Users\user\AppData\Roaming\jgHHGmfF.exe, ParentProcessId: 6284, ParentProcessName: jgHHGmfF.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp493F.tmp", ProcessId: 1240, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 203.175.171.5, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe, Initiated: true, ProcessId: 5696, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49708
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe", ParentImage: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe, ParentProcessId: 4148, ParentProcessName: 4v7myD9mN2OaWZp.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp", ProcessId: 5972, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe", ParentImage: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe, ParentProcessId: 4148, ParentProcessName: 4v7myD9mN2OaWZp.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe", ProcessId: 5168, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe", ParentImage: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe, ParentProcessId: 4148, ParentProcessName: 4v7myD9mN2OaWZp.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp", ProcessId: 5972, ProcessName: schtasks.exe
No Snort rule has matched


AV Detection

Source: 4v7myD9mN2OaWZp.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Avira: detection malicious, Label: TR/AD.GenSteal.wsjrh
Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.pbjv.net", "Username": "m.muthu@pbjv.net", "Password": "muthu12345***"}
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | ReversingLabs: Detection: 60%
Source: 4v7myD9mN2OaWZp.exe | ReversingLabs: Detection: 60%
Source: 4v7myD9mN2OaWZp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4v7myD9mN2OaWZp.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.37907e8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.5:49708 -> 203.175.171.5:587
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: mail.pbjv.net
Source: 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3286942756.0000000002957000.00000004.00000800.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3283392168.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3287087422.0000000003516000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3283392168.00000000015F9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3286942756.0000000002957000.00000004.00000800.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3283392168.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3287087422.0000000003516000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3286942756.0000000002957000.00000004.00000800.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3283392168.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3287087422.0000000003516000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C69000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.cyo
Source: 4v7myD9mN2OaWZp.exe, 00000007.00000002.3286942756.0000000002957000.00000004.00000800.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3287087422.0000000003516000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://mail.pbjv.net
Source: 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3286942756.0000000002957000.00000004.00000800.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3283392168.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3287087422.0000000003516000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: 4v7myD9mN2OaWZp.exe, 00000007.00000002.3286942756.0000000002957000.00000004.00000800.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3287087422.0000000003516000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pbjv.net
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2057776056.0000000002556000.00000004.00000800.00020000.00000000.sdmp, jgHHGmfF.exe, 00000008.00000002.2087883900.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2064994079.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3282959752.0000000000415000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3286942756.0000000002957000.00000004.00000800.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3283392168.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3287087422.0000000003516000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://sectigo.com/CPS0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, lK61.cs | .Net Code: _1ksIYAzV
Source: 0.2.4v7myD9mN2OaWZp.exe.37907e8.10.raw.unpack, lK61.cs | .Net Code: _1ksIYAzV

System Summary

Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 7.2.4v7myD9mN2OaWZp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.4v7myD9mN2OaWZp.exe.37907e8.10.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.4v7myD9mN2OaWZp.exe.37907e8.10.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.4v7myD9mN2OaWZp.exe.6b20000.12.raw.unpack, SQL.cs | Large array initialization: array initializer size 13797
Source: 0.2.4v7myD9mN2OaWZp.exe.252ad84.0.raw.unpack, SQL.cs | Large array initialization: array initializer size 13797
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 0_2_023076F8
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 0_2_02307708
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 0_2_06840E48
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 0_2_06840E38
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 0_2_0684DD97
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 0_2_0684DDA8
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 7_2_00B641C8
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 7_2_00B64A98
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 7_2_00B69B38
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 7_2_00B63E80
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 7_2_00B6CE80
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 7_2_00B6B76F
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_00EE76F8
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_00EE7708
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_05C30E48
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_05C3DD97
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_05C3DDA8
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_05C30E38
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_085BD510
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_085B6848
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_085B6C80
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_085B8319
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_085B8328
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_085B6410
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_085BF558
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 8_2_085B8760
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_01929378
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_01929BF8
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_01924A98
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_01923E80
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_0192CE80
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_019241C8
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_068E56D8
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_068E2EF0
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_068E3F48
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_068EBD10
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_068EDD20
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_068E9AE8
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_068E8B98
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_068E0040
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_068E3648
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_068E4FF8
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_01929BF2
Source: 4v7myD9mN2OaWZp.exe | Binary or memory string: OriginalFilename vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2057776056.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2057776056.00000000024F1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2072980496.00000000088A0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000000.2032683210.0000000000112000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameaBOU.exe" vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2057776056.0000000002556000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename824a3756-845d-44e4-acb3-928574fce78b.exe4 vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2071162001.0000000006B20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2054596977.00000000008CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2057776056.00000000026DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2057776056.00000000026DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2057776056.00000000026DE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $]q,\\StringFileInfo\\000004B0\\OriginalFilename vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2064994079.00000000036CE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename824a3756-845d-44e4-acb3-928574fce78b.exe4 vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2064994079.00000000036CE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000007.00000002.3282959752.0000000000415000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilename824a3756-845d-44e4-acb3-928574fce78b.exe4 vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe, 00000007.00000002.3283265109.00000000008F9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe | Binary or memory string: OriginalFilenameaBOU.exe" vs 4v7myD9mN2OaWZp.exe
Source: 4v7myD9mN2OaWZp.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 7.2.4v7myD9mN2OaWZp.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.4v7myD9mN2OaWZp.exe.37907e8.10.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.4v7myD9mN2OaWZp.exe.37907e8.10.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4v7myD9mN2OaWZp.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: jgHHGmfF.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, B2q.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, B2q.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, JzkeW.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, JzkeW.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, JzkeW.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, JzkeW.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, mVrrG0SDJrG.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, mVrrG0SDJrG.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, C1QWHnwVQIm5Dj670S.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, MvaOxVN9jNsrBV4BGJ.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, MvaOxVN9jNsrBV4BGJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, MvaOxVN9jNsrBV4BGJ.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@16/11@1/1
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeFile created: C:\Users\user\AppData\Roaming\jgHHGmfF.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7088:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3448:120:WilError_03
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeFile created: C:\Users\user\AppData\Local\Temp\tmp3C3F.tmpJump to behavior
                    Source: 4v7myD9mN2OaWZp.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 4v7myD9mN2OaWZp.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: 4v7myD9mN2OaWZp.exeReversingLabs: Detection: 60%
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeFile read: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe:Zone.IdentifierJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe "C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe"
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess created: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe "C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\jgHHGmfF.exe C:\Users\user\AppData\Roaming\jgHHGmfF.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp493F.tmp"
                    Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess created: C:\Users\user\AppData\Roaming\jgHHGmfF.exe "C:\Users\user\AppData\Roaming\jgHHGmfF.exe"
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess created: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe "C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp493F.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess created: C:\Users\user\AppData\Roaming\jgHHGmfF.exe "C:\Users\user\AppData\Roaming\jgHHGmfF.exe"Jump to behavior
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: riched20.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: usp10.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: msls31.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: riched20.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: usp10.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: msls31.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: 4v7myD9mN2OaWZp.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 4v7myD9mN2OaWZp.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 4v7myD9mN2OaWZp.exe, frmFolderSearcher.cs | .Net Code: InitializeComponent
Source: jgHHGmfF.exe.0.dr, frmFolderSearcher.cs | .Net Code: InitializeComponent
Source: 0.2.4v7myD9mN2OaWZp.exe.6b20000.12.raw.unpack, SQL.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, MvaOxVN9jNsrBV4BGJ.cs | .Net Code: CWq4nPdgRYLxF6R0I3s System.Reflection.Assembly.Load(byte[])
Source: 0.2.4v7myD9mN2OaWZp.exe.252ad84.0.raw.unpack, SQL.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Code function: 0_2_0684F21F pushfd ; ret 0_2_0684F222
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Code function: 12_2_068ED9B7 push eax; retf 12_2_068ED9ED
Source: 4v7myD9mN2OaWZp.exe | Static PE information: section name: .text entropy: 7.942277485262483
Source: jgHHGmfF.exe.0.dr | Static PE information: section name: .text entropy: 7.942277485262483
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, MvaOxVN9jNsrBV4BGJ.cs | High entropy of concatenated method names: 'x7kxapk3Jn', 'BZnxhrR57g', 'XYPxNw8b0N', 'z4PxOe6N3T', 'k6LxDkCuRO', 'cKixfGV1eY', 'HHAxnMMsCn', 'QdcxBWpatD', 'uHuxClNXBX', 'vZmxFKLrhl'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, H3sZAacTXO63I6OW2G.cs | High entropy of concatenated method names: 'RRiDlKTcyR', 'wvQDJtIRrm', 'oIfOVfaMme', 'cfDOrJOJto', 'WVROwq3iYk', 'AKAO0TnMoA', 'RN1OjwpEgo', 'vTkO8GFcV1', 'zMVOvNfP8t', 'mgnOuZPR8I'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, wsOdZpGBGx7yPAKJXr.cs | High entropy of concatenated method names: 'VkDey3bT9M', 'XQ7eZ0ae2X', 'yNSqMZLmoA', 'GHJqLFYGAn', 'jLSe2GRLuN', 'CkQe7q0Pev', 'xRgeWqvS5n', 'D60ei6b7Go', 'Um4e9XImpA', 'n90eYpxu4A'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, aFsjiAECnEE985c0os.cs | High entropy of concatenated method names: 'Uc4np8K4IO', 'NqJnKOXZTe', 'cG9ncbArSK', 'lsUnASaFyA', 'b2gnlqIeLJ', 'LrUnmLryr8', 'MkNnJApKmf', 'E6LnHA3wL7', 'lyOnd2yYut', 'nLGnSImxaa'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, tTjt3Tm47rYGMSbFUR.cs | High entropy of concatenated method names: 'TZFfagWkVa', 'PnxfN6iOWh', 'M0YfDqmm4x', 'owPfnYYk98', 'jipfBdrXEe', 'UOTD3kLxaj', 'PrWDTK1K1w', 'IxoDEPnuQZ', 'PZlDy5bIGa', 'RI3Dk1Bk8P'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, vZ3XpbXgCtE3FBb8Qs.cs | High entropy of concatenated method names: 'zignhlB3Ms', 'Qx7nOTVq4D', 'bSonfsqXWk', 'c2nfZQSBvc', 'LCwfzoRcdl', 'i8TnMtJ0kR', 'JhpnLa3qGk', 'Hrwn4ajvkB', 'BR3nxdI3U5', 'HvSnPbOZIB'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, kofpfDqjcPMk7nlupX.cs | High entropy of concatenated method names: 'XjlcuOi4l', 'OhvAVI7AV', 'Qu3mxIGas', 'PNmJAbYwe', 'r7jdSEg4A', 'LnNShcwue', 'DxbIU90uC6lQlkkpve', 'OErtJ5LPwNbB4Tmr66', 'keLTTCwSZXtKdQTlZP', 'FwmqcKs4P'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, C1QWHnwVQIm5Dj670S.cs | High entropy of concatenated method names: 'YCgNiEbaIv', 'S6ZN9lMTm9', 'kRINYni8Am', 'Ut4NbPwQA3', 'JfEN3WkGvV', 'USgNTPdNsN', 'PV0NEwoY69', 'IYbNymf36A', 'uGvNkmOVi2', 'DMiNZqe0v0'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, PqE9na55SZNiMgZombN.cs | High entropy of concatenated method names: 'ToString', 's7koxGsuN8', 'jqhoPBKMKM', 'oJMoaGkM0t', 'Y7yohYw9x3', 'SnioNOQRo4', 'EycoOby4AN', 'dlioD24Fpv', 'ej1F4x2SwlSrkEPyPnj', 'CqcFTe2FLpc3ct9FNI7'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, q9Bf6YzBRrhMk148K3.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fPiU5ogsYg', 'pkyUIsJkdI', 'GxZU1wJitA', 'rpVUeg5PdK', 'KbHUqy9jxS', 'fniUUwmwLl', 'lNwUotvAd1'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, mSEFvYisQAYDHI3YJ3.cs | High entropy of concatenated method names: 'zQIqQ3biZ6', 'wSsqta8uY5', 'ffCqVcxqqT', 'N5JqrCwBxe', 'XK0qiLDJlJ', 'C4nqwJc08p', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, M3KYsdRwEa2RGpSTJy.cs | High entropy of concatenated method names: 'CE65Hcgb9D', 'rhg5deRvyD', 'Pd85Qbyy7v', 'zae5tKiM5b', 'DF05rJOWSr', 'XAk5wuEcKI', 'KA85jb6kVN', 'qct587ojuB', 'Uvy5uapfFR', 'mdf52kRHDo'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, a7kAOKWfMFYbxLrCs2.cs | High entropy of concatenated method names: 'ukwOAkPURm', 'zMGOmuHVGQ', 'Um3OHqNdeF', 'g9bOdug7W4', 'WrpOIMqwtg', 'fucO1WDfjC', 'wLnOex6yA3', 'z2yOq89rmU', 'rnhOUBd3VF', 'oitOo0Wl99'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, TNhOLF5STRb3eeVAmKD.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'mXaoijsFpC', 'Ei2o9NmJAu', 'eD2oYY80sG', 'jyWobgFOQD', 'nb6o3WDvYr', 'DNKoTc6MSJ', 'pURoEO9vMw'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, k4RA6Y2DIdFxxs76Gi.cs | High entropy of concatenated method names: 'sRPULlrYsh', 'cV5UxAFgyV', 'UUdUP3Sq1k', 'vOBUhRckBO', 'YulUNKR8jE', 'YY0UDVipS0', 'W4AUfe6Rc8', 'LU8qE2Bm73', 'B7BqyKwday', 'zo8qkM8RAZ'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, YteQxN595vU84hxiTdT.cs | High entropy of concatenated method names: 'OwUUpA97f3', 'OdTUKvYMOU', 'vtbUcaewmA', 'gdpUAGjx3i', 'B1pUlQQH1V', 'THkUmZlxLy', 'iE2UJujQEO', 'TnQUHM1jXr', 'zC8Udp1nsR', 'ADCUSRoYMV'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, JoZ5parQoGDSXOB4SU.cs | High entropy of concatenated method names: 'PLIqhoHOgI', 'b2RqNl56li', 'FjGqOTTI4C', 'EbiqDjCZHn', 'Tq3qfg3aeS', 'ExiqnHXe05', 'eHFqBiiYoq', 'zT3qCJ0oI9', 'sV3qF9sYaX', 'Jddq6rRfxJ'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, XJQ7U6BCc2uQqlKhcl.cs | High entropy of concatenated method names: 'V67LnNRxxH', 'LrwLBPWwEN', 'BZmLF9knwK', 'MGbL6noAkh', 'H6QLI35SAV', 'eQ4L1KZj70', 'J5KucCFjymCQW1lpcy', 'YWthFVTbeW1dX6J16t', 'jFgLLYaWNI', 'kZrLxOr2Wf'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, jE8HlS3b8r4piKL6Ai.cs | High entropy of concatenated method names: 'ToString', 'zZq129rDq6', 'Nxe1ttjOFZ', 'Sh61VBFwuR', 'uKl1rV16GR', 'auR1w78W14', 'Qrx105c0Mc', 'HBL1jmmCiy', 'cIk18RnD5r', 'iSe1vruq2l'
Source: 0.2.4v7myD9mN2OaWZp.exe.88a0000.15.raw.unpack, aJ90VmahFrFnR2a7Gu.cs | High entropy of concatenated method names: 'Dispose', 'oWSLkwDTsi', 'H7L4t6oDQM', 'vlQGG2rdxn', 'LyoLZL767V', 'sQkLzxgLy4', 'ProcessDialogKey', 'SB84MEKe2R', 'aFN4LbQGoA', 'bNc44jqVl0'
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | File created: C:\Users\user\AppData\Roaming\jgHHGmfF.exe
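The two static signals in this section, a .text section at 7.94 bits/byte and member names that look like random strings, are both entropy measurements. The script below is an added example written for this page, not Joe Sandbox code and not code from the sample: it parses a PE section table by hand, scores each section, and applies the same concatenated-method-name heuristic to the names quoted above. The cut-offs (7.0 for a packed section, 5.0 for obfuscated names) are assumed, and the PE image it scans is constructed in memory, so it runs without the sample.

```python
"""Entropy heuristics behind the obfuscation findings above (added example)."""
import math
import os
import struct
from collections import Counter
from typing import Dict, Iterable

# Assumed cut-offs, not values taken from the report: plain x86 or IL code
# usually sits around 5.5-6.5 bits/byte, so a .text section at 7.94 (as flagged
# above) is almost certainly compressed or encrypted.
PACKED_SECTION_THRESHOLD = 7.0
OBFUSCATED_NAMES_THRESHOLD = 5.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input, 8.0 max)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def pe_section_entropies(pe: bytes) -> Dict[str, float]:
    """Walk the PE section table by hand and return {section name: entropy}.

    Reads only the fields needed to reach each section's raw bytes
    (NumberOfSections, SizeOfOptionalHeader, SizeOfRawData, PointerToRawData),
    so it works on minimal synthetic images as well as real binaries.
    """
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size                      # first IMAGE_SECTION_HEADER
    result: Dict[str, float] = {}
    for i in range(num_sections):
        hdr = table + i * 40
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        result[name] = shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])
    return result


def flag_packed_sections(pe: bytes, threshold: float = PACKED_SECTION_THRESHOLD) -> Dict[str, float]:
    """Sections whose entropy reaches `threshold`; a hit on .text points at a packed or encrypted payload."""
    return {n: e for n, e in pe_section_entropies(pe).items() if e >= threshold}


def method_name_entropy(names: Iterable[str]) -> float:
    """Entropy of the concatenated member names, the per-class heuristic the report applies."""
    return shannon_entropy("".join(names).encode("utf-8"))


def build_synthetic_pe(sections: Dict[str, bytes]) -> bytes:
    """Constructed test input: a minimal, non-executable PE image with the given raw sections.

    Layout: 64-byte DOS header, PE signature, COFF header with an empty optional
    header, one 40-byte section header per entry, then the raw section data.
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    cursor = 64 + 4 + 20 + 40 * len(sections)                 # where raw data starts
    headers, payload = b"", b""
    for name, data in sections.items():
        headers += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), len(data), 0x1000,
                               len(data), cursor, 0, 0, 0, 0, 0x60000020)
        payload += data
        cursor += len(data)
    return bytes(dos) + b"PE\0\0" + coff + headers + payload


# Member names quoted in the report for MvaOxVN9jNsrBV4BGJ.cs (renamed by an obfuscator) ...
OBFUSCATED_NAMES = ["x7kxapk3Jn", "BZnxhrR57g", "XYPxNw8b0N", "z4PxOe6N3T", "k6LxDkCuRO",
                    "cKixfGV1eY", "HHAxnMMsCn", "QdcxBWpatD", "uHuxClNXBX", "vZmxFKLrhl"]
# ... and ordinary framework members that survive renaming in the same listings
ORDINARY_NAMES = ["ToString", "Dispose", "CanConvertFrom", "ConvertFrom", "ConvertTo",
                  "Next", "NextBytes", "ProcessDialogKey"]

if __name__ == "__main__":
    image = build_synthetic_pe({
        ".text": os.urandom(4096),            # stands in for an encrypted code section
        ".rsrc": b"VS_VERSION_INFO\0" * 256,  # repetitive, low-entropy data
    })
    for sec, ent in pe_section_entropies(image).items():
        print(f"{sec:<8} {ent:.3f} bits/byte")
    print("packed sections:", flag_packed_sections(image))
    print(f"obfuscated names: {method_name_entropy(OBFUSCATED_NAMES):.2f}")
    print(f"ordinary names:   {method_name_entropy(ORDINARY_NAMES):.2f}")
```

Section entropy alone is a weak signal (a large embedded, compressed resource can push a section high too); the combination the report shows, near-maximal .text entropy plus `Assembly.Load(byte[])` in the decompiled code, is what indicates a second-stage assembly being decrypted and loaded in memory.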

Boot Survival

Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp"
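The persistence step above is schtasks.exe importing a task definition from a file in the user's Temp directory. The script below is an added example for this page, not Joe Sandbox code and not the sample's own: it matches process-creation telemetry (Sysmon event 1 or Security 4688 style records) for exactly that pattern and extracts what an imported task XML would execute. The telemetry records are constructed here to mirror the entry above, and the task XML is an assumed definition (the report names the task and the dropped file, but does not show the XML), so the Command it contains is an assumption.

```python
"""Hunting the schtasks /XML persistence shown above (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Directories a task definition should never be imported from (assumed list; extend as needed)
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
_OPT = r'\s+(?:"([^"]*)"|(\S+))'          # a quoted or bare option value
CREATE_RE = re.compile(r"(?:^|\s)/Create(?:\s|$)", re.IGNORECASE)
TN_RE = re.compile(r"/TN" + _OPT, re.IGNORECASE)
XML_RE = re.compile(r"/XML" + _OPT, re.IGNORECASE)


def parse_schtasks_create(cmdline: str) -> Optional[Dict[str, str]]:
    """For `schtasks /Create ... /TN <name> /XML <file>` return {"task", "xml"}; otherwise None."""
    if not CREATE_RE.search(cmdline):
        return None
    tn, xml = TN_RE.search(cmdline), XML_RE.search(cmdline)
    return {
        "task": (tn.group(1) or tn.group(2) or "") if tn else "",
        "xml": (xml.group(1) or xml.group(2) or "") if xml else "",
    }


def is_temp_task_creation(event: Dict[str, str]) -> bool:
    """True for a process-creation record where schtasks.exe registers a task from a temp-dir XML."""
    if not event.get("image", "").lower().endswith("\\schtasks.exe"):
        return False
    parsed = parse_schtasks_create(event.get("command_line", ""))
    return bool(parsed and TEMP_DIR_RE.search(parsed["xml"]))


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One finding per matching event: the process that spawned schtasks, the task name, the XML path."""
    findings = []
    for ev in events:
        if is_temp_task_creation(ev):
            parsed = parse_schtasks_create(ev["command_line"])
            findings.append({"parent": ev.get("parent_image", ""),
                             "task": parsed["task"], "xml": parsed["xml"]})
    return findings


def task_actions(task_xml: str) -> List[Dict[str, str]]:
    """Pull every Exec action (command + arguments) out of a Task Scheduler XML definition."""
    root = ET.fromstring(task_xml)
    return [{"command": ex.findtext("t:Command", default="", namespaces=TASK_NS),
             "arguments": ex.findtext("t:Arguments", default="", namespaces=TASK_NS)}
            for ex in root.findall(".//t:Actions/t:Exec", TASK_NS)]


# Constructed telemetry: the first record mirrors the process creation reported above,
# the other two are benign schtasks uses that must not fire.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe",
     "command_line": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /Query /TN "Microsoft\Windows\Defrag\ScheduledDefrag"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "command_line": r'schtasks /Create /TN "Vendor\Updater" /XML "C:\Program Files\Vendor\updater.xml"'},
]

# Constructed task definition of the kind a dropped tmpXXXX.tmp would hold. The Command
# value is an assumption: the report names the dropped file, not the task's payload.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\user\AppData\Roaming\jgHHGmfF.exe</Command></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print("task from temp XML:", finding)
    print("task would run:", task_actions(SAMPLE_TASK_XML))
```

The temp file is usually deleted right after import, so the registered task itself is the durable artifact: on a live host the definition can be read back with `schtasks /Query /TN "Updates\jgHHGmfF" /XML` (or `Export-ScheduledTask` in PowerShell) and fed to `task_actions` to confirm what runs at logon.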

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Process information set: NOOPENFILEERRORBOX (46 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (104 identical entries)
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Process information set: NOOPENFILEERRORBOX (28 further identical entries)
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: 4v7myD9mN2OaWZp.exe PID: 4148, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Memory allocated: 8A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Memory allocated: 24F0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Memory allocated: 2260000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Memory allocated: 8940000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Memory allocated: 9940000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Memory allocated: 9C50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Memory allocated: AC50000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Memory allocated: B60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Memory allocated: 2900000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Memory allocated: 2680000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Memory allocated: EE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Memory allocated: 2A70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Memory allocated: 4A70000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Memory allocated: 89B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Memory allocated: 99B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Memory allocated: 9CB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Memory allocated: ACB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Memory allocated: 1920000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Memory allocated: 34C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Memory allocated: 3390000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 922337203685477 (3 occurrences)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6770
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1549
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Window / User API: threadDelayed 4834
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Window / User API: threadDelayed 5019
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Window / User API: threadDelayed 2453
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Window / User API: threadDelayed 5816
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 5692 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 652 | Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3992 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep count: 34 > 30
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -31359464925306218s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 7104 | Thread sleep count: 4834 > 30
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -99891s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 7104 | Thread sleep count: 5019 > 30
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -99766s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -99546s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -99417s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -99309s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -99203s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -99094s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -98984s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -98875s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -98765s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -98656s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -98547s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -98437s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -98328s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -98198s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -98093s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -97984s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -97873s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -97766s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -97656s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -97547s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -97437s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -97328s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -97219s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -97094s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -96984s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -96845s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -96719s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -96594s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -96484s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -96375s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -96266s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -96156s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -96047s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -95937s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -95828s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -95719s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -95594s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -95466s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -95359s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -95250s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -95097s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -94969s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -94844s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -94734s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -94625s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -94516s >= -30000s
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe TID: 6044 | Thread sleep time: -94406s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 3376Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -22136092888451448s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -100000s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 4460Thread sleep count: 2453 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -99875s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -99760s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -99656s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 4460Thread sleep count: 5816 > 30Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -99547s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -99438s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -99313s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -99203s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -99091s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -98984s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -98875s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -98766s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -98641s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -98531s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -98388s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -98280s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -98172s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -98018s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -97891s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -97781s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -97672s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -97563s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -97438s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -97313s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -97197s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -97094s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -96969s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -96859s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -96750s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -96641s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -96531s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -96422s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -96313s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -96188s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -96078s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -95969s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -95844s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -95734s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -95625s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -95516s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -95406s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe TID: 5692Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 99891
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 99766
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 99656
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 99546
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 99417
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 99309
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 99203
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 99094
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 98984
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 98875
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 98765
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 98656
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 98547
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 98437
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 98328
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 98198
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 98093
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 97984
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 97873
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 97766
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 97656
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 97547
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 97437
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 97328
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 97219
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 97094
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 96984
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 96845
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 96719
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 96594
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 96484
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 96375
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 96266
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 96156
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 96047
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 95937
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 95828
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 95719
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 95594
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 95466
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 95359
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 95250
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 95097
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 94969
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 94844
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 94734
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 94625
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 94516
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 94406
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 99760
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 99438
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 99313
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 99203
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 99091
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 98984
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 98875
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 98766
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 98641
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 98531
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 98388
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 98280
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 98172
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 98018
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 97891
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 97781
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 97672
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 97563
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 97438
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 97313
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 97197
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 97094
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 96969
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 96859
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 96750
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 96641
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 96531
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 96422
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 96313
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 96188
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 96078
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 95969
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 95844
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 95734
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 95625
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 95516
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 95406
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Thread delayed: delay time: 922337203685477
Source: jgHHGmfF.exe, 00000008.00000002.2085505280.0000000000DEC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllstringPNPDeviceID
Source: jgHHGmfF.exe, 0000000C.00000002.3283392168.00000000015F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: 4v7myD9mN2OaWZp.exe, 00000000.00000002.2056560313.00000000009B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\?
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Memory allocated: page read and write | page guard
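The sleep rows above are the raw material for a question a sandbox operator has to answer before re-running a sample like this: how much of the run is the sample simply waiting out, and which threads are parked for good. The following Python is an added example, not part of the Joe Sandbox report and not the sample's own code. It parses a subset of the rows copied from the listing above (embedded as constructed input, with the Source path, the optional TID and the behaviour text separated by " | ") and summarises them per thread; values are kept in the report's own units, and the number 922337203685477, which equals .NET's TimeSpan.MaxValue in milliseconds, is treated as an infinite sleep rather than added to the total.

```python
"""Quantify the sandbox-evasion sleeps listed in a Joe Sandbox behaviour table.

Added example: not part of the report and not the sample's own code.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# .NET TimeSpan.MaxValue in milliseconds (Int64.MaxValue ticks / 10000).
# The report shows exactly this number where the sample parks a thread for
# good, so it is counted as an infinite sleep instead of being summed.
DOTNET_TIMESPAN_MAX_MS = 922_337_203_685_477

# Constructed input: a subset of rows copied from the listing above.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | TID: 6044 | Thread sleep time: -96375s >= -30000s
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | TID: 6044 | Thread sleep time: -96266s >= -30000s
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | TID: 6044 | Thread sleep time: -96156s >= -30000s
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | TID: 3376 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | TID: 5692 | Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | TID: 4460 | Thread sleep count: 2453 > 30
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | TID: 5692 | Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | TID: 5692 | Thread sleep time: -99760s >= -30000s
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Thread delayed: delay time: 99891
"""

ROW = re.compile(
    r"^Source:\s*(?P<image>[^|]+?\.exe)\s*"
    r"(?:\|\s*TID:\s*(?P<tid>\d+)\s*)?"
    r"\|\s*Thread (?P<kind>sleep time|sleep count|delayed):\s*"
    r"(?:delay time:\s*)?(?P<value>-?\d+)"
)


@dataclass
class SleepEvent:
    image: str
    tid: Optional[str]   # 'Thread delayed' rows carry no thread id
    kind: str            # 'sleep time', 'sleep count' or 'delayed'
    value: int           # interval magnitude, or the call count for 'sleep count'


def parse_rows(text):
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # WMI queries, memory strings and other non-sleep rows
        # 'Thread sleep time' values are negative, consistent with the
        # NtDelayExecution convention for a relative interval; only the
        # magnitude matters here.
        events.append(SleepEvent(m["image"].strip(), m["tid"], m["kind"],
                                 abs(int(m["value"]))))
    return events


def summarise(events):
    """Per (image, tid): finite sleep total and count, infinite sleeps, loop calls."""
    out = defaultdict(lambda: {"finite_total": 0, "finite_calls": 0,
                               "infinite": 0, "loop_calls": 0})
    for e in events:
        s = out[(e.image, e.tid)]
        if e.kind == "sleep count":
            s["loop_calls"] += e.value
        elif e.value >= DOTNET_TIMESPAN_MAX_MS:
            s["infinite"] += 1
        else:
            s["finite_total"] += e.value
            s["finite_calls"] += 1
    return dict(out)


def countdown_step(events, image, tid):
    """Return the average decrement if a thread's finite sleep intervals fall by
    a near-constant amount on every call (a countdown loop rather than
    independent sleeps); None otherwise."""
    vals = [e.value for e in events
            if e.image == image and e.tid == tid
            and e.kind == "sleep time" and e.value < DOTNET_TIMESPAN_MAX_MS]
    if len(vals) < 3:
        return None
    deltas = [a - b for a, b in zip(vals, vals[1:])]
    if min(deltas) > 0 and max(deltas) - min(deltas) <= 0.25 * min(deltas):
        return sum(deltas) // len(deltas)
    return None


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    for (image, tid), s in sorted(summarise(evs).items(), key=str):
        name = image.rsplit("\\", 1)[-1]
        print(f"{name} tid={tid}: {s} countdown_step={countdown_step(evs, image, tid)}")
```

Run against the full listing rather than the embedded subset, the same code shows that both the dropper (TID 6044) and the dropped copy (TID 5692) step their sleep interval down by roughly 110 per call, which is what a countdown loop looks like from the outside; a sandbox that shortens sleeps uniformly still has to survive the loop count, and the 2453 and 5816 call counts on TID 4460 are the other half of that picture.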

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe"
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe"
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Memory written: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Memory written: C:\Users\user\AppData\Roaming\jgHHGmfF.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe"
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp"
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Process created: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe "C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe"
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp493F.tmp"
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Process created: C:\Users\user\AppData\Roaming\jgHHGmfF.exe "C:\Users\user\AppData\Roaming\jgHHGmfF.exe"
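The process-creation rows above are the detectable part of the install chain: the dropper adds a Defender exclusion for the copy it wrote to AppData\Roaming, registers a scheduled task from an XML file in the user's Temp folder, and starts a second copy of itself, which the "Memory written ... base: 400000 value starts with: 4D5A" rows then show receiving a new PE image. Each step has benign look-alikes (administrators add exclusions, installers register tasks, browsers self-spawn), so the following Python, an added example that is not part of the report and not the sample's own code, runs one rule per step over constructed Sysmon-style process-creation events and only reports a chain when a single parent PID triggers all three. The event records, PIDs and the two benign events are constructed for the example; the command lines of the malicious events are taken from the rows above.

```python
"""Detect the install chain (Defender exclusion, task from %TEMP% XML, self-spawn).

Added example: not part of the Joe Sandbox report and not the sample's own code.
"""
import re
from collections import defaultdict

PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
DROPPER = r"C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe"

# Constructed process-creation events (Sysmon Event ID 1 style, trimmed to the
# fields the rules need). PIDs 4120-4160 mirror the chain in the report;
# 5000 and 5100 are benign look-alikes that must not produce a chain hit.
EVENTS = [
    {"pid": 4100, "ppid": 3200, "image": DROPPER, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{DROPPER}"'},
    {"pid": 4120, "ppid": 4100, "image": PS, "parent_image": DROPPER,
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe"'},
    {"pid": 4140, "ppid": 4100, "image": SCHTASKS, "parent_image": DROPPER,
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" '
                r'/XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp"'},
    {"pid": 4160, "ppid": 4100, "image": DROPPER, "parent_image": DROPPER,
     "cmdline": f'"{DROPPER}"'},
    {"pid": 5000, "ppid": 3200, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell.exe Add-MpPreference -ExclusionPath "C:\Program Files\Build"'},
    {"pid": 5100, "ppid": 5090, "image": SCHTASKS, "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'schtasks.exe /Create /TN "Vendor\Update" /XML "C:\ProgramData\Vendor\update.xml"'},
]

EXCLUSION = re.compile(
    r'Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(?:"([^"]+)"|(\S+))', re.I)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(?:AppData|Desktop|Downloads|Documents)\\", re.I)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
TASK_XML = re.compile(r'/xml\s+"?([^"]+?\.(?:xml|tmp))"?', re.I)


def exe_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_defender_exclusion(ev):
    """Add-MpPreference -Exclusion* from PowerShell. High when the excluded path
    or the parent process lives in a user-writable directory, as in the report."""
    if exe_name(ev["image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    m = EXCLUSION.search(ev["cmdline"])
    if not m:
        return None
    target = m.group(1) or m.group(2)
    suspicious = USER_WRITABLE.search(target) or USER_WRITABLE.search(ev["parent_image"])
    return ("defender_exclusion", "high" if suspicious else "medium", target)


def rule_schtasks_xml(ev):
    """schtasks /Create /XML with the task definition read from the user's Temp
    folder (the report's tmp3C3F.tmp / tmp493F.tmp pattern). Installers keep
    the XML beside the product, not in %TEMP%."""
    if exe_name(ev["image"]) != "schtasks.exe" or not re.search(r"/create\b", ev["cmdline"], re.I):
        return None
    m = TASK_XML.search(ev["cmdline"])
    if m and TEMP_DIR.search(m.group(1)):
        return ("schtasks_xml_from_temp", "high", m.group(1))
    return None


def rule_self_spawn(ev):
    """A process starting a second copy of its own image from a user-writable
    directory: the visible precursor of the 'Memory written ... 4D5A' rows, where
    the fresh copy gets a new PE written over its image base. Restricted to
    user-writable paths because browsers and updaters self-spawn too."""
    if ev["image"].lower() == ev["parent_image"].lower() and USER_WRITABLE.search(ev["image"]):
        return ("self_spawn_from_user_dir", "medium", ev["image"])
    return None


RULES = (rule_defender_exclusion, rule_schtasks_xml, rule_self_spawn)
CHAIN = {"defender_exclusion", "schtasks_xml_from_temp", "self_spawn_from_user_dir"}


def evaluate(events):
    """Return (per-event hits, parent PIDs whose children triggered all three rules)."""
    hits, by_parent = [], defaultdict(set)
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append((ev["pid"], *hit))
                by_parent[ev["ppid"]].add(hit[0])
    chains = sorted(ppid for ppid, names in by_parent.items() if CHAIN <= names)
    return hits, chains


if __name__ == "__main__":
    hits, chains = evaluate(EVENTS)
    for pid, name, severity, detail in hits:
        print(f"pid {pid}: {name} [{severity}] {detail}")
    print("install chain under parent pid(s):", chains)
```

The rules look at plain command lines only; if the cmdlet arrives through -EncodedCommand, decode the UTF-16LE Base64 payload before matching, or the exclusion rule sees nothing. The per-parent correlation is what keeps the benign administrator exclusion (PID 5000) at medium and the vendor task (PID 5100) silent while still surfacing the dropper (PID 4100) as the parent of the whole chain.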
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Queries volume information: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe VolumeInformation
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Queries volume information: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe VolumeInformation
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Queries volume information: C:\Users\user\AppData\Roaming\jgHHGmfF.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Queries volume information: C:\Users\user\AppData\Roaming\jgHHGmfF.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.4v7myD9mN2OaWZp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.37907e8.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.37907e8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3286942756.000000000297A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3282959752.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3287087422.000000000350E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3286942756.000000000294F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3287087422.0000000003539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3286942756.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3287087422.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064994079.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4v7myD9mN2OaWZp.exe PID: 4148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 4v7myD9mN2OaWZp.exe PID: 5696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jgHHGmfF.exe PID: 5860, type: MEMORYSTR
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\jgHHGmfF.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.4v7myD9mN2OaWZp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.37907e8.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.37907e8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3282959752.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3286942756.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3287087422.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064994079.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4v7myD9mN2OaWZp.exe PID: 4148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 4v7myD9mN2OaWZp.exe PID: 5696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jgHHGmfF.exe PID: 5860, type: MEMORYSTR

                    Remote Access Functionality

Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.4v7myD9mN2OaWZp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.37907e8.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.37907e8.10.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4v7myD9mN2OaWZp.exe.3755dc8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.3286942756.000000000297A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3282959752.0000000000415000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3287087422.000000000350E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3286942756.000000000294F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3287087422.0000000003539000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3286942756.0000000002901000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.3287087422.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2064994079.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4v7myD9mN2OaWZp.exe PID: 4148, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 4v7myD9mN2OaWZp.exe PID: 5696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: jgHHGmfF.exe PID: 5860, type: MEMORYSTR
                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    11
                    Disable or Modify Tools
                    2
                    OS Credential Dumping
                    1
                    File and Directory Discovery
                    Remote Services11
                    Archive Collected Data
                    1
                    Encrypted Channel
                    Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job
                    1
                    Scheduled Task/Job
                    111
                    Process Injection
                    1
                    Deobfuscate/Decode Files or Information
                    1
                    Input Capture
                    24
                    System Information Discovery
                    Remote Desktop Protocol2
                    Data from Local System
                    1
                    Non-Standard Port
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    Scheduled Task/Job
                    2
                    Obfuscated Files or Information
                    1
                    Credentials in Registry
                    1
                    Query Registry
                    SMB/Windows Admin Shares1
                    Email Collection
                    1
                    Non-Application Layer Protocol
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing
                    NTDS211
                    Security Software Discovery
                    Distributed Component Object Model1
                    Input Capture
                    11
                    Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading
                    LSA Secrets1
                    Process Discovery
                    SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                    Masquerading
                    Cached Domain Credentials141
                    Virtualization/Sandbox Evasion
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                    Virtualization/Sandbox Evasion
                    DCSync1
                    Application Window Discovery
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job111
                    Process Injection
                    Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Behavior Graph ID: 1428408 | Sample: 4v7myD9mN2OaWZp.exe | Start date: 18/04/2024 | Architecture: WINDOWS | Score: 100

Start
    DNS/IP: mail.pbjv.net; pbjv.net
    Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures
    4v7myD9mN2OaWZp.exe (7) started
        Dropped: C:\Users\user\AppData\Roaming\jgHHGmfF.exe (PE32); C:\Users\user\AppData\Local\...\tmp3C3F.tmp (XML)
        Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
        4v7myD9mN2OaWZp.exe (2) started
            DNS/IP: pbjv.net 203.175.171.5, ports 49708, 49711, 587, SGGS-AS-APSGGSSG Singapore
        powershell.exe (23) started
            Signatures: Loading BitLocker PowerShell Module
            WmiPrvSE.exe started
            conhost.exe started
        schtasks.exe (1) started
            conhost.exe started
    jgHHGmfF.exe (5) started
        Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Injects a PE file into a foreign processes
        jgHHGmfF.exe (2) started
            Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
        schtasks.exe (1) started
            conhost.exe started

Source | Detection | Scanner | Label | Link
4v7myD9mN2OaWZp.exe | 61% | ReversingLabs | Win32.Spyware.Negasteal
4v7myD9mN2OaWZp.exe | 100% | Avira | TR/AD.GenSteal.wsjrh

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\jgHHGmfF.exe | 100% | Avira | TR/AD.GenSteal.wsjrh
C:\Users\user\AppData\Roaming\jgHHGmfF.exe | 61% | ReversingLabs | Win32.Spyware.Negasteal

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label | Link
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pbjv.net | 203.175.171.5 | true | false | | unknown
mail.pbjv.net | unknown | unknown | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://sectigo.com/CPS0 | 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3286942756.0000000002957000.00000004.00000800.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3283392168.00000000015C5000.00000004.00000020.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3287087422.0000000003516000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://mail.pbjv.net | 4v7myD9mN2OaWZp.exe, 00000007.00000002.3286942756.0000000002957000.00000004.00000800.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3287087422.0000000003516000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://account.dyn.com/ | 4v7myD9mN2OaWZp.exe, 00000000.00000002.2064994079.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, 4v7myD9mN2OaWZp.exe, 00000007.00000002.3282959752.0000000000415000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 4v7myD9mN2OaWZp.exe, 00000000.00000002.2057776056.0000000002556000.00000004.00000800.00020000.00000000.sdmp, jgHHGmfF.exe, 00000008.00000002.2087883900.0000000002AC3000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.cyo | 4v7myD9mN2OaWZp.exe, 00000007.00000002.3284009513.0000000000C69000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://pbjv.net | 4v7myD9mN2OaWZp.exe, 00000007.00000002.3286942756.0000000002957000.00000004.00000800.00020000.00000000.sdmp, jgHHGmfF.exe, 0000000C.00000002.3287087422.0000000003516000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
203.175.171.5 | pbjv.net | Singapore | | 24482 | SGGS-AS-APSGGSSG | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1428408
Start date and time: 2024-04-18 22:34:12 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 43s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 4v7myD9mN2OaWZp.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@16/11@1/1
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 161
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target 4v7myD9mN2OaWZp.exe, PID 5696 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 4v7myD9mN2OaWZp.exe
Time | Type | Description
22:35:03 | API Interceptor | 53x Sleep call for process: 4v7myD9mN2OaWZp.exe modified
22:35:05 | API Interceptor | 15x Sleep call for process: powershell.exe modified
22:35:06 | Task Scheduler | Run new task: jgHHGmfF path: C:\Users\user\AppData\Roaming\jgHHGmfF.exe
22:35:07 | API Interceptor | 42x Sleep call for process: jgHHGmfF.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
203.175.171.5 | rNNA.exe | | malicious | AgentTesla

Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
SGGS-AS-APSGGSSG | rNNA.exe | | malicious | AgentTesla | | 203.175.171.5
SGGS-AS-APSGGSSG | wg2vKIF0SU.elf | | malicious | Gafgyt | | 103.14.247.45
SGGS-AS-APSGGSSG | LF6B2XTwcV.elf | | malicious | Gafgyt, Mirai | | 103.14.247.32
SGGS-AS-APSGGSSG | JzaLI8CCY4.elf | | malicious | Gafgyt, Mirai | | 103.14.247.67
SGGS-AS-APSGGSSG | cIUrcTpbFS.elf | | malicious | Gafgyt | | 103.14.247.79
SGGS-AS-APSGGSSG | Wv63rJCTZB.elf | | malicious | Gafgyt, Mirai | | 103.14.247.67
SGGS-AS-APSGGSSG | 3FKykOcbPa.elf | | malicious | Mirai | | 103.14.247.74
SGGS-AS-APSGGSSG | 2tneBBzaBb.elf | | malicious | Mirai | | 103.14.247.18
SGGS-AS-APSGGSSG | 64Tgzu2FKh.exe | | malicious | GuLoader, RHADAMANTHYS | | 203.175.174.69
SGGS-AS-APSGGSSG | zp.exe | | malicious | GuLoader, RHADAMANTHYS | | 203.175.174.69
Process: C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Users\user\AppData\Roaming\jgHHGmfF.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Reputation: high, very likely benign file
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.380747059108785
Encrypted: false
SSDEEP: 48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:lGLHxvIIwLgZ2KRHWLOug8s
MD5: 4D3B8C97355CF67072ABECB12613F72B
SHA1: 07B27BA4FE575BBF9F893F03789AD9B8BC2F8615
SHA-256: 75FC38CDE708951C1963BB89E8AA6CC82F15F1A261BEACAF1BFD9CF0518BEECD
SHA-512: 8E47C93144772042865B784300F4528E079615F502A3C5DC6BFDE069880268706B7B3BEE227AD5D9EA0E6A3055EDBC90B39B9E55FE3AD58635493253A210C996
Malicious: false
                                    Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:ASCII text, with no line terminators
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.038920595031593
                                    Encrypted:false
                                    SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                    MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                    SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                    SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                    SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                    Malicious:false
                                    Preview:# PowerShell test file to determine AppLocker lockdown mode
                                    Process:C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1581
                                    Entropy (8bit):5.10674267140765
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt1xvn:cgergYrFdOFzOzN33ODOiDdKrsuTLv
                                    MD5:C82C6C846CE5E862BDDBCBF263E20B8A
                                    SHA1:62A55113831963F0A05DD7EDEE290AC1FBB3D7BD
                                    SHA-256:DD938AF41C30BA323CBE1D0B773E6EC70312BB7BD3EE13CF65AED5DB12CAE9E4
                                    SHA-512:7628E6E8D05AB61921C002D6858E1CDC165CC12A4F3BFDBE3E3D6631BC52299885E15D748788ACC2D833F4935C658931F488EA2FB2F89B8D72FCA3E5EFCF4AA7
                                    Malicious:true
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                    Process:C:\Users\user\AppData\Roaming\jgHHGmfF.exe
                                    File Type:XML 1.0 document, ASCII text
                                    Category:dropped
                                    Size (bytes):1581
                                    Entropy (8bit):5.10674267140765
                                    Encrypted:false
                                    SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt1xvn:cgergYrFdOFzOzN33ODOiDdKrsuTLv
                                    MD5:C82C6C846CE5E862BDDBCBF263E20B8A
                                    SHA1:62A55113831963F0A05DD7EDEE290AC1FBB3D7BD
                                    SHA-256:DD938AF41C30BA323CBE1D0B773E6EC70312BB7BD3EE13CF65AED5DB12CAE9E4
                                    SHA-512:7628E6E8D05AB61921C002D6858E1CDC165CC12A4F3BFDBE3E3D6631BC52299885E15D748788ACC2D833F4935C658931F488EA2FB2F89B8D72FCA3E5EFCF4AA7
                                    Malicious:false
                                    Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                    Process:C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe
                                    File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):769024
                                    Entropy (8bit):7.937687229342054
                                    Encrypted:false
                                    SSDEEP:12288:Is8NBIu1GLMKsoXtsXVBwNlTqNwp1aUJbypdAt9XhyfOSlF8+50NgxkI:R8Nyuo/soXoVBwjgwp1bOCyGSlF8+5OU
                                    MD5:1C03282D15F52ED3095A5C64E7C2A78D
                                    SHA1:86530804A57608459D3FF6FFD2442758DC184F89
                                    SHA-256:E7CA5B6E85E1D8CEC45AB5D12640DCC7016D6CA9C27B0B8D66F119D4639874B2
                                    SHA-512:FF866D1ED0B7766AF3DB5F8980E1C60AA72C32F8AC1BBCE2728E5CE2E1D8A0C48A4658B2D6DCC0BDA42E276F66C2B982701B520C810CBC3C9674D32AC6BC93D2
                                    Malicious:true
                                    Antivirus:
                                    • Antivirus: Avira, Detection: 100%
                                    • Antivirus: ReversingLabs, Detection: 61%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.................. ... ....@.. ....................... ............`.................................<...O.... ............................................................................... ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B................p.......H.......`....c......=.......P&...........................................0...........s....}.....r...p}.....r...p}.....r...p}......}.....(....}.....(....}.....(....}......}.....s"...}......}.....(.......(......(....}.....{.........,...s ...}.....*...0..;.......sJ.....(!...}v.....}y.....}w.....}x.....}u....|v.....(...+*..0............{+...r...po#....(....r...po$.....W...%..,.o%......(....r+..po$.....W...%..,.o%.......{.....o#.....{.....o#....(&...rK..p('...((........W...%..,.o%
                                    Process:C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe
                                    File Type:ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):26
                                    Entropy (8bit):3.95006375643621
                                    Encrypted:false
                                    SSDEEP:3:ggPYV:rPYV
                                    MD5:187F488E27DB4AF347237FE461A079AD
                                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                    Malicious:false
                                    Preview:[ZoneTransfer]....ZoneId=0
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):7.937687229342054
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    • DOS Executable Generic (2002/1) 0.01%
                                    File name:4v7myD9mN2OaWZp.exe
                                    File size:769'024 bytes
                                    MD5:1c03282d15f52ed3095a5c64e7c2a78d
                                    SHA1:86530804a57608459d3ff6ffd2442758dc184f89
                                    SHA256:e7ca5b6e85e1d8cec45ab5d12640dcc7016d6ca9c27b0b8d66f119d4639874b2
                                    SHA512:ff866d1ed0b7766af3db5f8980e1c60aa72c32f8ac1bbce2728e5ce2e1d8a0c48a4658b2d6dcc0bda42e276f66c2b982701b520c810cbc3c9674d32ac6bc93d2
                                    SSDEEP:12288:Is8NBIu1GLMKsoXtsXVBwNlTqNwp1aUJbypdAt9XhyfOSlF8+50NgxkI:R8Nyuo/soXoVBwjgwp1bOCyGSlF8+5OU
                                    TLSH:C1F4220037A9CF37DA7F6BF8187828A103B135A6F428F74D9D9920C82715F4587A1E9B
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.................. ... ....@.. ....................... ............`................................
                                    Icon Hash:8b2f2f93b3a38178
                                    Entrypoint:0x4b0e8e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x661C85B4 [Mon Apr 15 01:41:08 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
                                    inc edi
                                    aaa
                                    cmp byte ptr [edi], dh
                                    inc edi
                                    pop edx
                                    dec edx
                                    xor eax, 31554837h
                                    push ecx
                                    inc edx
                                    xor byte ptr [eax], bh
                                    inc ebp
                                    xor eax, 004A5135h
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                     Name                                  Virtual Address  Virtual Size  Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_IMPORT          0xb0e3c          0x4f          .text
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE        0xb2000          0xc61c        .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc0000          0xc           .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                     IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                     Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity  File Type  Entropy              Characteristics
                                     .text   0x2000           0xaeeac       0xaf000   98ca74a293ea282d39004238d093a212  False     0.94849609375    data       7.942277485262483    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rsrc   0xb2000          0xc61c        0xc800    2b7f50fe2e27108fa4f4864ddbcba05e  False     0.9658984375     data       7.903181940996179    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc  0xc0000          0xc           0x200     11642e4a9e48e70b29b83ba6aa3ae2e9  False     0.044921875      data       0.08153941234324169  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     Name           RVA      Size    Type                                                                               Language  Country  ZLIB Complexity
                                     RT_ICON        0xb2100  0xbfb9  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                            0.9901998736782054
                                     RT_GROUP_ICON  0xbe0cc  0x14    data                                                                                                   1.1
                                     RT_VERSION     0xbe0f0  0x32c   data                                                                                                   0.4482758620689655
                                     RT_MANIFEST    0xbe42c  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347
                                     DLL          Import
                                     mscoree.dll  _CorExeMain
                                    TimestampSource PortDest PortSource IPDest IP
                                    Apr 18, 2024 22:35:07.692651033 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:08.037513018 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:08.037653923 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:08.730602980 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:08.731512070 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:09.076284885 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:09.076459885 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:09.422821045 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:09.427187920 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:09.686801910 CEST49711587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:09.780085087 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:09.780148983 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:09.780189037 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:09.780225039 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:09.780245066 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:09.780586004 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:09.782396078 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:09.820755005 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:10.032252073 CEST58749711203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:10.032491922 CEST49711587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:10.166321993 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:10.180419922 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:10.381711006 CEST58749711203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:10.381934881 CEST49711587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:10.525082111 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:10.525949001 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:10.727372885 CEST58749711203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:10.727586031 CEST49711587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:10.871089935 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:10.876271963 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:11.074789047 CEST58749711203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:11.078078985 CEST49711587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:11.226083994 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:11.226511002 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:11.431603909 CEST58749711203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:11.431629896 CEST58749711203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:11.431657076 CEST58749711203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:11.431751966 CEST49711587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:11.431819916 CEST58749711203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:11.431895018 CEST49711587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:11.434056997 CEST58749711203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:11.435962915 CEST49711587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:11.571216106 CEST58749708203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:11.573618889 CEST49708587192.168.2.5203.175.171.5
                                    Apr 18, 2024 22:35:11.781521082 CEST58749711203.175.171.5192.168.2.5
                                    Apr 18, 2024 22:35:11.794255972 CEST49711587192.168.2.5203.175.171.5
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Apr 18, 2024 22:35:06.754538059 CEST | 51471 | 53 | 192.168.2.5 | 1.1.1.1
                                     Apr 18, 2024 22:35:07.685604095 CEST | 53 | 51471 | 1.1.1.1 | 192.168.2.5

                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                     Apr 18, 2024 22:35:06.754538059 CEST | 192.168.2.5 | 1.1.1.1 | 0xcb | Standard query (0) | mail.pbjv.net | A (IP address) | IN (0x0001) | false

                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Apr 18, 2024 22:35:07.685604095 CEST | 1.1.1.1 | 192.168.2.5 | 0xcb | No error (0) | mail.pbjv.net | pbjv.net | | CNAME (Canonical name) | IN (0x0001) | false
                                     Apr 18, 2024 22:35:07.685604095 CEST | 1.1.1.1 | 192.168.2.5 | 0xcb | No error (0) | pbjv.net | | 203.175.171.5 | A (IP address) | IN (0x0001) | false

                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                     Apr 18, 2024 22:35:08.730602980 CEST | 587 | 49708 | 203.175.171.5 | 192.168.2.5 | 220-bh.pbjv.net ESMTP Exim 4.96.2 #2 Fri, 19 Apr 2024 04:35:08 +0800
                                         220-We do not authorize the use of this system to transport unsolicited,
                                         220 and/or bulk e-mail.
                                     Apr 18, 2024 22:35:08.731512070 CEST | 49708 | 587 | 192.168.2.5 | 203.175.171.5 | EHLO 767668
                                     Apr 18, 2024 22:35:09.076284885 CEST | 587 | 49708 | 203.175.171.5 | 192.168.2.5 | 250-bh.pbjv.net Hello 767668 [81.181.57.52]
                                         250-SIZE 52428800
                                         250-8BITMIME
                                         250-PIPELINING
                                         250-PIPECONNECT
                                         250-AUTH PLAIN LOGIN
                                         250-STARTTLS
                                         250 HELP
                                     Apr 18, 2024 22:35:09.076459885 CEST | 49708 | 587 | 192.168.2.5 | 203.175.171.5 | STARTTLS
                                     Apr 18, 2024 22:35:09.422821045 CEST | 587 | 49708 | 203.175.171.5 | 192.168.2.5 | 220 TLS go ahead
                                     Apr 18, 2024 22:35:10.381711006 CEST | 587 | 49711 | 203.175.171.5 | 192.168.2.5 | 220-bh.pbjv.net ESMTP Exim 4.96.2 #2 Fri, 19 Apr 2024 04:35:10 +0800
                                         220-We do not authorize the use of this system to transport unsolicited,
                                         220 and/or bulk e-mail.
                                     Apr 18, 2024 22:35:10.381934881 CEST | 49711 | 587 | 192.168.2.5 | 203.175.171.5 | EHLO 767668
                                     Apr 18, 2024 22:35:10.727372885 CEST | 587 | 49711 | 203.175.171.5 | 192.168.2.5 | 250-bh.pbjv.net Hello 767668 [81.181.57.52]
                                         250-SIZE 52428800
                                         250-8BITMIME
                                         250-PIPELINING
                                         250-PIPECONNECT
                                         250-AUTH PLAIN LOGIN
                                         250-STARTTLS
                                         250 HELP
                                     Apr 18, 2024 22:35:10.727586031 CEST | 49711 | 587 | 192.168.2.5 | 203.175.171.5 | STARTTLS
                                     Apr 18, 2024 22:35:11.074789047 CEST | 587 | 49711 | 203.175.171.5 | 192.168.2.5 | 220 TLS go ahead

                                    Target ID:0
                                    Start time:22:35:03
                                    Start date:18/04/2024
                                    Path:C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe"
                                    Imagebase:0x60000
                                    File size:769'024 bytes
                                    MD5 hash:1C03282D15F52ED3095A5C64E7C2A78D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2064994079.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2064994079.00000000036CE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:true

                                    Target ID:3
                                    Start time:22:35:04
                                    Start date:18/04/2024
                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\jgHHGmfF.exe"
                                    Imagebase:0xc80000
                                    File size:433'152 bytes
                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:4
                                    Start time:22:35:04
                                    Start date:18/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:22:35:04
                                    Start date:18/04/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp3C3F.tmp"
                                    Imagebase:0xcb0000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:22:35:04
                                    Start date:18/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:7
                                    Start time:22:35:05
                                    Start date:18/04/2024
                                    Path:C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\4v7myD9mN2OaWZp.exe"
                                    Imagebase:0x470000
                                    File size:769'024 bytes
                                    MD5 hash:1C03282D15F52ED3095A5C64E7C2A78D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3286942756.000000000297A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3282959752.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3282959752.0000000000415000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3286942756.000000000294F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.3286942756.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.3286942756.0000000002901000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:false

                                    Target ID:8
                                    Start time:22:35:06
                                    Start date:18/04/2024
                                    Path:C:\Users\user\AppData\Roaming\jgHHGmfF.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Users\user\AppData\Roaming\jgHHGmfF.exe
                                    Imagebase:0x6a0000
                                    File size:769'024 bytes
                                    MD5 hash:1C03282D15F52ED3095A5C64E7C2A78D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Antivirus matches:
                                    • Detection: 100%, Avira
                                    • Detection: 61%, ReversingLabs
                                    Reputation:low
                                    Has exited:true

                                    Target ID:9
                                    Start time:22:35:06
                                    Start date:18/04/2024
                                    Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                    Imagebase:0x7ff6ef0c0000
                                    File size:496'640 bytes
                                    MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                    Has elevated privileges:true
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:10
                                    Start time:22:35:07
                                    Start date:18/04/2024
                                    Path:C:\Windows\SysWOW64\schtasks.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jgHHGmfF" /XML "C:\Users\user\AppData\Local\Temp\tmp493F.tmp"
                                    Imagebase:0xcb0000
                                    File size:187'904 bytes
                                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:11
                                    Start time:22:35:07
                                    Start date:18/04/2024
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff6d64d0000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:12
                                    Start time:22:35:08
                                    Start date:18/04/2024
                                    Path:C:\Users\user\AppData\Roaming\jgHHGmfF.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\AppData\Roaming\jgHHGmfF.exe"
                                    Imagebase:0xfe0000
                                    File size:769'024 bytes
                                    MD5 hash:1C03282D15F52ED3095A5C64E7C2A78D
                                    Has elevated privileges:false
                                    Has administrator privileges:false
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3287087422.000000000350E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3287087422.0000000003539000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.3287087422.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.3287087422.00000000034C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:false

                                      Execution Graph

                                      Execution Coverage:9.7%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:44
                                      Total number of Limit Nodes:3
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2069854121.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6840000_4v7myD9mN2OaWZp.jbxd
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2069854121.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6840000_4v7myD9mN2OaWZp.jbxd
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 0230E11E
                                      • GetCurrentThread.KERNEL32 ref: 0230E15B
                                      • GetCurrentProcess.KERNEL32 ref: 0230E198
                                      • GetCurrentThreadId.KERNEL32 ref: 0230E1F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 0230E11E
                                      • GetCurrentThread.KERNEL32 ref: 0230E15B
                                      • GetCurrentProcess.KERNEL32 ref: 0230E198
                                      • GetCurrentThreadId.KERNEL32 ref: 0230E1F1
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0230C086
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 023059C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 023059C9
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0230E36F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0230E36F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0230C101,00000800,00000000,00000000), ref: 0230C2F2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0230C101,00000800,00000000,00000000), ref: 0230C2F2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 0230C086
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2053949501.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7fd000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2054040250.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_80d000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2054040250.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_80d000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2053949501.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7fd000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2054040250.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_80d000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2054040250.000000000080D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0080D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_80d000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2053949501.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7fd000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2053949501.00000000007FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 007FD000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7fd000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2069854121.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6840000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2069854121.0000000006840000.00000040.00000800.00020000.00000000.sdmp, Offset: 06840000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_6840000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2056708865.0000000002300000.00000040.00000800.00020000.00000000.sdmp, Offset: 02300000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2300000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LR]q$LR]q
                                      • API String ID: 0-3917262905
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PH]q
                                      • API String ID: 0-3168235125
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LR]q
                                      • API String ID: 0-3081347316
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LR]q
                                      • API String ID: 0-3081347316
                                      • Opcode ID: c7baba055816af3a937ae0cb5dd8ce509fb0e779d21bdbe318b8e60da1b0ce0b
                                      • Instruction ID: 68720b9532ddce4ffc679a862090f2be9a747081d162fc01f4434fd3b26b1994
                                      • Opcode Fuzzy Hash: c7baba055816af3a937ae0cb5dd8ce509fb0e779d21bdbe318b8e60da1b0ce0b
                                      • Instruction Fuzzy Hash: BB11C6306092805FC316AB79C45465EBFF6DF8B700B0448EFD085CB292DA35984AC792
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 58707c2c6f0212811e430548c94857d5dc073887ebd2f61e63c002c5c31d5d65
                                      • Instruction ID: cfcb533ab7cac7eba990f98f8b3752498519d2dfa1845b12f47164e504750227
                                      • Opcode Fuzzy Hash: 58707c2c6f0212811e430548c94857d5dc073887ebd2f61e63c002c5c31d5d65
                                      • Instruction Fuzzy Hash: 6F12BF347512019FCB19AB38E45862C37EAFB85344B284979E102CBBA5DF39DC4AD791
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 56345498fb6218e35e37e3a53ebe33b351b0ec242001fbbad811518c7a6a491f
                                      • Instruction ID: 1948d8842e62ab75af2d4ed0e1c4d2afc496d1d40af2246311e93f12b20df535
                                      • Opcode Fuzzy Hash: 56345498fb6218e35e37e3a53ebe33b351b0ec242001fbbad811518c7a6a491f
                                      • Instruction Fuzzy Hash: 23C1AC75A002058FDB14CFA9D5807AEBBF6FB88310F2485AAE409DB395DB38DC45CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 86e5491f484568310a298ca6c44812ba5ea2d3d15b32503bbd0e40b362ea36a6
                                      • Instruction ID: 25a9404cdd9177496924144006b1de87f7e265b38fbb2439a2295c4f1eeac196
                                      • Opcode Fuzzy Hash: 86e5491f484568310a298ca6c44812ba5ea2d3d15b32503bbd0e40b362ea36a6
                                      • Instruction Fuzzy Hash: E3C16E34A002058FCB15DF68D594AADBBF6FF88310F1485A9E80AEB395DB39DD42CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ffdb207d538fcda24724ca7431704e4dd28805cf6321dd539361d85dce587257
                                      • Instruction ID: 0e20be37522fbdfd7471b8436a8c947cb225d6e4c43426d6ecf7f1a4fcb55bc1
                                      • Opcode Fuzzy Hash: ffdb207d538fcda24724ca7431704e4dd28805cf6321dd539361d85dce587257
                                      • Instruction Fuzzy Hash: 77B13C70E00609CFDF10DFA9C98579DBBF2EF88304F248169E819A7254EB789885CF95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3aeb2f9c3dd271b750882cb3ca678e57a3d12a6f6161bf22cdeca238666f75f5
                                      • Instruction ID: ddde75568832723480127a51cc779509b2f38d9a9ff9df673d4e7aff49aa9e10
                                      • Opcode Fuzzy Hash: 3aeb2f9c3dd271b750882cb3ca678e57a3d12a6f6161bf22cdeca238666f75f5
                                      • Instruction Fuzzy Hash: 6DB14A70E00609CFDF10CFA9D9817EDBBF1EF88314F288569D819A7254EB789885CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7266393373a1fc285abffc21a8bac045f7d3510f1a021f95fe4eddc93916946e
                                      • Instruction ID: 901abfa76f1893133fa0ec4f9cdee1127ba2e68596bbea30c9f66fafa8379298
                                      • Opcode Fuzzy Hash: 7266393373a1fc285abffc21a8bac045f7d3510f1a021f95fe4eddc93916946e
                                      • Instruction Fuzzy Hash: 92A16871E00609DFDF10CFA8C9817DEBBF2EF88714F148169E419A7254EB789986CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b2d4176a6ebedd9b94a73895eebefaeb456f4eecef84d8667df674ccc2e968f9
                                      • Instruction ID: cb0ae03abff3b20d4784c7e9962e1c02f1e064194ea33103c398d81627ca0f37
                                      • Opcode Fuzzy Hash: b2d4176a6ebedd9b94a73895eebefaeb456f4eecef84d8667df674ccc2e968f9
                                      • Instruction Fuzzy Hash: C27189B0E00649DFDB10DFA9C9817DEBBF2FF88314F148169E418A7290EB789841CB95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 96139cf1366545ce6d0e4fdd03522b0e0afaca11c552305880de8a3363e0a213
                                      • Instruction ID: 05099715eef5b0370affc15193bc255cef4e55a3c9160ee72799036173151559
                                      • Opcode Fuzzy Hash: 96139cf1366545ce6d0e4fdd03522b0e0afaca11c552305880de8a3363e0a213
                                      • Instruction Fuzzy Hash: FC719AB0E00649DFDF14DFA9C98179EBBF2FF88304F148129E418A7294EB389841CB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 638c4144bfca59276ec2dccb45b6794a81a1a036b51fdf028400e1aa2f4df25c
                                      • Instruction ID: ee11d82e685e666725589cba1030a7af6f5226068be0d6402b118a779cfb5d13
                                      • Opcode Fuzzy Hash: 638c4144bfca59276ec2dccb45b6794a81a1a036b51fdf028400e1aa2f4df25c
                                      • Instruction Fuzzy Hash: 42510475E102188FDB18CFA9C885BADBBF1FF48304F148169E819BB291D778A845CF95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b2d7a566ab1840a3e54b3190d0a12020bad47a4cc904f2a40516c7b84896cca2
                                      • Instruction ID: 1714b9323239f681552e391c4ec300f5d2aaefb49f19338bec4d4136796dc639
                                      • Opcode Fuzzy Hash: b2d7a566ab1840a3e54b3190d0a12020bad47a4cc904f2a40516c7b84896cca2
                                      • Instruction Fuzzy Hash: 42511375E002188FDB18DFA9C885B9DBBF1FF48304F148169E819BB391D778A844CB95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 66ff972647a89b2a92ed985d61ed5c4d42eeea07ebe0cf51876664a61f2c35e5
                                      • Instruction ID: f42f3a0246d647164561a39d0e614e65949a7b31c19cde00e7ffca37d55b4936
                                      • Opcode Fuzzy Hash: 66ff972647a89b2a92ed985d61ed5c4d42eeea07ebe0cf51876664a61f2c35e5
                                      • Instruction Fuzzy Hash: 7251EA3021A241CFCB0AEF78F9C49853F65FF96B083409969D1855F23EDB306949DB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ba8070b0c5c0a52b191d742bebb2bd5370442634c7fbeaf0ed87df8932d13a42
                                      • Instruction ID: 607627d9cab4fc6398e1628828c42fb4f5f0328377e82c33f4cb9591c3a7ae38
                                      • Opcode Fuzzy Hash: ba8070b0c5c0a52b191d742bebb2bd5370442634c7fbeaf0ed87df8932d13a42
                                      • Instruction Fuzzy Hash: DC51C97121A141CFCB0AFF78F9C4A493F6AFF96B083408969D1855F23EDB646909DB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d4bce22c62258b518269bbac7a73608b8f9a1e9933d69f7b4bbc8e63e645eb07
                                      • Instruction ID: 1f57498aede54290c43950bde74e1dbe6985e8f2bd417856a79049fb8ee081ed
                                      • Opcode Fuzzy Hash: d4bce22c62258b518269bbac7a73608b8f9a1e9933d69f7b4bbc8e63e645eb07
                                      • Instruction Fuzzy Hash: 50315B35E002068FCB19CFA5E4946AEBBF2EF89300F108569E906EB350DF74AD46CB55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6f895f4efe398c489580d84fff379596364bf8558133201f5e79ebc4322c8f66
                                      • Instruction ID: d4ecfe770248644fc50cc8ed4cf639201b2ac3c29b99b89070ac12c87c3f9422
                                      • Opcode Fuzzy Hash: 6f895f4efe398c489580d84fff379596364bf8558133201f5e79ebc4322c8f66
                                      • Instruction Fuzzy Hash: B0316E35E1020A9BCB19CFA5E4946AEB7F6FF89300F108529E906EB350DF74AC46CB55
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a71a84b372678598e744ce217b9931f7c2ad1738220e4e0d5a73c37efbdf2bf8
                                      • Instruction ID: 45f3440afae386010f5d500e6357752ea687015759d1858a2d1531e81dce1bf4
                                      • Opcode Fuzzy Hash: a71a84b372678598e744ce217b9931f7c2ad1738220e4e0d5a73c37efbdf2bf8
                                      • Instruction Fuzzy Hash: 62410FB4D00649DFDB14DFA9C584ADEBFF5FF48300F24846AE409AB264DB39A945CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 56d5b71f6eec031637550fdc59bf85e30ed21d2068d190b70963d4ab9dbb4d72
                                      • Instruction ID: 54a494afd34ad27ff4b485bc95423e9831ee1bf0b7a820bbf418110f0cc34d73
                                      • Opcode Fuzzy Hash: 56d5b71f6eec031637550fdc59bf85e30ed21d2068d190b70963d4ab9dbb4d72
                                      • Instruction Fuzzy Hash: D1410EB4D003489FDB14DFA9C884ADEBFF5FF48310F208029E809AB254DB79A945CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 038a59fe13546e68ad61ff584dd0086e9c49f22e74d0eab34c4eecb8f7caf2a2
                                      • Instruction ID: 536a322a4d6a6d7f9fb45ddf17f9259bc209223347d244fe995ea8bf508cdaed
                                      • Opcode Fuzzy Hash: 038a59fe13546e68ad61ff584dd0086e9c49f22e74d0eab34c4eecb8f7caf2a2
                                      • Instruction Fuzzy Hash: 3E314C30A056158FDB28EB78C9647AE77F6EF49744F1009A8D402AB399DF3ADC41CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c9db90552afb3e517701d487505d84ed814107156c8de804b28b856ff4ca88cc
                                      • Instruction ID: 7e6a5a9919264d5147404e7e66689d734bc074cf5520617be38b13f3cbfcd81d
                                      • Opcode Fuzzy Hash: c9db90552afb3e517701d487505d84ed814107156c8de804b28b856ff4ca88cc
                                      • Instruction Fuzzy Hash: A8315C306056158FDF28EB74C5647AE77F2EF49344F1009A8D441AB3A5DF3A9D42CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f206cd6e69ac6995e03ff8c60f3ab7ae2185553a2e1ede316b1cb917c602267d
                                      • Instruction ID: daa7416cba88fb946a110395be7b5fe9dd4c11717c64f44cad7bc5f827f96625
                                      • Opcode Fuzzy Hash: f206cd6e69ac6995e03ff8c60f3ab7ae2185553a2e1ede316b1cb917c602267d
                                      • Instruction Fuzzy Hash: D821A371A012115FDF31AB7D94952AEBBE1EB54315F1808F9E40AD7341DA3DCD818B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d19144bc3f02682c78400313938d78137dedb74f426a54a26d2ea4f874fb393c
                                      • Instruction ID: 10f98d01be9b913bd91d0b82e9ad618c09bde3ea4830619ed61bdc93d0b636da
                                      • Opcode Fuzzy Hash: d19144bc3f02682c78400313938d78137dedb74f426a54a26d2ea4f874fb393c
                                      • Instruction Fuzzy Hash: 1321C474A462405FEB326B7C94847293BE5EB12315F080CEAE04ACB3D1DB6D8C89C751
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c56458c27cbd05717a7b87f06754befaa47d25756841ef7c5102d039fe952ef1
                                      • Instruction ID: d3cc2c7749b7276ad160dea6f31d1b2b8d63ad37654b8d04ae42049e412d0714
                                      • Opcode Fuzzy Hash: c56458c27cbd05717a7b87f06754befaa47d25756841ef7c5102d039fe952ef1
                                      • Instruction Fuzzy Hash: 3621BA785041005FDB16EB7CE8C8B6937A9EB55308F184EA5D00ACB279E72CCC4ACB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ea3b69888ad061f0d64b6b09cd90a71cf5869f8a8d32bead46698be22b58635d
                                      • Instruction ID: 053f2ec2c863e569429715b4a3cbb1f21aa779a682e9c14dc90e49ddd329180d
                                      • Opcode Fuzzy Hash: ea3b69888ad061f0d64b6b09cd90a71cf5869f8a8d32bead46698be22b58635d
                                      • Instruction Fuzzy Hash: DA31D531E00206ABCB09CF64D4545EEB7F6EF8A300F24855AE855BB340DB74AD46CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 03a47535fc3db32a7f17190466474ed83c4567672dbd9bad5c90706e0d4a29a4
                                      • Instruction ID: 9f17169822575dd8d043600aabdc9c8b36f8642ba47b4d91e61ec9821662bc71
                                      • Opcode Fuzzy Hash: 03a47535fc3db32a7f17190466474ed83c4567672dbd9bad5c90706e0d4a29a4
                                      • Instruction Fuzzy Hash: DC314B31E002069BCB09DFA4D59069EBBF6EF89304F14855AE805EB290EB749C46CB85
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e9cc91507cf109910e845bc17ffe2caac96b5c34e7a3c3cf2864cebbad4aedcd
                                      • Instruction ID: 09cb0bd09e75c80d484713d30234c1ae573e8ea3fe71b8203957fc6a1bb30669
                                      • Opcode Fuzzy Hash: e9cc91507cf109910e845bc17ffe2caac96b5c34e7a3c3cf2864cebbad4aedcd
                                      • Instruction Fuzzy Hash: 98214B31E0020A9BCB09CFA5D49069EBBF6FF89304F14C659E905EB354DB749C46CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283633079.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b1d000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b29d31c30a8e5cae3a25f42c1a60a60e077d05bac78cdba197bdfe71cfc9da3d
                                      • Instruction ID: d99399790772c610be96f6209c2ec063fde2e9235c57bb45a7882c219db87e13
                                      • Opcode Fuzzy Hash: b29d31c30a8e5cae3a25f42c1a60a60e077d05bac78cdba197bdfe71cfc9da3d
                                      • Instruction Fuzzy Hash: A3213471604204DFCB14DF14D9D8F26BBA5FB88314F70C6ADD8094B296C33AD887CA62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 14eee38585ad5f4acdd941737ae4165260e7006dd0053fa72edb074d27cfa8cd
                                      • Instruction ID: c33218a133705a0a8904a7ea13a76dc6844050f6823c999c0e1543d015ea0755
                                      • Opcode Fuzzy Hash: 14eee38585ad5f4acdd941737ae4165260e7006dd0053fa72edb074d27cfa8cd
                                      • Instruction Fuzzy Hash: 3C213B30A05205CFDB14EB78C5697AE77F1EF49345F1408A9D045EB2A4DB3A8D41DBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 79b81a07d245a6215fa498fcbfd15dcaf1877a697094aa8ee3f9e38b4b5cdb5d
                                      • Instruction ID: a235006d7203c9f1a4ad2bb8bc508b9dabbfa19903d37fdafc41db8a5df5765d
                                      • Opcode Fuzzy Hash: 79b81a07d245a6215fa498fcbfd15dcaf1877a697094aa8ee3f9e38b4b5cdb5d
                                      • Instruction Fuzzy Hash: 14212834600605CFDB64EF78D558A9EB7F1EF49704F2004A8E406EB3A5DB369D45CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 57b3ef6aa76a4a42b7c7474348bc279148904c4390f16303a5a7d1c619047e42
                                      • Instruction ID: 22003d5f52132a7bb3d57e331b4d123ad507b8270f2c5d57c947d2ed49e46d82
                                      • Opcode Fuzzy Hash: 57b3ef6aa76a4a42b7c7474348bc279148904c4390f16303a5a7d1c619047e42
                                      • Instruction Fuzzy Hash: E3218031E0060A9BCB08CFA5D85469EB7F6EF89300F20855AEC15FB350DB749D46CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d1b98c66142bd82ab46f804021174cd9387a79db2ce3b194c07e2583c9efe723
                                      • Instruction ID: b8636964e7b36f180c7868fbe38c579cab7a6d0d6df0997abf9610458d7b1189
                                      • Opcode Fuzzy Hash: d1b98c66142bd82ab46f804021174cd9387a79db2ce3b194c07e2583c9efe723
                                      • Instruction Fuzzy Hash: 2A213C30B042058FDB14EB78C5657AE77F6EF49345F1408A9D406EB2A4DF3A9D41CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f99db1c4d1152e7e9766cb5c81d48931dc6488dbf6b633028064ccbbf848ccc
                                      • Instruction ID: 3daee28611e6fcbcf200a956ef1c473b6b582232e1e3ee5295b0aec135e0bcb9
                                      • Opcode Fuzzy Hash: 4f99db1c4d1152e7e9766cb5c81d48931dc6488dbf6b633028064ccbbf848ccc
                                      • Instruction Fuzzy Hash: 322154786141015FDF16EB68F884B69379AEB45308F144E75D00ACB279DB68DC4ACB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 39b750c01d596250fb4438838192f55fb9d419795395d6d29caf5b912e489f40
                                      • Instruction ID: 22d6309f091eebc94be8f4771a6d36094d951e99fddd7bae0ce2a15a1b46953b
                                      • Opcode Fuzzy Hash: 39b750c01d596250fb4438838192f55fb9d419795395d6d29caf5b912e489f40
                                      • Instruction Fuzzy Hash: FF21E934600609CFDB64EB78D959A9E77F1EF49704F2044A8E406EB3A5DB75DD01CB90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9cc870c4ca4a71881eb29e81a8b2d17ead32a39b10c45315d6bbf0eb7aa6f605
                                      • Instruction ID: 1ac63cfefe1261ad3b0799d1bb3f06a25325c5730e04a3a53c3be2dfa2111e79
                                      • Opcode Fuzzy Hash: 9cc870c4ca4a71881eb29e81a8b2d17ead32a39b10c45315d6bbf0eb7aa6f605
                                      • Instruction Fuzzy Hash: 6511C130A243044BEF21BA7AD85036F76D5EB52354F1089FAD006CF292EA29CC858BD1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e9ae3ee44395a7ed8333d20384c6541e2069118b5494e77670d1e2de6749fe3a
                                      • Instruction ID: b0f06266a34453cc5180b55c30e5da10875f24148e8b3a535587a47538dc5e71
                                      • Opcode Fuzzy Hash: e9ae3ee44395a7ed8333d20384c6541e2069118b5494e77670d1e2de6749fe3a
                                      • Instruction Fuzzy Hash: E4119130B202044FEF64FA7AE84472F76D5EB95354F2049B9D006CF2A5EA69CD858BD1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b4e892fa8db423498e3aac4b6619bfc6f28efb50e62c390ce9762a704d9b6062
                                      • Instruction ID: b3db22cda6760ac0700d25dc4d89cdada1c993ab6415f97f5e2d151c39ceda44
                                      • Opcode Fuzzy Hash: b4e892fa8db423498e3aac4b6619bfc6f28efb50e62c390ce9762a704d9b6062
                                      • Instruction Fuzzy Hash: C811C279F01211DFDF60AB79984865EBBF5EF48710F144D79E949D7340EA348842C781
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283633079.0000000000B1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B1D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b1d000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                      • Instruction ID: e74a7003c5dc28891af3d889b2c20acdcae0462177931fa0e00d38770e6d8f96
                                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                      • Instruction Fuzzy Hash: AD11BB75504280DFCB12CF14D5D4B15BBA2FB88314F28C6AAD8498B656C33AD88ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 91767d471bdf406b581164ca5e78b27b2ecdc47d1a040a6b9041274c8bf41111
                                      • Instruction ID: f9c0f7ccc371f15b72a0736cfe47eb95a2071f00e4bf25b14bdd953b8a219514
                                      • Opcode Fuzzy Hash: 91767d471bdf406b581164ca5e78b27b2ecdc47d1a040a6b9041274c8bf41111
                                      • Instruction Fuzzy Hash: 97014431A102159FCB25EFB9845119EB7F5EF58310F1444B9E806E7302EB79D9418B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2090d02ae4fce70fe0c9b10ecbcba8faa510a9c95e0c723ccf8d7d63d4655cc4
                                      • Instruction ID: a058c786a5d9a283d798e77fd0855ccbd8c9acd24900211fbc510e1cc592184e
                                      • Opcode Fuzzy Hash: 2090d02ae4fce70fe0c9b10ecbcba8faa510a9c95e0c723ccf8d7d63d4655cc4
                                      • Instruction Fuzzy Hash: 6911C435A102048FCB04DFA4E98578A7BEAFF84710F5581B5C8085B29AE778DD46C791
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2bb872be95ce7a0a2d261d6216abf3305c6570dff68698d32b6538d28d760aa8
                                      • Instruction ID: b8eaa13ee6b46218b8f78e17cf8785e88857102ed63956269b2321b7a7cc7acc
                                      • Opcode Fuzzy Hash: 2bb872be95ce7a0a2d261d6216abf3305c6570dff68698d32b6538d28d760aa8
                                      • Instruction Fuzzy Hash: 6E110930D10A09DFCF24EA94D98A7EDBBF2EF62319F1414AAD011B2191DB784CC6CB16
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 406a6d2792ca707e3446f4a1d20025af4615b73e6fa17c86acf7d8b6e1803b6b
                                      • Instruction ID: cfeb4c64dcaa2b86a9f6271c4a163b354003b8497cd4ef3bab3cc16867d842a5
                                      • Opcode Fuzzy Hash: 406a6d2792ca707e3446f4a1d20025af4615b73e6fa17c86acf7d8b6e1803b6b
                                      • Instruction Fuzzy Hash: 2A012130904209DFCB09EFB4F98599D7BB9DF41708B4045B9C4089F2A6EB356A09CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0899bd3604e31ce9e7595be851d54392dd24f6f66ac537406c8fc8ed3846654e
                                      • Instruction ID: 8eced7422d14ec1566f4b7e56bf392e50a6869d2725597c5e19bfd6f24d192d6
                                      • Opcode Fuzzy Hash: 0899bd3604e31ce9e7595be851d54392dd24f6f66ac537406c8fc8ed3846654e
                                      • Instruction Fuzzy Hash: 8BF0F637A041508FCB229BA894921ACBBE1EEA4311B1C44E7D407DB312D769D906CB11
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 260bb24bc8c38667b8f23f3cb680d5f4f0689843632691caaf9c31415c054090
                                      • Instruction ID: a380b2c135f17b76a4a5aa8cb9a8d645763ebeb4fa998f10f7b5b7e768c8b8a6
                                      • Opcode Fuzzy Hash: 260bb24bc8c38667b8f23f3cb680d5f4f0689843632691caaf9c31415c054090
                                      • Instruction Fuzzy Hash: 82F0B239B40218CFC714DB64D598A6C77B2EB88619F1044A8E506DB3A0CB35AD46CB40
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000007.00000002.3283890524.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_7_2_b60000_4v7myD9mN2OaWZp.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: db3db080b2c8e720aee14156e4e871e6638723f8b45cf21aceae58efefc2c099
                                      • Instruction ID: f8a0b10ca3b30110001d0232073fc938cafe9e2f7aa5ad1e91c16cc05168a30a
                                      • Opcode Fuzzy Hash: db3db080b2c8e720aee14156e4e871e6638723f8b45cf21aceae58efefc2c099
                                      • Instruction Fuzzy Hash: F3F03130910109DFCB09FFB4F985A9D7BBAEF40308F504679C4089B269EB316E09DB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage:9.9%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:171
                                      Total number of Limit Nodes:8
                                      execution_graph (flattened graph export, summarised per subgraph; node numbers omitted, addresses and API names as in the export, "->" = edge)
                                      • 85bc758 -> 85bc77e -> 85babe4 -> 85bc9d8 PostMessageW -> 85bca44 -> 85bc77e (alternate exit 85bc8e3)
                                      • eee2e8 DuplicateHandle -> eee37e
                                      • ee4668 -> ee467a -> ee4779 -> ee479d -> ee4888 / ee4879 -> ee48af -> ee44e4 -> ee5918 CreateActCtxA -> ee59db (alternate exits ee4686, ee498c)
                                      • eebd38 -> eebe21 -> eebe41 -> eec0c8 / eec0b8 -> eec0dc -> eeb858 -> eec288 LoadLibraryExW -> eec301 -> eec101 -> eebe5c -> eec068 GetModuleHandleW -> eec095 -> eebd47 (alternate exit eebe64)
                                      • 85b98bd -> 85b98c7 -> 85bb5d9 / 85bb5e8 -> 85bb602, which fans out to the injection primitives and returns through 85bb626 -> 85b9978:
                                        • 85bba36 -> 85b9458 / 85b944c -> 85b94e1 -> 85b9646 CreateProcessA -> 85b96a3
                                        • 85bbe52 -> 85bc6b8 / 85bc638 / 85bc67a / 85bc627 -> 85b9109 / 85b9110 -> 85b9150 VirtualAllocEx -> 85b918d -> 85bc66c -> 85bbbc9 -> 85b91c9 / 85b91d0 -> 85b9218 WriteProcessMemory -> 85bbbed
                                        • 85bbb38, 85bbb65, 85bbbb2 -> 85b91c9 / 85b91d0 -> 85b9218 WriteProcessMemory
                                        • 85bba8d, 85bbd00 -> 85bba95 -> 85b92b9 / 85b92c0 -> 85b930b ReadProcessMemory -> 85bbf41
                                        • 85bc11e -> 85b9038 / 85b9031 -> 85b907d Wow64SetThreadContext -> 85b90c5 -> 85bc0ec
                                        • 85bbaad, 85bc1fb -> 85b8f88 / 85b8f80 -> 85b8fc8 ResumeThread -> 85b8ff9 -> 85bc39f
                                        • 85bbc70 -> 85bbe18 -> Wow64SetThreadContext, then 85bbe33 -> ResumeThread -> 85bc39f
                                        (on the 85bb5e8 path the same callees appear only as summary nodes labelled "2 API calls" / "4 API calls")
                                      • eee0a0 -> eee0e6 GetCurrentProcess -> eee138 GetCurrentThread -> eee175 GetCurrentProcess -> eee1ab -> eee1d3 GetCurrentThreadId -> eee204
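Added example, not part of the Joe Sandbox report and not code from the analysed sample: a parser for the report's flattened execution_graph export (whitespace-separated `<node> <address> [ApiName ...]` declarations, `<a>-><b>` edges, and `<n> API calls` summary nodes) followed by a reachability check that flags every function from which all five process-hollowing primitives named in the graph (CreateProcessA, VirtualAllocEx, WriteProcessMemory, Wow64SetThreadContext, ResumeThread) can be reached. The embedded graph excerpt is constructed and abridged from the report's own node numbers, addresses and API names; the alias sets for the CreateProcessW / SetThreadContext variants are an assumption, not something the report shows.

```python
"""Added example (not code from the Joe Sandbox report or the sample it
describes): parse the report's flattened execution_graph export and flag
functions from which the full process-hollowing primitive set is reachable."""
import re
from collections import defaultdict

# Token shapes in the export: '<id> <addr> [ApiName ...]' declares a node,
# '<a>-><b>' is an edge, '<n> API calls' is a summary node without API names.
ADDR_RE = re.compile(r"^[0-9a-f]{5,8}$")
API_RE = re.compile(r"^[A-Z][A-Za-z0-9]+$")

# The five primitives of a hollowing/RunPE injection. The alias sets are an
# assumption so the same check also works on graphs that name the W variants.
HOLLOWING_STEPS = (
    ("create child process", {"CreateProcessA", "CreateProcessW"}),
    ("allocate in child", {"VirtualAllocEx"}),
    ("write payload", {"WriteProcessMemory"}),
    ("redirect thread context", {"SetThreadContext", "Wow64SetThreadContext"}),
    ("resume child", {"ResumeThread"}),
)

# Constructed, abridged excerpt in the export's own format. Node numbers,
# addresses and API names come from the report's graph; intermediate nodes
# were dropped, so some edges here collapse several original edges.
SAMPLE_GRAPH = """
execution_graph 34394 85bb602 34421 85bba8d 34394->34421 34449 85bba36 34394->34449
34471 85bbe52 34394->34471 34431 85bc11e 34394->34431 34426 85bbaad 34394->34426
34422 85bba95 34421->34422 34481 85b930b ReadProcessMemory 34422->34481
34512 85b9458 34449->34512 34514 85b9646 CreateProcessA 34512->34514
34520 85bc6b8 34471->34520 34542 85b9150 VirtualAllocEx 34520->34542
34473 85bbbc9 34520->34473 34474 85b91c9 WriteProcessMemory 34473->34474
34497 85b907d Wow64SetThreadContext 34431->34497
34489 85b8fc8 ResumeThread 34426->34489
34408 85bb602 34410 85bc1fb 2 API calls 34408->34410
34355 eee0a0 34356 eee0e6 GetCurrentProcess 34355->34356
"""


def parse_execution_graph(text):
    """Return (addr_by_node, apis_by_node, edges) for a flattened graph."""
    tokens = text.split()
    addr_by_node, apis_by_node, edges = {}, defaultdict(set), []
    current = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if "->" in tok:
            src, dst = tok.split("->")
            edges.append((int(src), int(dst)))
        elif tok.isdigit() and ADDR_RE.match(nxt):
            # node declaration: '<id> <addr>'; the address token is consumed here
            current = int(tok)
            addr_by_node[current] = nxt
            i += 1
        elif API_RE.match(tok) and tok != "API" and current is not None:
            # an API name belongs to the most recently declared node
            apis_by_node[current].add(tok)
        # anything else ('2', 'calls', 'execution_graph') is skipped
        i += 1
    return addr_by_node, apis_by_node, edges


def reachable_apis(start, succ, apis_by_node):
    """Union of the API names on every node reachable from start (DFS)."""
    seen, stack, found = set(), [start], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        found |= apis_by_node.get(node, set())
        stack.extend(succ.get(node, ()))
    return found


def hollowing_capable_functions(text):
    """Map node id -> (address, sorted reachable APIs) for every node from
    which all HOLLOWING_STEPS are reachable. Reachability follows the graph's
    edges, not execution order, so this is a capability check, not a trace."""
    addr_by_node, apis_by_node, edges = parse_execution_graph(text)
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    hits = {}
    for node, addr in addr_by_node.items():
        apis = reachable_apis(node, succ, apis_by_node)
        if all(names & apis for _, names in HOLLOWING_STEPS):
            hits[node] = (addr, sorted(apis))
    return hits


if __name__ == "__main__":
    for node, (addr, apis) in hollowing_capable_functions(SAMPLE_GRAPH).items():
        print(f"node {node} ({addr}) reaches: {', '.join(apis)}")
```

A hit means the function can drive the whole injection chain, which is what the report's "Injects a PE file into a foreign processes" signature describes, not that the calls were observed in that order: the export's edges are graph edges, not a timeline. Summary nodes such as "2 API calls" carry no names in the export, so the second copy of 85bb602 (node 34408), whose callees appear only as summaries, is correctly not credited.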

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph (flattened export, summarised; block numbers omitted): function at 00EEE090, basic blocks eee090-eee26d. API-calling blocks on the main path, in order: eee090-eee12f GetCurrentProcess, eee138-eee16c GetCurrentThread, eee175-eee1a9 GetCurrentProcess, eee1d3-eee202 GetCurrentThreadId; block eee1b2-eee1cd calls eee270. Each API block has a short alternative successor (eee131-eee137, eee16e-eee174, eee1ab-eee1b1, eee204-eee20a) that rejoins the main path; the function ends in block eee20b-eee26d.
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 00EEE11E
                                      • GetCurrentThread.KERNEL32 ref: 00EEE15B
                                      • GetCurrentProcess.KERNEL32 ref: 00EEE198
                                      • GetCurrentThreadId.KERNEL32 ref: 00EEE1F1
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2086332252.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ee0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: 01c50d0fa02baf75d6480be46a72d4ea45f73b897f7a4086d529d749ec468cc1
                                      • Instruction ID: d7bffd889b80b428d05d305fe32f0ba9b97fd8f01d229ebe2898bbda5a61d33d
                                      • Opcode Fuzzy Hash: 01c50d0fa02baf75d6480be46a72d4ea45f73b897f7a4086d529d749ec468cc1
                                      • Instruction Fuzzy Hash: 8D5147B0901349CFDB14DFAAD548BAEBBF1EF89304F208459D418A7361DB789985CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph (flattened export, summarised; block numbers omitted): function at 00EEE0A0, basic blocks eee0a0-eee26d, with the same structure as the graph for 00EEE090 above. API-calling blocks on the main path, in order: eee0a0-eee12f GetCurrentProcess, eee138-eee16c GetCurrentThread, eee175-eee1a9 GetCurrentProcess, eee1d3-eee202 GetCurrentThreadId; block eee1b2-eee1cd calls eee270. Each API block has a short alternative successor (eee131-eee137, eee16e-eee174, eee1ab-eee1b1, eee204-eee20a) that rejoins the main path; the function ends in block eee20b-eee26d.
                                      APIs
                                      • GetCurrentProcess.KERNEL32 ref: 00EEE11E
                                      • GetCurrentThread.KERNEL32 ref: 00EEE15B
                                      • GetCurrentProcess.KERNEL32 ref: 00EEE198
                                      • GetCurrentThreadId.KERNEL32 ref: 00EEE1F1
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2086332252.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ee0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: Current$ProcessThread
                                      • String ID:
                                      • API String ID: 2063062207-0
                                      • Opcode ID: 500ebf5f8b8597c10c6fd2e777bbcfdce7e4f1c6edce3cd30afca358e13cf100
                                      • Instruction ID: d319fdd9355ff9d1713b0847bad874dedcc51ec299824de11a875d3688be91a4
                                      • Opcode Fuzzy Hash: 500ebf5f8b8597c10c6fd2e777bbcfdce7e4f1c6edce3cd30afca358e13cf100
                                      • Instruction Fuzzy Hash: CA5155B0901349CFDB14DFAAD548BAEBBF1EF88304F208459D418A7360DB389984CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph (flattened export, summarised; block numbers omitted): function at 085B944C, basic blocks 85b944c-85b979d. From the entry block 85b944c-85b94ed, three optional branches, each containing a self-looping block (85b950d-85b951c, 85b9566-85b9575, 85b95ce-85b95dd), lead to block 85b95e7-85b96a1 CreateProcessA. After the call, block 85b96aa-85b9730 (or the short alternative 85b96a3-85b96a9) continues through a chain of small conditional blocks (85b9732-85b9796) into a self-looping block at 85b979d.
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 085B968E
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 1d06aae94246f54dc485818a2c0cf6a4dcbec0519a12dd9a793d33f3bcf3a2fe
                                      • Instruction ID: b9fc041f9065e8a180c343c96cd0beaac2dad940c55236ec538f875abc65f789
                                      • Opcode Fuzzy Hash: 1d06aae94246f54dc485818a2c0cf6a4dcbec0519a12dd9a793d33f3bcf3a2fe
                                      • Instruction Fuzzy Hash: 77A16A71D00219CFDB24DF68C841BEDBBF2BF49301F148569D909A7290EB749986CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                       Control-flow Graph
                                       • Basic blocks 85b9458-85b979d; CreateProcessA is called from block 85b95e7-85b96a1 (rendered graph not reproduced)
                                      APIs
                                      • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 085B968E
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: d4063021eebe366e5787934084bce2d6e4cc4fe519b1b84753a6982acc5b88fb
                                      • Instruction ID: 32d5d28348e6e496919d47f569a86e811b4e7a325f459cede11cd8038ba2d138
                                      • Opcode Fuzzy Hash: d4063021eebe366e5787934084bce2d6e4cc4fe519b1b84753a6982acc5b88fb
                                      • Instruction Fuzzy Hash: 7E915971D00219CFDB20DF69C841BEDBBF2BF49311F148569D909A7290EB749986CF91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00EEC086
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2086332252.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ee0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: b7346c3c151052769e93f97b86fd2572d097984995f7f9fbbeaa2de64e3e1aa3
                                      • Instruction ID: f8801900abcbd043c2f3fdf2ce56386b6d70283b0dffb857a69a37f4feecde08
                                      • Opcode Fuzzy Hash: b7346c3c151052769e93f97b86fd2572d097984995f7f9fbbeaa2de64e3e1aa3
                                      • Instruction Fuzzy Hash: E6814570A00B898FD724DF2AD44179BBBF5FF88304F108929E486E7A50D775E809CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2086332252.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ee0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 20c059045b9eb23e1be57cfd152992a652c424d2885925caf0bb55a60371b368
                                      • Instruction ID: ffcfc20fba4890df9eaed6f52b2fdaf3668aa4fd72553ab1e21fa0403b546964
                                      • Opcode Fuzzy Hash: 20c059045b9eb23e1be57cfd152992a652c424d2885925caf0bb55a60371b368
                                      • Instruction Fuzzy Hash: F3418872800A9DCEDB20CFA9C8457DEBBF1BF85318F24809AC419BB251CB76590ACF51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00EE59C9
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2086332252.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ee0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: cf205a14b82fe47bf6ff029576bcc2742a19634c8dab7bc6d085bf6dbad9ec1f
                                      • Instruction ID: f0bc6c1434a1e7932ee493631b6791d4a99dd81741732387f2f83b026651588a
                                      • Opcode Fuzzy Hash: cf205a14b82fe47bf6ff029576bcc2742a19634c8dab7bc6d085bf6dbad9ec1f
                                      • Instruction Fuzzy Hash: 7941E0B1C0075DCADB24DFAAC884B9EBBF5BF49708F20806AD418BB251DB756945CF90
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • CreateActCtxA.KERNEL32(?), ref: 00EE59C9
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2086332252.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ee0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: Create
                                      • String ID:
                                      • API String ID: 2289755597-0
                                      • Opcode ID: 495c5ce7c231aac8c9c0cc96fef9b9f9783f330ad1431838d9671f2dc907f906
                                      • Instruction ID: 212f6ecd7b00d9e30a4aef86a70a259d5949a9bfda0ff72f2bd87a9c019833dd
                                      • Opcode Fuzzy Hash: 495c5ce7c231aac8c9c0cc96fef9b9f9783f330ad1431838d9671f2dc907f906
                                      • Instruction Fuzzy Hash: 0A41E0B1C0065DCADB24CFAAC884ADEBBF1BF49308F20816AD418AB255DB75594ACF50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 085B9260
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 5e244f0dde8fa875c9f7482882dd161110145edf933df1946d1144920dcd714f
                                      • Instruction ID: be6929052c9ff36fec91aae3510a5fbe2f6b51c15f856aeb9206b9a46d4cbc8b
                                      • Opcode Fuzzy Hash: 5e244f0dde8fa875c9f7482882dd161110145edf933df1946d1144920dcd714f
                                      • Instruction Fuzzy Hash: EB2120B59002499FCB10DFAAD881BEEBBF5FF48310F10842AE919A7250C7789955CBA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 085BCA35
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 3d47cfaba1d6b0d152ea2face58c76b529fac1698a449abbf71353993047b2cd
                                      • Instruction ID: 6dcb4f5832f0d78624cf59114280ed6a54325b48a87bcf497ff0b49526409e3b
                                      • Opcode Fuzzy Hash: 3d47cfaba1d6b0d152ea2face58c76b529fac1698a449abbf71353993047b2cd
                                      • Instruction Fuzzy Hash: 9921A9B2D042198BEB20DFA9E8447EEBBF4FBA9701F14845ED405B7280C7786D05CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 085B9260
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 6c9214c186a63e4a164441638864ccaf3760a3d9237db8239809cbe80898f136
                                      • Instruction ID: 90dc854b596a2b149136a809ad9b82ff7a4bf2542978643e3c2fe28a8e1dbc0e
                                      • Opcode Fuzzy Hash: 6c9214c186a63e4a164441638864ccaf3760a3d9237db8239809cbe80898f136
                                      • Instruction Fuzzy Hash: 9F21E2B59002499FDB10DFAAC885BEEFBF5FF48310F10842AE919A7250D7789954CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 085B9340
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: e89f184d538076d7f823d41022e953aad180473ab432593f4f882e2e5f5798e0
                                      • Instruction ID: 55a0937e8f75ef4d8a43a67a964392f8c5f1f17b9058438027b3f8214d85f783
                                      • Opcode Fuzzy Hash: e89f184d538076d7f823d41022e953aad180473ab432593f4f882e2e5f5798e0
                                      • Instruction Fuzzy Hash: C32136B1C002499FDB10DFAAD881AEEFBF5FF48310F10842AE519A7650C7389545CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 085B90B6
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 5a6575683629716684dc272a76a2d565f07641713027c0ffbc5af5b7491d484d
                                      • Instruction ID: f412d891fab760018c39fd44ce94126b728ad0a60080207edfb4cd2c15c3ac19
                                      • Opcode Fuzzy Hash: 5a6575683629716684dc272a76a2d565f07641713027c0ffbc5af5b7491d484d
                                      • Instruction Fuzzy Hash: E62134B19002098FDB10DFAAC485BEEBFF4AF88314F14842AD519A7241C7789985CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EEE36F
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2086332252.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ee0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 272ddb09f9b409f254a21a6e7681dad120acfa3fa4b780320112b1d2e88369f2
                                      • Instruction ID: 95dfe74fda2ec4f08363e32ff56961e5d72ff8102e1f9e7c091d0dfdb3173163
                                      • Opcode Fuzzy Hash: 272ddb09f9b409f254a21a6e7681dad120acfa3fa4b780320112b1d2e88369f2
                                      • Instruction Fuzzy Hash: 1E21E5B5901248AFDB10CF9AD584ADEBBF5EB48310F14801AE918A7350D3789954CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 085B90B6
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 42c514111958f2ad62a146bbed64bc4d17eac4e138d64f72c70bedd818d47da2
                                      • Instruction ID: 1fdf0f3b807c7e8a67db264dee776e2226098aac6785cd9c07672eee28bbe531
                                      • Opcode Fuzzy Hash: 42c514111958f2ad62a146bbed64bc4d17eac4e138d64f72c70bedd818d47da2
                                      • Instruction Fuzzy Hash: 0D213771D002098FDB10DFAAC4857EEBBF4FF48314F108429D519A7240DB789944CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 085B9340
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: ef63507666150af04ae8acb61b05f831cabc0763b1965b3c146a7c1638938982
                                      • Instruction ID: 11086b199d158240a33cc37561b3115cf6dbbfabe741a86b73958846c68ac62d
                                      • Opcode Fuzzy Hash: ef63507666150af04ae8acb61b05f831cabc0763b1965b3c146a7c1638938982
                                      • Instruction Fuzzy Hash: BE2138B1C003499FCB10DFAAC880AEEFBF5FF48310F10842AE519A7250D7389940CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EEE36F
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2086332252.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ee0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: DuplicateHandle
                                      • String ID:
                                      • API String ID: 3793708945-0
                                      • Opcode ID: 17230f7c40e0220a70636702f8eab3a7b846cc7abbf8ddca0e438e586ccfee79
                                      • Instruction ID: 58af66ceb08e63618fde8f151cbd0b742d79030310ebdfe28b2fedb271c3c8db
                                      • Opcode Fuzzy Hash: 17230f7c40e0220a70636702f8eab3a7b846cc7abbf8ddca0e438e586ccfee79
                                      • Instruction Fuzzy Hash: 8621C4B5900248AFDB10DF9AD584AEEBBF9FB48310F14841AE918A3350D378A954CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 085B917E
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 121f0ebf82cb15ecdb4937a4782aef57882b7b1abe20fdafebdac24fee1465fa
                                      • Instruction ID: 76f1f32b7bb7221262eea0aca6131699dc972dde2b36ec7b43c3f5fc207eb09e
                                      • Opcode Fuzzy Hash: 121f0ebf82cb15ecdb4937a4782aef57882b7b1abe20fdafebdac24fee1465fa
                                      • Instruction Fuzzy Hash: 001189758002499FCB20DFA9C844AEFBFF5FF88310F208419D519A7250C7399545CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EEC101,00000800,00000000,00000000), ref: 00EEC2F2
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2086332252.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ee0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: debeea8f6b67ed5fd175644a5edc7b6e7feb9771a72eb4e7a6b0dd79df65f1d7
                                      • Instruction ID: eefef493cdce13e31bb679d15288516d42b21b05f8391c198b890d1dd26ad153
                                      • Opcode Fuzzy Hash: debeea8f6b67ed5fd175644a5edc7b6e7feb9771a72eb4e7a6b0dd79df65f1d7
                                      • Instruction Fuzzy Hash: 2B1126B6D007889FDB20DF9AC444ADEFBF4EB58314F10842AD919B7210C3B9A945CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EEC101,00000800,00000000,00000000), ref: 00EEC2F2
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2086332252.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ee0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: f686a61873d94baa84d5e271e2c600e347dec159028003d0960a27729c575845
                                      • Instruction ID: f1958e32161e4e8c30098df12150803ec453510a919841e8e980879db9b64cd7
                                      • Opcode Fuzzy Hash: f686a61873d94baa84d5e271e2c600e347dec159028003d0960a27729c575845
                                      • Instruction Fuzzy Hash: 021123B6C003888FDB20DF9AD444ADEFBF4EB98314F10842AD519B7210C3B9A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 70fd0dc80eff0ffb81e5f9509744e63df1afebf6a9d57bf34f7f836120d7ee28
                                      • Instruction ID: c074a33405b5f08869d162fc28531c779fa2ec391f53dbd176442b69e89ff039
                                      • Opcode Fuzzy Hash: 70fd0dc80eff0ffb81e5f9509744e63df1afebf6a9d57bf34f7f836120d7ee28
                                      • Instruction Fuzzy Hash: 431146B5D002498ECB20DFAAD445BEEFFF5EF88324F208419D419A7650C778A985CFA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 085B917E
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 1862c374a77ff2f0b8bc7cbd0f28c9804eab5a8d95d44fc173b1671c10f6ab88
                                      • Instruction ID: 78c9ee2a89575b3d4da03f36b78cdd08dae427be8a54657617289c9c629c099f
                                      • Opcode Fuzzy Hash: 1862c374a77ff2f0b8bc7cbd0f28c9804eab5a8d95d44fc173b1671c10f6ab88
                                      • Instruction Fuzzy Hash: 6A1137719002499FCB10DFAAC844AEEBFF5FF88314F108419E519A7250C779A550DFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: c9ce29464b41c9c0453095abea5df60c07465d94da8b10859abb73dc43e321f9
                                      • Instruction ID: 8332f97ccd7047b32dbbbdaac3bd70d052a59309779fb6ba1a85f88111d701a4
                                      • Opcode Fuzzy Hash: c9ce29464b41c9c0453095abea5df60c07465d94da8b10859abb73dc43e321f9
                                      • Instruction Fuzzy Hash: 0F1128B1D002488BDB20DFAAC4457EEFBF9EF89314F208419D519A7240CB79A544CBA4
                                      Uniqueness

                                      Uniqueness Score: -1.00%
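
The function entries above are the report's per-call-site view of one code region: CreateProcessA, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory and Wow64SetThreadContext all sit in the dump at 085B0000, which the report marks as not backed by a PE image, and the ResumeThread entries in the same region carry an API ID but no call-site line. The script below is an example added by the editor, not part of the Joe Sandbox report or its tooling: it parses entries in this section's layout (an API bullet followed by its "Source File" line), groups the call sites by dump region, and reports which steps of the process-hollowing sequence (spawn, allocate, write, set context, resume) have a call site and which do not. The step table, the sample input (constructed from the API and Source File lines visible above; the ResumeThread entries are left out because the report gives no ref for them) and all function names are assumptions of this example.

```python
"""Group Joe Sandbox per-function API call sites by memory-dump region and check
for the process-hollowing step sequence.  Editor-added example; the SAMPLE text is
constructed from the API / Source File lines in this report section."""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass

# "• CreateProcessA.KERNELBASE(?,?,...), ref: 085B968E"
API_RE = re.compile(
    r"^(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "Source File: <pid>.<stage>.<dumpid>.<base>.....sdmp, Offset: 085B0000, based on PE: false"
SRC_RE = re.compile(
    r"Source File:\s*(?P<pid>\d{8})\.(?P<stage>\d{8})\.(?P<dumpid>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.[^,]*?\.sdmp,\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)"
)

# Constructed sample: the call sites listed in this section, each followed by its dump source.
_SRC_85B = "• Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false"
_SRC_EE0 = "• Source File: 00000008.00000002.2086332252.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false"
SAMPLE = "\n".join([
    "• CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 085B968E", _SRC_85B,
    "• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 085B9260", _SRC_85B,
    "• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 085B9340", _SRC_85B,
    "• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 085B90B6", _SRC_85B,
    "• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 085B917E", _SRC_85B,
    "• PostMessageW.USER32(?,00000010,00000000,?), ref: 085BCA35", _SRC_85B,
    "• GetModuleHandleW.KERNELBASE(00000000), ref: 00EEC086", _SRC_EE0,
    "• CreateActCtxA.KERNEL32(?), ref: 00EE59C9", _SRC_EE0,
    "• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00EEE36F", _SRC_EE0,
    "• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00EEC101,00000800,00000000,00000000), ref: 00EEC2F2", _SRC_EE0,
])

# Win32 names as Joe Sandbox prints them.  Nt*/Zw* equivalents are not listed; add
# them if a report shows direct ntdll calls.  Wow64SetThreadContext is the WOW64
# variant used when the target thread is 32-bit.
HOLLOWING_STEPS = (
    ("spawn",   {"CreateProcess"}),
    ("alloc",   {"VirtualAllocEx"}),
    ("write",   {"WriteProcessMemory"}),
    ("context", {"SetThreadContext", "Wow64SetThreadContext"}),
    ("run",     {"ResumeThread"}),
)


@dataclass(frozen=True)
class CallSite:
    api: str        # as printed, e.g. "CreateProcessA"
    module: str     # KERNELBASE / KERNEL32 / USER32
    ref: int        # call-site address
    dump_base: int  # base of the memory dump the function lives in
    pe_backed: bool # "based on PE" flag of that dump


def canonical(api: str) -> str:
    """Drop an ANSI/Unicode suffix (CreateProcessA -> CreateProcess); leave VirtualAllocEx alone."""
    return re.sub(r"(?<=[a-z])[AW]$", "", api)


def parse_callsites(text: str) -> list[CallSite]:
    """Pair every API bullet with the next 'Source File' line, as in the report layout."""
    sites: list[CallSite] = []
    pending: list[re.Match] = []
    for line in text.splitlines():
        m = API_RE.match(line.strip())
        if m:
            pending.append(m)
            continue
        m = SRC_RE.search(line)
        if m:  # an entry with no API bullet (e.g. a ResumeThread stub) yields nothing
            base, pe = int(m["base"], 16), m["pe"] == "true"
            sites.extend(CallSite(a["api"], a["module"], int(a["ref"], 16), base, pe) for a in pending)
            pending = []
    return sites


def hollowing_steps(sites: list[CallSite]) -> dict[int, dict]:
    """Per dump region: which hollowing steps have a call site, which are missing, all APIs seen."""
    by_region: dict[int, set[str]] = defaultdict(set)
    for s in sites:
        by_region[s.dump_base].add(canonical(s.api))
    out = {}
    for base, apis in by_region.items():
        found = {step for step, names in HOLLOWING_STEPS if apis & names}
        out[base] = {"found": found,
                     "missing": [step for step, _ in HOLLOWING_STEPS if step not in found],
                     "apis": sorted(apis)}
    return out


def is_hollowing_candidate(region: dict, min_found: int = 3) -> bool:
    """Three of five steps in one region is enough to flag; a missing ref line should not hide it."""
    return len(region["found"]) >= min_found


def hollowing_span(sites: list[CallSite], base: int) -> tuple[int, int] | None:
    """Lowest and highest hollowing-related call-site address in a region (None if none)."""
    names = set().union(*(n for _, n in HOLLOWING_STEPS))
    refs = [s.ref for s in sites if s.dump_base == base and canonical(s.api) in names]
    return (min(refs), max(refs)) if refs else None


def unbacked_regions(sites: list[CallSite]) -> list[int]:
    """Dump bases whose code is not backed by a PE image (where injected/unpacked code usually lives)."""
    return sorted({s.dump_base for s in sites if not s.pe_backed})


if __name__ == "__main__":
    sites = parse_callsites(SAMPLE)
    for base, region in hollowing_steps(sites).items():
        flag = "HOLLOWING?" if is_hollowing_candidate(region) else "-"
        print(f"{base:08X} {flag:10} found={sorted(region['found'])} missing={region['missing']}")
        if (span := hollowing_span(sites, base)):
            print(f"           call sites {span[0]:08X}-{span[1]:08X} ({span[1] - span[0]:#x} bytes apart)")
    print("not PE-backed:", [f"{b:08X}" for b in unbacked_regions(sites)])
```

On the sample, the 085B0000 region is flagged with four of five steps present and only "run" missing, which is the expected result of the report's ResumeThread entries lacking a ref line; the five hollowing call sites lie 0x5D8 bytes apart, so the whole injector is one compact stretch of an unbacked region, which is the dump to carve the injected payload from. The 00EE0000 region (GetModuleHandleW, LoadLibraryExW, CreateActCtxA, DuplicateHandle) is loader-style housekeeping and is not flagged.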

                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 085BCA35
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 950dad76208a1ec9f8cf01f8ade14aff8df669ba02bcd837103457b58273d95a
                                      • Instruction ID: 284c5b468f9e902dcd3817846564daa2f22fd52a7c75c20aaa2958a5b50dff17
                                      • Opcode Fuzzy Hash: 950dad76208a1ec9f8cf01f8ade14aff8df669ba02bcd837103457b58273d95a
                                      • Instruction Fuzzy Hash: 0A1133B58003499FDB10DF9AD885BEEBFF8FB48310F108409E518A7640C378A984CFA0
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • PostMessageW.USER32(?,00000010,00000000,?), ref: 085BCA35
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2097770028.00000000085B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 085B0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_85b0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: MessagePost
                                      • String ID:
                                      • API String ID: 410705778-0
                                      • Opcode ID: 35403ef1a59de18916698755b1abdeb523658e84c19c3f56494f3839520d2e57
                                      • Instruction ID: e493069a95e2e611cfed9b4c81bad80af4ecb8d96445db59bfb4406e58161c83
                                      • Opcode Fuzzy Hash: 35403ef1a59de18916698755b1abdeb523658e84c19c3f56494f3839520d2e57
                                      • Instruction Fuzzy Hash: 5911E0B58003489FDB10DF9AD445BEEBBF8FB58310F10845AE918A7600C379A944CFA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      APIs
                                      • GetModuleHandleW.KERNELBASE(00000000), ref: 00EEC086
                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2086332252.0000000000EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EE0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_ee0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: HandleModule
                                      • String ID:
                                      • API String ID: 4139908857-0
                                      • Opcode ID: 96f45bb67aeac82ac8789161c9272098d56dec8c5ea2100da4799eb0ad760329
                                      • Instruction ID: 36c1256ae6d213760f667a96ee6f1fdea133143a1629b33068029e3fee40b74d
                                      • Opcode Fuzzy Hash: 96f45bb67aeac82ac8789161c9272098d56dec8c5ea2100da4799eb0ad760329
                                      • Instruction Fuzzy Hash: F911DFB6C00789CFDB20DF9AD444A9EFBF4AB89714F20851AD419B7610C379A545CFA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2085677751.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_e4d000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3cfd962cfdaff2e438ef0206645325d1aa25310b64db387b36bba3977fc919cf
                                      • Instruction ID: 5f3a36c8861e189827c1de43649188cacabfedf0d24eab445814c1a6fae7c2dd
                                      • Opcode Fuzzy Hash: 3cfd962cfdaff2e438ef0206645325d1aa25310b64db387b36bba3977fc919cf
                                      • Instruction Fuzzy Hash: 8C212271608240DFCB05DF14EDC0F26BF65FB98328F20C569E9091B256C73AD816DBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2085757206.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_e5d000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c961d54aacdace27afe67f30e951ce97a45b0f1ad6fc667437170c70678c5aef
                                      • Instruction ID: 34994eba3374aa7910f4b015441199f5ec0454f0d3cf57cf218eb9c42ea69695
                                      • Opcode Fuzzy Hash: c961d54aacdace27afe67f30e951ce97a45b0f1ad6fc667437170c70678c5aef
                                      • Instruction Fuzzy Hash: F6212575508304DFCB25DF54D9C0B26BB65FB84319F20C96DDC095B262C33AD84ACA61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2085757206.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_e5d000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5727620a1623f47cbfcca193db25294245c25c330cb52fe34936a985eb143bae
                                      • Instruction ID: a2171b70b5ad92e8e963e8e8c48c01a79cafccaadfce9e7be201a03a13a78d91
                                      • Opcode Fuzzy Hash: 5727620a1623f47cbfcca193db25294245c25c330cb52fe34936a985eb143bae
                                      • Instruction Fuzzy Hash: 7E21F571508204DFDB25DF24D9C4B16BF66FB84315F20C969DD095B396C33AD80BCA61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2085757206.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_e5d000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: db71958d101445b4e9ff21a76d36dafaed314978739570113ef1902177462bd1
                                      • Instruction ID: 87afcf32b829107a024d198cc1047061bcc5b3644a7d2c58d8f15587f3e8651e
                                      • Opcode Fuzzy Hash: db71958d101445b4e9ff21a76d36dafaed314978739570113ef1902177462bd1
                                      • Instruction Fuzzy Hash: 2821537550D3808FDB12CF24D994715BF71EB46314F28C5EAD8498B6A7C33A980ACB62
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2085677751.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_e4d000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                      • Instruction ID: 355196aa9f3e84d1fd786b2401a2c2f008d11fd1ca8fba68c2d5eb466782e898
                                      • Opcode Fuzzy Hash: be84e5d2ba6eb25d2e30d29f2c5ffdc4cdcd384a79140dda988d9b090738847a
                                      • Instruction Fuzzy Hash: 1311E976504240CFCB16CF14E9C4B16BF71FB94318F24C5A9D9494B656C33AD456CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2085757206.0000000000E5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E5D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_e5d000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                      • Instruction ID: 0962ee494749b84558bf769e8cdc854dc2c656bd004156564d2765470b3ad5cb
                                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                      • Instruction Fuzzy Hash: D811BE79508240DFCB12CF50C9C4B15BB61FB84318F24CAADDC494B266C33AD85ACB61
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2085677751.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_e4d000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 31dcf8654367e5ca92af81944763a6b3b1a1bee76c67ea70927df2cee0027f5f
                                      • Instruction ID: 35a08c3da830074e83597cfbd71c851d6ae083573bf142e7c92fc32d40729225
                                      • Opcode Fuzzy Hash: 31dcf8654367e5ca92af81944763a6b3b1a1bee76c67ea70927df2cee0027f5f
                                      • Instruction Fuzzy Hash: 9A01DB710083449AE7209F15DD8CBA7BF9CEF56334F18C56BED095A286D2799841CAB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 00000008.00000002.2085677751.0000000000E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E4D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_8_2_e4d000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ef0bfa2bd96572d2e9d1aa7f7bcc3260a01e8a5dcd0e3b0c36ed824d49e1d5c6
                                      • Instruction ID: 7bbf82125d7451bd0ca91f65337fa4e8a2e283f32aa51b4b373ab32d7679a995
                                      • Opcode Fuzzy Hash: ef0bfa2bd96572d2e9d1aa7f7bcc3260a01e8a5dcd0e3b0c36ed824d49e1d5c6
                                      • Instruction Fuzzy Hash: 15F062714083449EE7209E16DC88B66FF98EF56738F18C45AED485A286C2799844CAB1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Execution Graph

                                      Execution Coverage: 13.6%
                                      Dynamic/Decrypted Code Coverage: 100%
                                      Signature Coverage: 0%
                                      Total number of Nodes: 31
                                      Total number of Limit Nodes: 5
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 24e49fc1d64d883d71886c7b9fda06774b048fe8e64d8cf9e46ab701898c8f9f
                                      • Instruction ID: 9deb4ae667a70d73d029cbd6bf00f94b6152a03190d103092157a31c5865201e
                                      • Opcode Fuzzy Hash: 24e49fc1d64d883d71886c7b9fda06774b048fe8e64d8cf9e46ab701898c8f9f
                                      • Instruction Fuzzy Hash: 0C630831D10B1A8ADB11EF68C8946ADF7B1FF99300F15D69AE44C77121EB70AAD4CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ad86bd6a494d76725138dc1ad1c867c2c44c54338bc0e04fa39d95f29417f390
                                      • Instruction ID: 8653646b0afcbf21f665533774c0a81bc725520d9853cab14c1d0d9047e82b4a
                                      • Opcode Fuzzy Hash: ad86bd6a494d76725138dc1ad1c867c2c44c54338bc0e04fa39d95f29417f390
                                      • Instruction Fuzzy Hash: 3843E431D10B1A8ADB11EF68C8946A9F7B1FF99300F15D79AE44877121EB70AAD4CF81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f4305e37ab70d32ffa2ce2989e62110ec7af9192e629996e53f7c6a9cc785dbe
                                      • Instruction ID: 1ab1d7350f9f33a741425f391d2f2559bfe18acf85bf75ce2178dad9870c7387
                                      • Opcode Fuzzy Hash: f4305e37ab70d32ffa2ce2989e62110ec7af9192e629996e53f7c6a9cc785dbe
                                      • Instruction Fuzzy Hash: 26332F31D1071A8EDB11EF68C8905ADF7B5FF99300F15C79AE448A7225EB70AAC5CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a993fde12052917b3b63554acd2ca20af49f27bd0920630ecf0a1886554dfddc
                                      • Instruction ID: 7dcfe939c48eb94696308c2b57b3803942aeaeee01a849dd912dfdcac0c146ed
                                      • Opcode Fuzzy Hash: a993fde12052917b3b63554acd2ca20af49f27bd0920630ecf0a1886554dfddc
                                      • Instruction Fuzzy Hash: CC32B030B002258FDB15CF68D980AAEBBB6FF88314F14846AE509EB359DB35DC45CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2fa2e0e1b05725b8648e63adec72a0f90bb7d16f2c9fe546a31c87275168a7e3
                                      • Instruction ID: 9fe1bcb2e9ad34c3e901b610c9c57ecc652ef1fdfb9b3252e3617c0ab5447bae
                                      • Opcode Fuzzy Hash: 2fa2e0e1b05725b8648e63adec72a0f90bb7d16f2c9fe546a31c87275168a7e3
                                      • Instruction Fuzzy Hash: 4CB15E70E002298FDF11CFADD8857EDBBF6AF88315F148529D819E7258EB749885CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 31bd657df58ec2e0b0715c426fcf3625cea2cb29a286ed079a3415543b6d7355
                                      • Instruction ID: 1c17c336046208bc07253c013b42db933fdfeb65ef4857fb7ea5b1ca591d1a3f
                                      • Opcode Fuzzy Hash: 31bd657df58ec2e0b0715c426fcf3625cea2cb29a286ed079a3415543b6d7355
                                      • Instruction Fuzzy Hash: B1917070E00219DFDF10CFA9D985BDDBBF6BF98304F148129E419A7258EB789985CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,068EE20A), ref: 068EE2F7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3297436178.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_68e0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID: Te]q
                                      • API String ID: 1890195054-52440209
                                      • Opcode ID: de5502f169637fd385a86793d6b20c1d94d48b5e26d23177e8fec24fb508c35e
                                      • Instruction ID: 91e6727bfe46c6f286fcffaaa312d3aa8b536b31aecc9cde06729ea1722fbe03
                                      • Opcode Fuzzy Hash: de5502f169637fd385a86793d6b20c1d94d48b5e26d23177e8fec24fb508c35e
                                      • Instruction Fuzzy Hash: 4851B031E102149FDF60CFA8C4847ADBBB2EF8A314F24852AE408EB351CB749D45CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LR]q$LR]q
                                      • API String ID: 0-3917262905
                                      • Opcode ID: aab5049184711cb31ccf78e779f9db6ad7e4d63a00b9be3167a4adc0961efdb6
                                      • Instruction ID: c398375042105dd113227babbfa900367ad609ded273fef2460e6f9cc8245f8d
                                      • Opcode Fuzzy Hash: aab5049184711cb31ccf78e779f9db6ad7e4d63a00b9be3167a4adc0961efdb6
                                      • Instruction Fuzzy Hash: 3551BF30A402159FDB19DFB8C450BAEB7B6FF85301F10846AE409EB395EB75AC46CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3297436178.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_68e0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 84cbf5da7b7e666ffdec62f80d812f48c0bf1e15b473f9efe66a41bf60c5e248
                                      • Instruction ID: cc7a1cd202c1eef874c690efd7254fd3c7757ab59da8a5ad65e4d8c38c860976
                                      • Opcode Fuzzy Hash: 84cbf5da7b7e666ffdec62f80d812f48c0bf1e15b473f9efe66a41bf60c5e248
                                      • Instruction Fuzzy Hash: F8411572D043968FCB04CFB9D8046EEBFF1AF8A210F14866AD508E7241DB389845CBD1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Control-flow Graph

                                      APIs
                                      • GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,068EE20A), ref: 068EE2F7
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3297436178.00000000068E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068E0000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_68e0000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID:
                                      • API String ID: 1890195054-0
                                      • Opcode ID: c2a1c1de43045aeb21dc5daafcdad54dfd4b16c70e4bf0bc8f71b61a7aa2192a
                                      • Instruction ID: c61dbb64cb8aa37e983dde4f77b303b832b300f797a74262da715db74b2d6154
                                      • Opcode Fuzzy Hash: c2a1c1de43045aeb21dc5daafcdad54dfd4b16c70e4bf0bc8f71b61a7aa2192a
                                      • Instruction Fuzzy Hash: 701114B1C006599BCB10DF9AC548BAEFBF4EF49310F10816AE918B7240D378A954CFE5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PH]q
                                      • API String ID: 0-3168235125
                                      • Opcode ID: 12130f2ec412228161a9962671a995bbfeb2f66091bc588c3931a5f0cc9c1e13
                                      • Instruction ID: 75ad89fa27ba9936df4745613a7aa213da48cd223451b1b391ddd498466c9bb4
                                      • Opcode Fuzzy Hash: 12130f2ec412228161a9962671a995bbfeb2f66091bc588c3931a5f0cc9c1e13
                                      • Instruction Fuzzy Hash: E331FD307002118FDB199B38D664A6E3BF6AF89750F144468D00AEB389DE79DD06CBA1
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PH]q
                                      • API String ID: 0-3168235125
                                      • Opcode ID: d990364c5526057663baadfcae5b2a9cf2d335f61583036c0d13e6b901f4df4d
                                      • Instruction ID: c239533f263eed472cab5e6f2512894a1940db29d086436ee59d86c291248afa
                                      • Opcode Fuzzy Hash: d990364c5526057663baadfcae5b2a9cf2d335f61583036c0d13e6b901f4df4d
                                      • Instruction Fuzzy Hash: FF31CD307002118FDB199B38D564A6F3BFAAF89740F644538D00ADB399DE75DD06CBA5
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LR]q
                                      • API String ID: 0-3081347316
                                      • Opcode ID: 12dc988cc0fb7a5534bcec279bc4bfef9de060ef97cc8ab1096b4fb25daa51e8
                                      • Instruction ID: 3c253bd2ffd0a8e4ce70ca3d4ca62d7f2d381743609001da36885b9c28cbc761
                                      • Opcode Fuzzy Hash: 12dc988cc0fb7a5534bcec279bc4bfef9de060ef97cc8ab1096b4fb25daa51e8
                                      • Instruction Fuzzy Hash: D7319034E102199FDF19CFA9C440B9EB7B6FF85311F50852AE80AF7244EB75A846CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Strings
                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LR]q
                                      • API String ID: 0-3081347316
                                      • Opcode ID: 36f269d8510d6e7f3a66200f58beeb6bb31d214f8f0b07f5f0860e8bfad440f6
                                      • Instruction ID: 9d34e217765883a175d122e971431a714c384b5f03a2d07d2265df96394385c1
                                      • Opcode Fuzzy Hash: 36f269d8510d6e7f3a66200f58beeb6bb31d214f8f0b07f5f0860e8bfad440f6
                                      • Instruction Fuzzy Hash: AD2107317082519FC716EB7CD85065E7BF6EF86300B0548AEC049CB799DB399C45CBA2
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 46eba91694c0ceba1870f56340844cdc934615b2dc2eadfd21f426a9e141cca8
                                      • Instruction ID: 954386c960746dcf5ee747760ebb8cfd0327c81f58403709957c2211ea26e800
                                      • Opcode Fuzzy Hash: 46eba91694c0ceba1870f56340844cdc934615b2dc2eadfd21f426a9e141cca8
                                      • Instruction Fuzzy Hash: 98126E347402129FDB6A9B78E85062E37ABFB85301B544938D406CB369CFB9EC47CB95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a2f793eb6b019da87b62a8767be7ca3ba2e064c206a712f7f0a5c68f65e68655
                                      • Instruction ID: 570dcf4edef4e3c251a73a328d782974a8a50b24df015a10e85fdb5ef9be9a86
                                      • Opcode Fuzzy Hash: a2f793eb6b019da87b62a8767be7ca3ba2e064c206a712f7f0a5c68f65e68655
                                      • Instruction Fuzzy Hash: ABB13A70E00229CFDF11CFACD9857EDBBF5AF88315F148529D819AB258EB749885CB81
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5ddce3d2831676042eabc8052eb438aba10b74e6c55ed6e3eab0c6682aa64c64
                                      • Instruction ID: 7297b792c3de9ed83066239b5aa2755b16e2f3942ea2a6dac9555d57ecab1f3d
                                      • Opcode Fuzzy Hash: 5ddce3d2831676042eabc8052eb438aba10b74e6c55ed6e3eab0c6682aa64c64
                                      • Instruction Fuzzy Hash: 81918E34A002258FDB15DF68D994AADBBF6FF88315F148429E90AE7359CB35EC42CB50
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 915d0fd503eb18b1e708a735a30408d231cd43f7536f3fc84c4460390fac309f
                                      • Instruction ID: 6afe351318c34a391bd6f75ab785958b14d8afce0cb4c649c9ab0dcc2d253a09
                                      • Opcode Fuzzy Hash: 915d0fd503eb18b1e708a735a30408d231cd43f7536f3fc84c4460390fac309f
                                      • Instruction Fuzzy Hash: 79916D70E00219DFDF10CFA8D985BDDBBF5BF98304F248129E419A7258EB789985CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 459256754f6442c964ee691815da593ee02554925750a95d1c29a3d7a257cfb8
                                      • Instruction ID: 687ba51e3027b19a59e5723a2141e819f24f952b16a5210f2a8c5b5378ace778
                                      • Opcode Fuzzy Hash: 459256754f6442c964ee691815da593ee02554925750a95d1c29a3d7a257cfb8
                                      • Instruction Fuzzy Hash: 247169B0E00259CFDB14CFA9C88479EBBF5BF88714F148129E419A7258EB749885CF95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd48ca6260a08b4145e74b1b512e0bf9420460ac8541c74ff76f19c3e660d13e
                                      • Instruction ID: 5a1101f554da5fd3edb3318a5f6a0d25a8af90a5a9cc44442cee99ff94bfc197
                                      • Opcode Fuzzy Hash: dd48ca6260a08b4145e74b1b512e0bf9420460ac8541c74ff76f19c3e660d13e
                                      • Instruction Fuzzy Hash: E4718BB0E00259CFDF14CFA9C88079EBBF6BF88714F148129E419A7258EB749881CF95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a86fcde043e37c2d0d451ca9e64f3d3d67433faa9bfcb125915f926d4338cfeb
                                      • Instruction ID: 1ccd7d058d8727efb2b8a023ed30ce571d19254c74c2f65de1e955bd78c90dad
                                      • Opcode Fuzzy Hash: a86fcde043e37c2d0d451ca9e64f3d3d67433faa9bfcb125915f926d4338cfeb
                                      • Instruction Fuzzy Hash: 4F511370D002288FDB18CFA9C885B9DBBF5BF48310F148129E819BB795D774A885CF95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e7a78bb49ad0026f245e773bef41d3990ef889daea1724ce56fdb05c2b18b2ff
                                      • Instruction ID: ef2860bfcd73044e5f9d8a4c08dff9f6bd52a7f6edc7adccee186658780a0360
                                      • Opcode Fuzzy Hash: e7a78bb49ad0026f245e773bef41d3990ef889daea1724ce56fdb05c2b18b2ff
                                      • Instruction Fuzzy Hash: 41512370D002288FDB18CFA9C888B9DBBF5BF48314F148529E819BB795D774A884CF95
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d30760db39af435e1ab2b8cfe9e8fd5c3187d797d90ddb27231e0d27f1377bf3
                                      • Instruction ID: 0396f6c127a9f62a53e8ec7d0a1d2afd0dd8125c25b62162bdc8880c16543930
                                      • Opcode Fuzzy Hash: d30760db39af435e1ab2b8cfe9e8fd5c3187d797d90ddb27231e0d27f1377bf3
                                      • Instruction Fuzzy Hash: A551C931A426418FEB99DF78FA809543F65FB5630430C85A9D0415B23ADFE86E0ADF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 40e7f58178d406eb9aadd2a4b9d5014ba74f6a72d0cd19a8ab35ddaed557b9d9
                                      • Instruction ID: c7224a60bcb4c20bb6c564bfeb162d89f767d7828723b56f26bd3ca1450037df
                                      • Opcode Fuzzy Hash: 40e7f58178d406eb9aadd2a4b9d5014ba74f6a72d0cd19a8ab35ddaed557b9d9
                                      • Instruction Fuzzy Hash: 3F51B831A026418FEB99DF78FA809543F65FB9570430C81A9D0455B23ADFF86E0ADF92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8b4a5f4ced2ed102ee5f141e46a35a68640acdb5a7230512c8c47c594a4c9c6a
                                      • Instruction ID: f1e382757695046907628d1700a330ed6faf0b945507f5c426cd40ac1d29a511
                                      • Opcode Fuzzy Hash: 8b4a5f4ced2ed102ee5f141e46a35a68640acdb5a7230512c8c47c594a4c9c6a
                                      • Instruction Fuzzy Hash: FA316D31E002158FCB19CF69D954A9EBBB6FF89300F148919E80AE7355DB74ED42CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4c6867c873411e585ef8e2280b65c43dc06cd651643b9570d051d870e613911a
                                      • Instruction ID: 473299cdb5fa24ed06bb155bcc4b85c73c4a214c49b33a9f95db99a07297ee42
                                      • Opcode Fuzzy Hash: 4c6867c873411e585ef8e2280b65c43dc06cd651643b9570d051d870e613911a
                                      • Instruction Fuzzy Hash: 7E41DEB0D003499FDB14DFA9C484ADEBFF9FF48310F24842AE809AB254DB75A945CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f1cd0583d5ff850c9db4b8d1ec1250e6aad4c8f72639aaf990d80cce734cd184
                                      • Instruction ID: 6f9f20fbe130c8e404d0e218eb1a8bd4284a88891a0946323bc17a4c5535e176
                                      • Opcode Fuzzy Hash: f1cd0583d5ff850c9db4b8d1ec1250e6aad4c8f72639aaf990d80cce734cd184
                                      • Instruction Fuzzy Hash: A9316031E002159BCB19CF69D45469EBBB6FF89300F108929E80AE7355DB74ED42CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5a49e074e54d282e0dd7315a8f92477e272043a0d85e6fefa56824566855ed1d
                                      • Instruction ID: 550eb3f221379f22fe4cac216263f2c22d15c38444b59f30a11b3d38db47bfe3
                                      • Opcode Fuzzy Hash: 5a49e074e54d282e0dd7315a8f92477e272043a0d85e6fefa56824566855ed1d
                                      • Instruction Fuzzy Hash: BE41EEB0D003489FDB14DFA9C484ADEBFF9FF48310F248429E809AB254DB75A945CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 719af6d92bb2ddb751b6f3e0f96937b8ebe5d5c7bb1ea783a50c89b53b0e3938
                                      • Instruction ID: e4503eb58cedc74ce78cbdc54590fdfbb997624e8b49b8790ab0b0e54cd7dc8d
                                      • Opcode Fuzzy Hash: 719af6d92bb2ddb751b6f3e0f96937b8ebe5d5c7bb1ea783a50c89b53b0e3938
                                      • Instruction Fuzzy Hash: 7F318F30B01221CFEB15EB78C450AAD77B6FF88245F2100A8D409AB3A9DF79DC41CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fce619a342707435889c9b529c340c58c314a4e3c08b76e9878554a5cf5ba800
                                      • Instruction ID: 68a55924eaf71fb5c4e47a13749bf488166e97a3668d0c950755f391ecbc1616
                                      • Opcode Fuzzy Hash: fce619a342707435889c9b529c340c58c314a4e3c08b76e9878554a5cf5ba800
                                      • Instruction Fuzzy Hash: DA314F30B012258FEB15EB78C5546AE77B6FF88245F210478C409AB3A9DF79DC41CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1c70ecc244d16c44d650ab7e1c0b05290590f3cd87f7749169811d688a20adbc
                                      • Instruction ID: 479bb34a7305ee9d5207939108ebed95024dfa453d561927881e1a8711182cc0
                                      • Opcode Fuzzy Hash: 1c70ecc244d16c44d650ab7e1c0b05290590f3cd87f7749169811d688a20adbc
                                      • Instruction Fuzzy Hash: AD21A130A001118FEB66DF28E884B6D376DEB85309F188675D40AC726AE76CCD56CB92
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bd68e5a43f9cc8f020506b6e14825c308f10b7c0aa53e2c5c6cc5f1a923176e0
                                      • Instruction ID: 6cf85805ddca5f3c0651d05cd7a61eeaf8c222d27fb3ea7b606dabcb8529cba0
                                      • Opcode Fuzzy Hash: bd68e5a43f9cc8f020506b6e14825c308f10b7c0aa53e2c5c6cc5f1a923176e0
                                      • Instruction Fuzzy Hash: 3431A231E002269BDB15CFA8D99079EB7B6FF8A304F14C519E809EB345DB709C46CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 10f285c58217a21b48513950e3cd2aadaf08ec7a210a77f875c74850e4ae5310
                                      • Instruction ID: 18c71e894e7c41bd6423f3bb2896ec543054fa84eb9dc54dfb68a814175873aa
                                      • Opcode Fuzzy Hash: 10f285c58217a21b48513950e3cd2aadaf08ec7a210a77f875c74850e4ae5310
                                      • Instruction Fuzzy Hash: A5217130E0022A9BDB05CFA9D45069EBBB6FF8A304F14C519E809EB345DB709C46CB91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9327356040e88e5b8486173c8b368d9ffc09b9eac140dc345da7c358805101e3
                                      • Instruction ID: 73912a8c4cc8465ed0404580b4b9ce7c7a33ca16123b1b7ccd7ad96734454693
                                      • Opcode Fuzzy Hash: 9327356040e88e5b8486173c8b368d9ffc09b9eac140dc345da7c358805101e3
                                      • Instruction Fuzzy Hash: EF218331E002259FCB19CF69D85469EB7B2BF89304F20852AE81AB7345DB709946CB51
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9d30e0145a963843f25b1ca7d66fd9e98c3e24796f37f3270819ca6480cadc82
                                      • Instruction ID: a0655eb5e28c77b53cb288bab88ee1c52c7d7823b5c87016625f7345a727588d
                                      • Opcode Fuzzy Hash: 9d30e0145a963843f25b1ca7d66fd9e98c3e24796f37f3270819ca6480cadc82
                                      • Instruction Fuzzy Hash: 1B21A131A002258FCF22DFBCD440AAE7BB9EF84215F1404BAE80DE7349E735D8528B91
                                      Uniqueness

                                      Uniqueness Score: -1.00%

                                      Memory Dump Source
                                      • Source File: 0000000C.00000002.3285388725.0000000001920000.00000040.00000800.00020000.00000000.sdmp, Offset: 01920000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_12_2_1920000_jgHHGmfF.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e40c74783e12d25bcdcb0a55d6e806e44c6c2498d7dcd98e92e047ce6a878895
                                      • Instruction ID: a5261e4c583ca66cb485ab040e6c8840c9ff1d073b7a9d468a508074b1d0eaa8