Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
Analysis ID: 1429018
MD5: 906cb4d1d82674ca8e0c0614d34af552
SHA1: 1c38bd8f3122bc9aaf7c2a8968c252ff2b264721
SHA256: 6670de035561ab5f4cd82d89a4ab969b7d8eaf1da047782b37399d79eeb4762e
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe (PID: 3140 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe" MD5: 906CB4D1D82674CA8E0C0614D34AF552)
    • powershell.exe (PID: 6712 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7176 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PUwpftrjIH.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7584 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7220 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp32DE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • PUwpftrjIH.exe (PID: 7592 cmdline: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe MD5: 906CB4D1D82674CA8E0C0614D34AF552)
    • schtasks.exe (PID: 7728 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp4201.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • PUwpftrjIH.exe (PID: 7780 cmdline: "C:\Users\user\AppData\Roaming\PUwpftrjIH.exe" MD5: 906CB4D1D82674CA8E0C0614D34AF552)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.hoangtruongphat.com", "Username": "cus.overseas@hoangtruongphat.com", "Password": "hoangtruongphat818"}
Source | Rule | Description | Author
00000007.00000002.4174148068.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000C.00000002.4173335726.000000000332C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.4174148068.0000000002FC5000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000007.00000002.4174148068.0000000002F94000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.4174148068.0000000002F94000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author
7.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
7.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, ParentProcessId: 3140, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe", ProcessId: 6712, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp4201.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp4201.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe, ParentImage: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe, ParentProcessId: 7592, ParentProcessName: PUwpftrjIH.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp4201.tmp", ProcessId: 7728, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 125.212.217.248, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, Initiated: true, ProcessId: 7420, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49733
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp32DE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp32DE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, ParentProcessId: 3140, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp32DE.tmp", ProcessId: 7220, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, ParentProcessId: 3140, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe", ProcessId: 6712, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp32DE.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp32DE.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, ParentProcessId: 3140, ParentProcessName: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp32DE.tmp", ProcessId: 7220, ProcessName: schtasks.exe
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Avira: detection malicious, Label: HEUR/AGEN.1323731
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.hoangtruongphat.com", "Username": "cus.overseas@hoangtruongphat.com", "Password": "hoangtruongphat818"}
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Virustotal: Detection: 38%
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Virustotal: Detection: 38%
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Yara match | File source: 7.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49733 -> 125.212.217.248:587
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 125.212.217.248
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 104.26.13.205
Source: Joe Sandbox View | ASN Name: VIETEL-AS-APViettelGroupVN
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: api.ipify.org
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4171077285.0000000001256000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4171077285.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4183914195.0000000006916000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002FC5000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.000000000332C000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4169095549.000000000165D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4171077285.0000000001256000.00000004.00000020.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4169095549.000000000168E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4171077285.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4183914195.0000000006916000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002FC5000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.000000000332C000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4169095549.000000000165D000.00000004.00000020.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4169095549.000000000168E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4183914195.0000000006916000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4171077285.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002FC5000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.000000000332C000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4169095549.000000000165D000.00000004.00000020.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4182176227.0000000006B94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.00000000032F1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1727481234.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4167963900.0000000000435000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://ip-api.com/line/?fields=hosting
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.000000000332C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://mail.hoangtruongphat.com
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4171077285.0000000001256000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4171077285.00000000012BE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4183914195.0000000006916000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4171077285.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002FC5000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.000000000332C000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4169095549.000000000165D000.00000004.00000020.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4169095549.000000000168E000.00000004.00000020.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4182176227.0000000006B94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1725787312.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 00000009.00000002.1763743018.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.00000000032A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1727481234.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4167911158.0000000000436000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1727481234.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4167963900.0000000000435000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.00000000032A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.00000000032A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4183914195.0000000006916000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4171077285.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002FC5000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.000000000332C000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4169095549.000000000165D000.00000004.00000020.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4182176227.0000000006B94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sectigo.com/CPS0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, K6raBsUk6.cs | .Net Code: HQNz1j4

System Summary

Source: 7.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.53d0000.4.raw.unpack, LoginForm.cs | Large array initialization: array initializer size 33603
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process Stats: CPU usage > 49%
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1732623801.00000000055B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameschtasks.exej% vs SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1736070739.0000000008780000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1724540848.000000000100E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1725787312.00000000030EF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef1ad12be-2b70-45c4-8a59-88eaf27e05b9.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1727481234.0000000003E49000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef1ad12be-2b70-45c4-8a59-88eaf27e05b9.exe4 vs SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1732156143.00000000053D0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSimpleLogin.dll8 vs SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4168596099.0000000000F78000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Binary or memory string: OriginalFilenameyiQW.exe: vs SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 7.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: PUwpftrjIH.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, c2bZQnG.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, c2bZQnG.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, Q1L0K.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, Q1L0K.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, uo1UBaEHa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, uo1UBaEHa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, uo1UBaEHa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, uo1UBaEHa.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, LnprZyFhkO4Ahy0mDa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, lxuIxS626uPP3Z2gJP.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, lxuIxS626uPP3Z2gJP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, lxuIxS626uPP3Z2gJP.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, lxuIxS626uPP3Z2gJP.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, lxuIxS626uPP3Z2gJP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, lxuIxS626uPP3Z2gJP.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, lxuIxS626uPP3Z2gJP.cs | Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, lxuIxS626uPP3Z2gJP.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, lxuIxS626uPP3Z2gJP.cs | Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, LnprZyFhkO4Ahy0mDa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, LnprZyFhkO4Ahy0mDa.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@19/15@4/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | File created: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7260:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7192:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | File created: C:\Users\user\AppData\Local\Temp\tmp32DE.tmp
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | ReversingLabs: Detection: 42%
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe:Zone.Identifier
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PUwpftrjIH.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp32DE.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe C:\Users\user\AppData\Roaming\PUwpftrjIH.exe
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp4201.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Process created: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe "C:\Users\user\AppData\Roaming\PUwpftrjIH.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PUwpftrjIH.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp32DE.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe"
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp4201.tmp"
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Process created: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe "C:\Users\user\AppData\Roaming\PUwpftrjIH.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: rasapi32.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: rasman.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: rtutils.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: mswsock.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: winhttp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: iphlpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: dhcpcsvc6.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: dhcpcsvc.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: dnsapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: winnsi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: rasadhlp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: fwpuclnt.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: secur32.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: schannel.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: mskeyprotect.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: ntasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: ncrypt.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: ncryptsslp.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: vaultcli.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                  Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: mscoree.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: apphelp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: kernel.appcore.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: version.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: uxtheme.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: windows.storage.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: wldp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: profapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: cryptsp.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: rsaenh.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: cryptbase.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: amsi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: userenv.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: msasn1.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: gpapi.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: urlmon.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: iertutil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: srvcli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: netutils.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: sspicli.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: propsys.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: windowscodecs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: edputil.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: wintypes.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: appresolver.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: bcp47langs.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: slc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: sppc.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                  Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: rasman.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: schannel.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: vaultcli.dll
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                  Source: Window RecorderWindow detected: More than 3 window changes detected
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, --.cs | .Net Code: _0002
Source: PUwpftrjIH.exe.0.dr, --.cs | .Net Code: _0002
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, lxuIxS626uPP3Z2gJP.cs | .Net Code: F73MHC4klwAj1fhk0dL System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.53d0000.4.raw.unpack, .cs | .Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, lxuIxS626uPP3Z2gJP.cs | .Net Code: F73MHC4klwAj1fhk0dL System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, lxuIxS626uPP3Z2gJP.cs | .Net Code: F73MHC4klwAj1fhk0dL System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Code function: 7_2_011D0C3D push edi; ret 7_2_011D0CC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Code function: 7_2_011D0C95 push edi; retf 7_2_011D0C3A
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Code function: 12_2_019C0B4F push edi; ret 12_2_019C0CC2
Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Static PE information: section name: .text entropy: 7.980247279079844
Source: PUwpftrjIH.exe.0.dr | Static PE information: section name: .text entropy: 7.980247279079844
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, qEXeMKEDHBjNO3g5kDx.cs | High entropy of concatenated method names: 'YFkbU9YQSL', 'jVgbBGXtmn', 'w3Nb2Croqm', 'kb8blFikTQ', 'kq0bNlJlAB', 'SBNbLE1Vg8', 'AGtbmjnN54', 'YDIbF6Stlu', 'iiGbeahAnm', 'oJaboyygQp'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, pgV2xQGNaC0MNwXbFe.cs | High entropy of concatenated method names: 'Dispose', 'pn2EYTVqGC', 'XASXvaqyDU', 'Id3xxwtBcW', 'JPEE4HcyhV', 'yA9Ez4QccT', 'ProcessDialogKey', 'TKyXD8a3hS', 'IudXEfQsOf', 'JjRXXfeMKf'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, eQWaYJ17JN76s0bchq.cs | High entropy of concatenated method names: 'EoksUq2W1i', 'mQYsBspyD8', 'OCjs2Xb3qw', 't7BslRLkpb', 'E1XsNVsLN3', 'PBPsLCkcYU', 'mH1smjkAYy', 'IYLsFE8jvO', 'AAMsek9JZC', 'QJZso5e7aO'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, UeMKfk4aIVNMtlZgU6.cs | High entropy of concatenated method names: 'AlsbERdgeR', 'yi5bp8VXhk', 'zE2bZJM4nH', 'EuUbutBOo9', 'pifbGTUosf', 'gE3bdbNoDL', 'EaEbym7dma', 'lBc3OuhnIU', 'WM03IBXRuv', 'Yca3YM05vT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, zZT5m8rdae6QEXhc5R.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'LmBXYkVYum', 'k2FX4vfSJ1', 'QGhXzEvSDX', 'qHLpDEEwyg', 'HC6pECGg1i', 'yIqpX8wrgR', 'aaVppyb7uQ', 'oKTUW94rR0QPZ2hev3r'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, i8a3hSYcudfQsOfajR.cs | High entropy of concatenated method names: 'wnO3VcUigD', 'efE3v5T8kM', 'YIq3c5JwMT', 'tmi3AuomNf', 'u3W3n4u6hk', 'iEL3aP9IJD', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, a1DVSLV5IdGcQCBcgx.cs | High entropy of concatenated method names: 'yY0yhJbjAv', 'OViyGg2Egg', 'w6UydFL30p', 'c5Tys69OcP', 'lyqy6SIy1H', 'ic1dfqfRP4', 'h95dqQL2Dk', 'TMCdOCEXje', 'QTVdICLIXQ', 'frXdY9my95'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, xRBFU6EXqOgxY7JkcgO.cs | High entropy of concatenated method names: 'gZbkUpDfHM', 'CrOkBobYvF', 'zgXk2UW5YW', 'FLAmuDrBAlxDchSTiLv', 'clu0QXrwQrNAY54byYJ', 'VysPxrrdFFWpT3xHotS', 'CFNjZnrzFGHOA16OvIh'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, pI8pd5oMsyKa6kgbSG.cs | High entropy of concatenated method names: 'll7dNGNtu0', 'DvRdmDoGaw', 'PWcrc2x1lP', 'E3trADA6as', 'jnXra9iTHv', 'IDIriLJCY5', 'wUWr8uy2k5', 'DiWrjsQAGc', 'SNEr1DTQZI', 'n71rQTKm80'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, cg19N0ziFArwRohoKf.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MiRbSh5wH0', 'xg5bgcLupt', 'iHZbtUcypp', 'Lg8bHLC5jh', 'BVXb3l89b5', 'keibbx1PGc', 'cxdbkGjsUn'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, LnprZyFhkO4Ahy0mDa.cs | High entropy of concatenated method names: 'nTWGnGfusL', 'B9jGKaFnHy', 'krjGMlOhya', 'lRTGJ0fgeU', 'LZ9GfyAXM2', 'cRlGqEiXYw', 'oneGOy7rUX', 'gBUGIPCnJ0', 'WxHGY3vj3O', 'iRSG4ygUwC'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, BVkZFxEpC5FKcTc1MU8.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zrykncWeba', 'sUokK6tmtK', 'FmpkMFCYiH', 'jQgkJ9AgXg', 'qHWkf5wkYE', 'DgWkqc7RKF', 'fpBkONuBWX'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, jvG3cOnPXmmY9OtVIx.cs | High entropy of concatenated method names: 'q1EgQt2YPB', 'F92gTLyIRl', 'eKSgnXqhAT', 'EBOgKXZ0y8', 'GrvgvcHgu8', 'v43gcpiQvN', 'p9IgAXpHK9', 'RSRga2GvNF', 'APmgicZsRv', 'swkg8S5Qsd'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, vEHcyhIVBA94QccTJK.cs | High entropy of concatenated method names: 'Odc3uGqWIy', 'wcI3GKE1ii', 'a9P3rBMZg6', 'E1L3dixaCC', 'wWg3yaogyb', 'ryN3sSLAJc', 'lt2366h0CY', 'yol300oLob', 'rSw39UNnTr', 'KZv37YrwFf'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, HWiQ3ieRoHS56tpk32.cs | High entropy of concatenated method names: 'K88rlASLhc', 'ynhrLRddHy', 'qXfrFw4oiE', 'LV2re3U4EB', 'jFCrgdZTdF', 'Ekxrt0jBkK', 'XFyrHiL8mD', 'Ct8r3upCEZ', 'iblrbGqV7P', 'qQCrkegg9R'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, lID1QQZEygTBQZkoGh.cs | High entropy of concatenated method names: 'AwjEsnprZy', 'ekOE64Ahy0', 'KRoE9HS56t', 'ck3E72tI8p', 'sgbEgSGD1D', 'GSLEt5IdGc', 'cLSBg7yippqySc86U2', 'iRRr57heQfP3sjNdY2', 'EZ1FjYiSXKwh6My3c5', 'gd5EElv7GJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, DKXLkcXaAY02BNmiss.cs | High entropy of concatenated method names: 'M782xFSeS', 'i8DlVFNTH', 'oGRLyPtlG', 'g2HmV54ek', 'oLCeny3Hn', 'xrqowkREW', 'HVGyGg3uDCHvtQdHI8', 'ES3q9JVL4M6OJ3sE0D', 'lnt36HTF8', 'JIwkkKndv'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, KOG1Ts8fBCdaQieJ0d.cs | High entropy of concatenated method names: 'G4XsuRVMt7', 'HglsrMpY8t', 'q8OsyVtNZM', 'p0ly4n3DSS', 'rUwyzteKr8', 'lSbsDMHZ8L', 'FiQsECJJAJ', 'Tt4sXVA3b4', 'RM5spTx6Ud', 'e4usZasGFQ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, lxuIxS626uPP3Z2gJP.cs | High entropy of concatenated method names: 'iI3phwQBH6', 'sM8puITtcA', 'iD7pGq8jK8', 't4Sprnpysy', 'uxFpdeZMJL', 'hUIpy0SpTy', 'xDcpsRlnAR', 'lx9p6wwWjq', 'zQkp0OxppQ', 't4Ap9JFwIF'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, bOdrHAW3rFim79dstj.cs | High entropy of concatenated method names: 'WWTSFfrBd1', 'x9QSeb9j7c', 'fHbSV90JWq', 'CsDSvibYZ6', 'mn2SAN9YT1', 'pT9SaqoB7P', 'XsTS88B0cn', 'I4kSjdGTyc', 'jYmSQvgfkR', 'g9OS5BCeJV'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.8780000.7.raw.unpack, jVPN2sqqRqN73tatjx.cs | High entropy of concatenated method names: 'Y5AHI9Zgd2', 'Nc9H4g58oD', 'vZp3DoKHwO', 'coD3EqM3PM', 'TEDH5qkHsh', 'IyhHTFag4G', 'XhjHWBj8vo', 'fYJHn0M4Gc', 'KLiHK4nyXN', 'WrWHMoTFnB'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, qEXeMKEDHBjNO3g5kDx.cs | High entropy of concatenated method names: 'YFkbU9YQSL', 'jVgbBGXtmn', 'w3Nb2Croqm', 'kb8blFikTQ', 'kq0bNlJlAB', 'SBNbLE1Vg8', 'AGtbmjnN54', 'YDIbF6Stlu', 'iiGbeahAnm', 'oJaboyygQp'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, pgV2xQGNaC0MNwXbFe.cs | High entropy of concatenated method names: 'Dispose', 'pn2EYTVqGC', 'XASXvaqyDU', 'Id3xxwtBcW', 'JPEE4HcyhV', 'yA9Ez4QccT', 'ProcessDialogKey', 'TKyXD8a3hS', 'IudXEfQsOf', 'JjRXXfeMKf'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, eQWaYJ17JN76s0bchq.cs | High entropy of concatenated method names: 'EoksUq2W1i', 'mQYsBspyD8', 'OCjs2Xb3qw', 't7BslRLkpb', 'E1XsNVsLN3', 'PBPsLCkcYU', 'mH1smjkAYy', 'IYLsFE8jvO', 'AAMsek9JZC', 'QJZso5e7aO'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, UeMKfk4aIVNMtlZgU6.cs | High entropy of concatenated method names: 'AlsbERdgeR', 'yi5bp8VXhk', 'zE2bZJM4nH', 'EuUbutBOo9', 'pifbGTUosf', 'gE3bdbNoDL', 'EaEbym7dma', 'lBc3OuhnIU', 'WM03IBXRuv', 'Yca3YM05vT'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, zZT5m8rdae6QEXhc5R.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'LmBXYkVYum', 'k2FX4vfSJ1', 'QGhXzEvSDX', 'qHLpDEEwyg', 'HC6pECGg1i', 'yIqpX8wrgR', 'aaVppyb7uQ', 'oKTUW94rR0QPZ2hev3r'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, i8a3hSYcudfQsOfajR.cs | High entropy of concatenated method names: 'wnO3VcUigD', 'efE3v5T8kM', 'YIq3c5JwMT', 'tmi3AuomNf', 'u3W3n4u6hk', 'iEL3aP9IJD', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, a1DVSLV5IdGcQCBcgx.cs | High entropy of concatenated method names: 'yY0yhJbjAv', 'OViyGg2Egg', 'w6UydFL30p', 'c5Tys69OcP', 'lyqy6SIy1H', 'ic1dfqfRP4', 'h95dqQL2Dk', 'TMCdOCEXje', 'QTVdICLIXQ', 'frXdY9my95'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, xRBFU6EXqOgxY7JkcgO.cs | High entropy of concatenated method names: 'gZbkUpDfHM', 'CrOkBobYvF', 'zgXk2UW5YW', 'FLAmuDrBAlxDchSTiLv', 'clu0QXrwQrNAY54byYJ', 'VysPxrrdFFWpT3xHotS', 'CFNjZnrzFGHOA16OvIh'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, pI8pd5oMsyKa6kgbSG.cs | High entropy of concatenated method names: 'll7dNGNtu0', 'DvRdmDoGaw', 'PWcrc2x1lP', 'E3trADA6as', 'jnXra9iTHv', 'IDIriLJCY5', 'wUWr8uy2k5', 'DiWrjsQAGc', 'SNEr1DTQZI', 'n71rQTKm80'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, cg19N0ziFArwRohoKf.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MiRbSh5wH0', 'xg5bgcLupt', 'iHZbtUcypp', 'Lg8bHLC5jh', 'BVXb3l89b5', 'keibbx1PGc', 'cxdbkGjsUn'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, LnprZyFhkO4Ahy0mDa.cs | High entropy of concatenated method names: 'nTWGnGfusL', 'B9jGKaFnHy', 'krjGMlOhya', 'lRTGJ0fgeU', 'LZ9GfyAXM2', 'cRlGqEiXYw', 'oneGOy7rUX', 'gBUGIPCnJ0', 'WxHGY3vj3O', 'iRSG4ygUwC'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, BVkZFxEpC5FKcTc1MU8.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zrykncWeba', 'sUokK6tmtK', 'FmpkMFCYiH', 'jQgkJ9AgXg', 'qHWkf5wkYE', 'DgWkqc7RKF', 'fpBkONuBWX'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, jvG3cOnPXmmY9OtVIx.cs | High entropy of concatenated method names: 'q1EgQt2YPB', 'F92gTLyIRl', 'eKSgnXqhAT', 'EBOgKXZ0y8', 'GrvgvcHgu8', 'v43gcpiQvN', 'p9IgAXpHK9', 'RSRga2GvNF', 'APmgicZsRv', 'swkg8S5Qsd'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, vEHcyhIVBA94QccTJK.cs | High entropy of concatenated method names: 'Odc3uGqWIy', 'wcI3GKE1ii', 'a9P3rBMZg6', 'E1L3dixaCC', 'wWg3yaogyb', 'ryN3sSLAJc', 'lt2366h0CY', 'yol300oLob', 'rSw39UNnTr', 'KZv37YrwFf'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, HWiQ3ieRoHS56tpk32.cs | High entropy of concatenated method names: 'K88rlASLhc', 'ynhrLRddHy', 'qXfrFw4oiE', 'LV2re3U4EB', 'jFCrgdZTdF', 'Ekxrt0jBkK', 'XFyrHiL8mD', 'Ct8r3upCEZ', 'iblrbGqV7P', 'qQCrkegg9R'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, lID1QQZEygTBQZkoGh.cs | High entropy of concatenated method names: 'AwjEsnprZy', 'ekOE64Ahy0', 'KRoE9HS56t', 'ck3E72tI8p', 'sgbEgSGD1D', 'GSLEt5IdGc', 'cLSBg7yippqySc86U2', 'iRRr57heQfP3sjNdY2', 'EZ1FjYiSXKwh6My3c5', 'gd5EElv7GJ'
Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, DKXLkcXaAY02BNmiss.cs | High entropy of concatenated method names: 'M782xFSeS', 'i8DlVFNTH', 'oGRLyPtlG', 'g2HmV54ek', 'oLCeny3Hn', 'xrqowkREW', 'HVGyGg3uDCHvtQdHI8', 'ES3q9JVL4M6OJ3sE0D', 'lnt36HTF8', 'JIwkkKndv'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, KOG1Ts8fBCdaQieJ0d.csHigh entropy of concatenated method names: 'G4XsuRVMt7', 'HglsrMpY8t', 'q8OsyVtNZM', 'p0ly4n3DSS', 'rUwyzteKr8', 'lSbsDMHZ8L', 'FiQsECJJAJ', 'Tt4sXVA3b4', 'RM5spTx6Ud', 'e4usZasGFQ'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, lxuIxS626uPP3Z2gJP.csHigh entropy of concatenated method names: 'iI3phwQBH6', 'sM8puITtcA', 'iD7pGq8jK8', 't4Sprnpysy', 'uxFpdeZMJL', 'hUIpy0SpTy', 'xDcpsRlnAR', 'lx9p6wwWjq', 'zQkp0OxppQ', 't4Ap9JFwIF'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, bOdrHAW3rFim79dstj.csHigh entropy of concatenated method names: 'WWTSFfrBd1', 'x9QSeb9j7c', 'fHbSV90JWq', 'CsDSvibYZ6', 'mn2SAN9YT1', 'pT9SaqoB7P', 'XsTS88B0cn', 'I4kSjdGTyc', 'jYmSQvgfkR', 'g9OS5BCeJV'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4bc7b20.0.raw.unpack, jVPN2sqqRqN73tatjx.csHigh entropy of concatenated method names: 'Y5AHI9Zgd2', 'Nc9H4g58oD', 'vZp3DoKHwO', 'coD3EqM3PM', 'TEDH5qkHsh', 'IyhHTFag4G', 'XhjHWBj8vo', 'fYJHn0M4Gc', 'KLiHK4nyXN', 'WrWHMoTFnB'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, qEXeMKEDHBjNO3g5kDx.csHigh entropy of concatenated method names: 'YFkbU9YQSL', 'jVgbBGXtmn', 'w3Nb2Croqm', 'kb8blFikTQ', 'kq0bNlJlAB', 'SBNbLE1Vg8', 'AGtbmjnN54', 'YDIbF6Stlu', 'iiGbeahAnm', 'oJaboyygQp'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, pgV2xQGNaC0MNwXbFe.csHigh entropy of concatenated method names: 'Dispose', 'pn2EYTVqGC', 'XASXvaqyDU', 'Id3xxwtBcW', 'JPEE4HcyhV', 'yA9Ez4QccT', 'ProcessDialogKey', 'TKyXD8a3hS', 'IudXEfQsOf', 'JjRXXfeMKf'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, eQWaYJ17JN76s0bchq.csHigh entropy of concatenated method names: 'EoksUq2W1i', 'mQYsBspyD8', 'OCjs2Xb3qw', 't7BslRLkpb', 'E1XsNVsLN3', 'PBPsLCkcYU', 'mH1smjkAYy', 'IYLsFE8jvO', 'AAMsek9JZC', 'QJZso5e7aO'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, UeMKfk4aIVNMtlZgU6.csHigh entropy of concatenated method names: 'AlsbERdgeR', 'yi5bp8VXhk', 'zE2bZJM4nH', 'EuUbutBOo9', 'pifbGTUosf', 'gE3bdbNoDL', 'EaEbym7dma', 'lBc3OuhnIU', 'WM03IBXRuv', 'Yca3YM05vT'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, zZT5m8rdae6QEXhc5R.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'LmBXYkVYum', 'k2FX4vfSJ1', 'QGhXzEvSDX', 'qHLpDEEwyg', 'HC6pECGg1i', 'yIqpX8wrgR', 'aaVppyb7uQ', 'oKTUW94rR0QPZ2hev3r'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, i8a3hSYcudfQsOfajR.csHigh entropy of concatenated method names: 'wnO3VcUigD', 'efE3v5T8kM', 'YIq3c5JwMT', 'tmi3AuomNf', 'u3W3n4u6hk', 'iEL3aP9IJD', 'Next', 'Next', 'Next', 'NextBytes'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, a1DVSLV5IdGcQCBcgx.csHigh entropy of concatenated method names: 'yY0yhJbjAv', 'OViyGg2Egg', 'w6UydFL30p', 'c5Tys69OcP', 'lyqy6SIy1H', 'ic1dfqfRP4', 'h95dqQL2Dk', 'TMCdOCEXje', 'QTVdICLIXQ', 'frXdY9my95'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, xRBFU6EXqOgxY7JkcgO.csHigh entropy of concatenated method names: 'gZbkUpDfHM', 'CrOkBobYvF', 'zgXk2UW5YW', 'FLAmuDrBAlxDchSTiLv', 'clu0QXrwQrNAY54byYJ', 'VysPxrrdFFWpT3xHotS', 'CFNjZnrzFGHOA16OvIh'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, pI8pd5oMsyKa6kgbSG.csHigh entropy of concatenated method names: 'll7dNGNtu0', 'DvRdmDoGaw', 'PWcrc2x1lP', 'E3trADA6as', 'jnXra9iTHv', 'IDIriLJCY5', 'wUWr8uy2k5', 'DiWrjsQAGc', 'SNEr1DTQZI', 'n71rQTKm80'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, cg19N0ziFArwRohoKf.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MiRbSh5wH0', 'xg5bgcLupt', 'iHZbtUcypp', 'Lg8bHLC5jh', 'BVXb3l89b5', 'keibbx1PGc', 'cxdbkGjsUn'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, LnprZyFhkO4Ahy0mDa.csHigh entropy of concatenated method names: 'nTWGnGfusL', 'B9jGKaFnHy', 'krjGMlOhya', 'lRTGJ0fgeU', 'LZ9GfyAXM2', 'cRlGqEiXYw', 'oneGOy7rUX', 'gBUGIPCnJ0', 'WxHGY3vj3O', 'iRSG4ygUwC'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, BVkZFxEpC5FKcTc1MU8.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'zrykncWeba', 'sUokK6tmtK', 'FmpkMFCYiH', 'jQgkJ9AgXg', 'qHWkf5wkYE', 'DgWkqc7RKF', 'fpBkONuBWX'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, jvG3cOnPXmmY9OtVIx.csHigh entropy of concatenated method names: 'q1EgQt2YPB', 'F92gTLyIRl', 'eKSgnXqhAT', 'EBOgKXZ0y8', 'GrvgvcHgu8', 'v43gcpiQvN', 'p9IgAXpHK9', 'RSRga2GvNF', 'APmgicZsRv', 'swkg8S5Qsd'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, vEHcyhIVBA94QccTJK.csHigh entropy of concatenated method names: 'Odc3uGqWIy', 'wcI3GKE1ii', 'a9P3rBMZg6', 'E1L3dixaCC', 'wWg3yaogyb', 'ryN3sSLAJc', 'lt2366h0CY', 'yol300oLob', 'rSw39UNnTr', 'KZv37YrwFf'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, HWiQ3ieRoHS56tpk32.csHigh entropy of concatenated method names: 'K88rlASLhc', 'ynhrLRddHy', 'qXfrFw4oiE', 'LV2re3U4EB', 'jFCrgdZTdF', 'Ekxrt0jBkK', 'XFyrHiL8mD', 'Ct8r3upCEZ', 'iblrbGqV7P', 'qQCrkegg9R'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, lID1QQZEygTBQZkoGh.csHigh entropy of concatenated method names: 'AwjEsnprZy', 'ekOE64Ahy0', 'KRoE9HS56t', 'ck3E72tI8p', 'sgbEgSGD1D', 'GSLEt5IdGc', 'cLSBg7yippqySc86U2', 'iRRr57heQfP3sjNdY2', 'EZ1FjYiSXKwh6My3c5', 'gd5EElv7GJ'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, DKXLkcXaAY02BNmiss.csHigh entropy of concatenated method names: 'M782xFSeS', 'i8DlVFNTH', 'oGRLyPtlG', 'g2HmV54ek', 'oLCeny3Hn', 'xrqowkREW', 'HVGyGg3uDCHvtQdHI8', 'ES3q9JVL4M6OJ3sE0D', 'lnt36HTF8', 'JIwkkKndv'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, KOG1Ts8fBCdaQieJ0d.csHigh entropy of concatenated method names: 'G4XsuRVMt7', 'HglsrMpY8t', 'q8OsyVtNZM', 'p0ly4n3DSS', 'rUwyzteKr8', 'lSbsDMHZ8L', 'FiQsECJJAJ', 'Tt4sXVA3b4', 'RM5spTx6Ud', 'e4usZasGFQ'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, lxuIxS626uPP3Z2gJP.csHigh entropy of concatenated method names: 'iI3phwQBH6', 'sM8puITtcA', 'iD7pGq8jK8', 't4Sprnpysy', 'uxFpdeZMJL', 'hUIpy0SpTy', 'xDcpsRlnAR', 'lx9p6wwWjq', 'zQkp0OxppQ', 't4Ap9JFwIF'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, bOdrHAW3rFim79dstj.csHigh entropy of concatenated method names: 'WWTSFfrBd1', 'x9QSeb9j7c', 'fHbSV90JWq', 'CsDSvibYZ6', 'mn2SAN9YT1', 'pT9SaqoB7P', 'XsTS88B0cn', 'I4kSjdGTyc', 'jYmSQvgfkR', 'g9OS5BCeJV'
                  Source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.4c5d140.3.raw.unpack, jVPN2sqqRqN73tatjx.csHigh entropy of concatenated method names: 'Y5AHI9Zgd2', 'Nc9H4g58oD', 'vZp3DoKHwO', 'coD3EqM3PM', 'TEDH5qkHsh', 'IyhHTFag4G', 'XhjHWBj8vo', 'fYJHn0M4Gc', 'KLiHK4nyXN', 'WrWHMoTFnB'
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeFile created: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeJump to dropped file

                  Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp32DE.tmp"

                  Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe PID: 3140, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: PUwpftrjIH.exe PID: 7592, type: MEMORYSTR
                  Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1727481234.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4167963900.0000000000435000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: 1240000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: 2E40000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: 13F0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: 5F30000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: 6F30000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: 7060000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: 8060000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: 8820000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: 9820000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: A820000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: B820000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: 11D0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: 2F30000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: 4F30000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: F80000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: 2940000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: 4940000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: 5B80000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: 6B80000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: 6CB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: 7CB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: 8400000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: 9400000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: A400000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: B400000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: 18D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory allocated: 32A0000 memory reserve | memory write watch
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Thread delayed: delay time: 599828
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Thread delayed: delay time: 599717
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Thread delayed: delay time: 599606
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Thread delayed: delay time: 599495
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Thread delayed: delay time: 599387
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Thread delayed: delay time: 599228
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Thread delayed: delay time: 599094
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Thread delayed: delay time: 598981
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Thread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Thread delayed: delay time: 599890
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Thread delayed: delay time: 599780
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Thread delayed: delay time: 599669
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Thread delayed: delay time: 599560
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Thread delayed: delay time: 599444
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Thread delayed: delay time: 599328
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6414
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1149
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7124
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1148
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Window / User API: threadDelayed 3552
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Window / User API: threadDelayed 6211
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Window / User API: threadDelayed 2049
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Window / User API: threadDelayed 7801
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 4940 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268 | Thread sleep count: 6414 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7492 | Thread sleep time: -4611686018427385s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7268 | Thread sleep count: 1149 > 30
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7372 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7488 | Thread sleep time: -5534023222112862s >= -30000s
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7384 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep count: 31 > 30
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -28592453314249787s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -599828s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7560 | Thread sleep count: 3552 > 30
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7560 | Thread sleep count: 6211 > 30
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -599717s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -599606s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -599495s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -599387s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -599228s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -599094s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -598981s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -100000s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -99875s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -99765s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -99656s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -99547s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -99437s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -99328s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -99219s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -99109s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -99000s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -98890s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -98781s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -98669s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -98562s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -98453s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -98344s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -98234s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -98125s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -98015s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -97906s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -97797s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -97687s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -97575s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -97468s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -97359s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -97250s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -97140s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -97031s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -96922s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -96812s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -96703s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -96593s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -96484s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -96375s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -96265s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -96153s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -96047s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -95937s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -95826s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -95719s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -95609s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -95500s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -95390s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe TID: 7556 | Thread sleep time: -95281s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7688 | Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep count: 34 > 30
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -31359464925306218s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7872 | Thread sleep count: 2049 > 30
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -599890s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7872 | Thread sleep count: 7801 > 30
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -599780s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -599669s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -599560s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -599444s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -599328s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -100000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -99890s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -99781s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -99672s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -99562s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -99444s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -99328s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -99219s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -99109s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -99000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -98886s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -98738s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -98609s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -98498s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -98390s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -98281s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -98172s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -98062s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -97953s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -97844s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -97733s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -97625s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -97515s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -97406s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -97297s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -97187s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -97078s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -96969s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -96859s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -96749s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -96640s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -96521s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -96391s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -96266s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -96141s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -96031s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -95922s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868 | Thread sleep time: -95812s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868Thread sleep time: -95703s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868Thread sleep time: -95594s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868Thread sleep time: -95484s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868Thread sleep time: -95375s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868Thread sleep time: -95265s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe TID: 7868Thread sleep time: -95156s >= -30000s
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 600000Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 599828Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 599717Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 599606Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 599495Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 599387Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 599228Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 599094Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 598981Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 100000Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 99875Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 99765Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 99656Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 99547Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 99437Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 99328Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 99219Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 99109Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 99000Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 98890Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 98781Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 98669Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 98562Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 98453Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 98344Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 98234Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 98125Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 98015Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 97906Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 97797Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 97687Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 97575Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 97468Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 97359Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 97250Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 97140Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 97031Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 96922Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 96812Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 96703Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 96593Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 96484Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 96375Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 96265Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 96153Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 96047Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 95937Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 95826Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 95719Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 95609Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 95500Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 95390Jump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeThread delayed: delay time: 95281Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 922337203685477Jump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 599890
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 599780
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 599669
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 599560
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 599444
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 599328
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 100000
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 99890
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 99781
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 99672
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 99562
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 99444
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 99328
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 99219
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 99109
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 99000
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 98886
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 98738
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 98609
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 98498
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 98390
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 98281
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 98172
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 98062
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 97953
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 97844
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 97733
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 97625
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 97515
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 97406
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 97297
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 97187
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 97078
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 96969
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 96859
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 96749
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 96640
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 96521
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 96391
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 96266
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 96141
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 96031
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 95922
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 95812
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 95703
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 95594
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 95484
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 95375
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 95265
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeThread delayed: delay time: 95156
                  Source: PUwpftrjIH.exe, 0000000C.00000002.4167963900.0000000000435000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: vmware
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1724540848.0000000001042000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\xt
                  Source: PUwpftrjIH.exe, 0000000C.00000002.4167963900.0000000000435000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: VMwareVBox
                  Source: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4171077285.00000000012F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll>
                  Source: PUwpftrjIH.exe, 0000000C.00000002.4169095549.000000000168E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                  Anti Debugging

                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Code function: 7_2_011D7EC8 CheckRemoteDebuggerPresent, 7_2_011D7EC8
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Process queried: DebugPort
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process token adjusted: Debug
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PUwpftrjIH.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PUwpftrjIH.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Memory written: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Memory written: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe base: 400000 value starts with: 4D5A
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PUwpftrjIH.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp32DE.tmp"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe"
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp4201.tmp"
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Process created: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe "C:\Users\user\AppData\Roaming\PUwpftrjIH.exe"
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe VolumeInformation
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeQueries volume information: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeQueries volume information: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                  Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4174148068.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4173335726.000000000332C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4174148068.0000000002FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4174148068.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4173335726.0000000003305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1727481234.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe PID: 3140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe PID: 7420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PUwpftrjIH.exe PID: 7780, type: MEMORYSTR
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4174148068.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4173335726.0000000003305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1727481234.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe PID: 3140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe PID: 7420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PUwpftrjIH.exe PID: 7780, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e84d70.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe.3e49550.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4174148068.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4173335726.000000000332C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4174148068.0000000002FC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4174148068.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.4173335726.0000000003305000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1727481234.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe PID: 3140, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe PID: 7420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PUwpftrjIH.exe PID: 7780, type: MEMORYSTR
MITRE ATT&CK Matrix (rebuilt from the flattened matrix view; techniques are listed per tactic column in the report's row order, and a number preceding a technique is the count shown for it in the report)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 1 DLL Side-Loading; 111 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 151 Virtualization/Sandbox Evasion; 111 Process Injection
Credential Access: 2 OS Credential Dumping; 1 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 1 Query Registry; 521 Security Software Discovery; 1 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 1 Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph (ID 1429018; sample SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe; start date 20/04/2024; architecture WINDOWS; score 100). The rendered graph is not reproduced here; the process tree, network contacts and per-node signatures recovered from it are listed below.

Contacted hosts: mail.hoangtruongphat.com; ip-api.com; api.ipify.org
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 11 other signatures

SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe (started)
  Dropped: C:\Users\user\AppData\...\PUwpftrjIH.exe (PE32); C:\Users\user\AppData\Local\...\tmp32DE.tmp (XML)
  Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Uses schtasks.exe or at.exe to add and modify task schedules; 3 other signatures
  -> SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe (started)
       Network: mail.hoangtruongphat.com 125.212.217.248, ports 49733, 49735, 587, VIETEL-AS-APViettelGroupVN, Viet Nam
       Network: ip-api.com 208.95.112.1, ports 49731, 49734, 80, TUT-ASUS, United States
       Network: api.ipify.org 104.26.13.205, ports 443, 49730, 49732, CLOUDFLARENETUS, United States
  -> powershell.exe (started); signature: Loading BitLocker PowerShell Module
       -> WmiPrvSE.exe (started)
       -> conhost.exe (started)
  -> powershell.exe (started)
       -> conhost.exe (started)
  -> schtasks.exe (started)
       -> conhost.exe (started)
PUwpftrjIH.exe (started)
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  -> PUwpftrjIH.exe (started)
       Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
  -> schtasks.exe (started)
       -> conhost.exe (started)

Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | 42% | ReversingLabs
SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | 38% | Virustotal
SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | 100% | Avira | HEUR/AGEN.1323731
SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe | 100% | Joe Sandbox ML

Antivirus detection, dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | 100% | Avira | HEUR/AGEN.1323731
C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | 42% | ReversingLabs
C:\Users\user\AppData\Roaming\PUwpftrjIH.exe | 38% | Virustotal

No Antivirus matches

Antivirus detection, domains (Source | Detection | Scanner):
mail.hoangtruongphat.com | 1% | Virustotal

Antivirus detection, URLs (Source | Detection | Scanner | Label):
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://mail.hoangtruongphat.com | 1% | Virustotal
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
mail.hoangtruongphat.com | 125.212.217.248 | true | true | (none) | unknown
api.ipify.org | 104.26.13.205 | true | false | (none) | high
ip-api.com | 208.95.112.1 | true | false | (none) | high

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation):
https://api.ipify.org/ | false | (none) | high
http://ip-api.com/line/?fields=hosting | false | (none) | high

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation):
https://api.ipify.org | SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1727481234.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4167963900.0000000000435000.00000040.00000400.00020000.00000000.sdmp | false | (none) | high
https://sectigo.com/CPS0 | SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4183914195.0000000006916000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4171077285.00000000012F1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002FC5000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.000000000332C000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4169095549.000000000165D000.00000004.00000020.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4182176227.0000000006B94000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://account.dyn.com/ | SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1727481234.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4167911158.0000000000436000.00000040.00000400.00020000.00000000.sdmp | false | (none) | high
https://api.ipify.org/t | SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.00000000032A1000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000000.00000002.1725787312.00000000030EF000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002F31000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 00000009.00000002.1763743018.0000000002BEF000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.00000000032A1000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://ip-api.com | SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002F81000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
http://mail.hoangtruongphat.com | SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe, 00000007.00000002.4174148068.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, PUwpftrjIH.exe, 0000000C.00000002.4173335726.000000000332C000.00000004.00000800.00020000.00000000.sdmp | false | (none) | unknown
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
125.212.217.248 | mail.hoangtruongphat.com | Viet Nam | 7552 | VIETEL-AS-AP Viettel Group, VN | true
208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS, US | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENET, US | false
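The three contacted hosts carry different weight. mail.hoangtruongphat.com on 125.212.217.248 is the only one the sandbox flags as malicious, and a mail host reached by a credential stealer is best treated as the exfiltration endpoint (an assumption drawn from the flag and the hostname, not a statement the report makes). ip-api.com and api.ipify.org are public IP and geolocation lookup services that the sample calls to profile the victim and that legitimate software calls as well, so a hit on them alone is weak evidence. The Python script below is an added example, not part of the Joe Sandbox report or of the sample, that sweeps connection logs for these indicators with that distinction built in. The log format, the log lines and the verdict rules are constructed for the demo; hostnames are matched before IPs because api.ipify.org appears on several Cloudflare addresses elsewhere in this report.

```python
"""IOC sweep over connection logs for the hosts this report lists.

Added example, not part of the Joe Sandbox report. The indicator table is
transcribed from the report; the log format and log lines are constructed.
"""
import re
from collections import defaultdict

# (domain, ip, tier) from the report's contacted-host table. Tier reflects what
# a match means on its own: the mail host is the endpoint the sandbox marked
# malicious (assumed here to be the exfiltration server); ip-api.com and
# api.ipify.org are public lookup services that benign software also calls,
# so a hit there is only corroborating evidence.
IOCS = [
    ("mail.hoangtruongphat.com", "125.212.217.248", "high"),
    ("ip-api.com", "208.95.112.1", "low"),
    ("api.ipify.org", "104.26.13.205", "low"),
]

# Constructed connection log (not from the report):
#   <timestamp> <src-ip> -> <dst-ip>:<port> [key=value ...]
SAMPLE_LOG = """\
2024-04-20T01:23:10Z 10.0.0.5 -> 172.67.74.152:443 sni=api.ipify.org
2024-04-20T01:23:11Z 10.0.0.5 -> 208.95.112.1:80 host=ip-api.com
2024-04-20T01:23:15Z 10.0.0.5 -> 125.212.217.248:587 proto=smtp
2024-04-20T01:24:00Z 10.0.0.9 -> 142.250.74.46:443 sni=www.google.com
2024-04-20T01:25:30Z 10.0.0.12 -> 104.26.13.205:443 sni=api.ipify.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+)(?: (?P<kv>.*))?$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in (m.group("kv") or "").split() if "=" in p)
    return {
        "ts": m.group("ts"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "port": int(m.group("port")),
        # TLS SNI or HTTP Host header, when the sensor recorded one
        "name": kv.get("sni") or kv.get("host"),
    }


def match_ioc(rec: dict):
    """Return (domain, tier) if the record touches an indicator, else None.

    Hostname is checked before IP: api.ipify.org sits behind Cloudflare and the
    report's context tables show it on several addresses, so pinning it to
    104.26.13.205 alone would miss most traffic. The mail host is also matched
    by IP, since a raw SMTP session carries no SNI or Host header.
    """
    for domain, ip, tier in IOCS:
        name = rec["name"]
        if name and (name == domain or name.endswith("." + domain)):
            return domain, tier
        if rec["dst"] == ip:
            return domain, tier
    return None


def sweep(log_text: str):
    """Group indicator hits per source host and return ({src: verdict}, {src: hits})."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        found = match_ioc(rec)
        if found:
            domain, tier = found
            hits[rec["src"]].append((rec["ts"], domain, rec["port"], tier))

    verdicts = {}
    for src, src_hits in hits.items():
        tiers = {h[3] for h in src_hits}
        domains = {h[1] for h in src_hits}
        if "high" in tiers:
            verdicts[src] = "malicious"      # talked to the flagged mail host
        elif len(domains) >= 2:
            verdicts[src] = "suspicious"     # both profiling services, as the sample does
        else:
            verdicts[src] = "review"         # single public-service hit; weak on its own
    return verdicts, dict(hits)


if __name__ == "__main__":
    verdicts, hits = sweep(SAMPLE_LOG)
    for src, verdict in verdicts.items():
        print(src, verdict)
        for ts, domain, port, tier in hits[src]:
            print(f"    {ts} {domain}:{port} ({tier})")
```

Run against real proxy or NetFlow exports, the parser is the only part that needs adapting; the tiering is what keeps the two public lookup services from flooding the result with benign hosts.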
                                    Joe Sandbox version:40.0.0 Tourmaline
                                    Analysis ID:1429018
                                    Start date and time:2024-04-20 03:22:08 +02:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 11m 50s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Sample name:SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@19/15@4/3
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 98%
                                    • Number of executed functions: 154
                                    • Number of non-executed functions: 24
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:23:06 | Task Scheduler | Run new task: PUwpftrjIH path: C:\Users\user\AppData\Roaming\PUwpftrjIH.exe
03:23:03 | API Interceptor | 9470592x Sleep call for process: SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe modified
03:23:04 | API Interceptor | 34x Sleep call for process: powershell.exe modified
03:23:07 | API Interceptor | 7494420x Sleep call for process: PUwpftrjIH.exe modified
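The Task Scheduler entry above is the persistence mechanism: a task named after the dropped copy launches it from the user's AppData\Roaming directory. The Python script below is an added example, not part of the report, that walks Task Scheduler XML definitions and flags actions that execute from user-writable directories or invoke a script host with arguments. The two task definitions are constructed for the demo (only the PUwpftrjIH path is taken from the report), the directory list and the script-host list are assumptions, and scan_task_store() is meant to be run on a Windows host against C:\Windows\System32\Tasks.

```python
"""Hunt for scheduled-task persistence of the kind recorded in this report.

Added example, not part of the Joe Sandbox report. The task XML documents
below are constructed; only the PUwpftrjIH path comes from the report.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories a task action should rarely execute from (assumed list); the
# report's task ran C:\Users\user\AppData\Roaming\PUwpftrjIH.exe.
USER_WRITABLE = re.compile(
    r"\\(AppData\\(Roaming|Local)|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE
)
# Script hosts whose presence with arguments in a task action deserves a look (assumed list).
SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def exec_actions(task_xml):
    """Yield (command, arguments) for each <Exec> action in a Task Scheduler XML document."""
    root = ET.fromstring(task_xml)
    for ex in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        yield cmd, args


def assess_task(name, task_xml):
    """Score one task definition; returns {'task', 'suspicious', 'findings'}."""
    findings = []
    for cmd, args in exec_actions(task_xml):
        if USER_WRITABLE.search(cmd):
            findings.append(f"runs from user-writable path: {cmd}")
        if cmd.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS and args:
            findings.append(f"script host with arguments: {cmd} {args}")
    return {"task": name, "suspicious": bool(findings), "findings": findings}


def scan_task_store(root=r"C:\Windows\System32\Tasks"):
    """Walk the on-disk task store (files are UTF-16 XML, so parse as bytes) and return suspicious tasks."""
    results = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                results.append(assess_task(str(path.relative_to(root)), path.read_bytes()))
            except ET.ParseError:
                continue
    return [r for r in results if r["suspicious"]]


# Constructed task definitions (not from the report), written without the XML
# declaration that real task files carry so they can be fed in as str.
SAMPLE_TASKS = {
    "PUwpftrjIH": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Users\\user\\AppData\\Roaming\\PUwpftrjIH.exe"</Command></Exec>
  </Actions>
</Task>""",
    "VendorUpdater": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\Vendor\\updater.exe</Command><Arguments>/check</Arguments></Exec>
  </Actions>
</Task>""",
}

if __name__ == "__main__":
    for task_name, xml_text in SAMPLE_TASKS.items():
        print(assess_task(task_name, xml_text))
```

A task that merely runs from a user-writable path is not proof of compromise on its own, which is why the function returns the individual findings rather than a single verdict; pair it with the registration time and the creating process from the event log before acting.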
Context: IPs
Associated sample name / URL | Detection | Threat name | Context

Match: 125.212.217.248
• SecuriteInfo.com.Win32.PWSX-gen.18442.28659.exe | malicious | AgentTesla
• SecuriteInfo.com.Heur.9508.19196.exe | malicious | AgentTesla
• SecuriteInfo.com.Win32.TrojanX-gen.16521.31249.exe | malicious | AgentTesla
• SecuriteInfo.com.Win32.PWSX-gen.8396.18973.exe | malicious | AgentTesla
• SOA.exe | malicious | AgentTesla
• SecuriteInfo.com.Win32.PWSX-gen.18603.7502.exe | malicious | AgentTesla
• SecuriteInfo.com.Win32.CrypterX-gen.28316.31463.exe | malicious | AgentTesla
• SecuriteInfo.com.Win32.CrypterX-gen.2006.1539.exe | malicious | AgentTesla
• PNSCKHAIRPURSPARES ENQ 0782023.exe | malicious | AgentTesla, PureLog Stealer
• SecuriteInfo.com.Win32.PWSX-gen.23268.16982.exe | malicious | AgentTesla, PureLog Stealer

Match: 208.95.112.1
• SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx | malicious | AgentTesla | ip-api.com/line/?fields=hosting
• T1SEuO2fxi.exe | malicious | Xehook Stealer | ip-api.com/json/?fields=11827
• xnNcI6OenKJs.exe | malicious | Quasar | ip-api.com/json/
• T1SEuO2fxi.exe | malicious | Xehook Stealer | ip-api.com/json/?fields=11827
• rMayNewPurchase.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
• rRECEIPTTRANSFE.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
• charesworh.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
• FAR.N_2430-240009934.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
• FAR.N#U00b02430-24000993.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
• tems.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting

Match: 104.26.13.205
• SecuriteInfo.com.Trojan.DownLoaderNET.960.9931.28151.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
• Sky-Beta-Setup.exe | malicious | Stealit | api.ipify.org/?format=json
• ArenaWarSetup.exe | malicious | Stealit | api.ipify.org/?format=json
• Sky-Beta Setup 1.0.0.exe | malicious | Unknown | api.ipify.org/?format=json
• E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
• E4sbo4F6Sz.exe | malicious | Unknown | api.ipify.org/
• SecuriteInfo.com.Win64.RATX-gen.31127.4101.exe | malicious | PureLog Stealer, Targeted Ransomware | api.ipify.org/
Context: Domains
Associated sample name / URL | Detection | Threat name | Context

Match: mail.hoangtruongphat.com
• SecuriteInfo.com.Win32.PWSX-gen.18442.28659.exe | malicious | AgentTesla | 125.212.217.248
• SecuriteInfo.com.Heur.9508.19196.exe | malicious | AgentTesla | 125.212.217.248
• SecuriteInfo.com.Win32.TrojanX-gen.16521.31249.exe | malicious | AgentTesla | 125.212.217.248
• SecuriteInfo.com.Win32.PWSX-gen.8396.18973.exe | malicious | AgentTesla | 125.212.217.248
• SOA.exe | malicious | AgentTesla | 125.212.217.248
• SecuriteInfo.com.Win32.PWSX-gen.18603.7502.exe | malicious | AgentTesla | 125.212.217.248
• SecuriteInfo.com.Win32.CrypterX-gen.28316.31463.exe | malicious | AgentTesla | 125.212.217.248
• SecuriteInfo.com.Win32.CrypterX-gen.2006.1539.exe | malicious | AgentTesla | 125.212.217.248
• PNSCKHAIRPURSPARES ENQ 0782023.exe | malicious | AgentTesla, PureLog Stealer | 125.212.217.248
• SecuriteInfo.com.Win32.PWSX-gen.23268.16982.exe | malicious | AgentTesla, PureLog Stealer | 125.212.217.248

Match: ip-api.com
• SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx | malicious | AgentTesla | 208.95.112.1
• T1SEuO2fxi.exe | malicious | Xehook Stealer | 208.95.112.1
• xnNcI6OenKJs.exe | malicious | Quasar | 208.95.112.1
• T1SEuO2fxi.exe | malicious | Xehook Stealer | 208.95.112.1
• rMayNewPurchase.exe | malicious | AgentTesla | 208.95.112.1
• rRECEIPTTRANSFE.exe | malicious | AgentTesla | 208.95.112.1
• charesworh.exe | malicious | AgentTesla | 208.95.112.1
• FAR.N_2430-240009934.exe | malicious | AgentTesla | 208.95.112.1
• FAR.N#U00b02430-24000993.exe | malicious | AgentTesla | 208.95.112.1
• tems.exe | malicious | AgentTesla | 208.95.112.1

Match: api.ipify.org
• IMG_210112052.exe | malicious | AgentTesla, PureLog Stealer | 172.67.74.152
• z1E-catalogSamples.exe | malicious | AgentTesla | 104.26.12.205
• PO-095325.scr.exe | malicious | AgentTesla | 104.26.12.205
• Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 172.67.74.152
• eOU2MVDmTd.exe | malicious | CredGrabber, Meduza Stealer, PureLog Stealer, zgRAT | 172.67.74.152
• Receipt_032114005.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
• eO2bqORIJb.exe | malicious | AgentTesla | 104.26.12.205
• avp.msi | malicious | Unknown | 104.26.12.205
• https://cvn7.sa.com/invoice.html?app= | malicious | HTMLPhisher | 172.67.74.152
• TiKj3IVDj4.exe | malicious | Mint Stealer | 104.26.13.205
Context: ASNs
Associated sample name / URL | Detection | Threat name | Context

Match: VIETEL-AS-AP Viettel Group, VN
• czEunnbk7b.elf | malicious | Mirai | 27.77.90.67
• 9IseFevRH6.elf | malicious | Mirai | 115.73.156.26
• UuD1zt2QpK.elf | malicious | Mirai | 27.64.175.201
• 16rBksY5gH.elf | malicious | Mirai | 171.224.189.149
• xexngqLbiY.elf | malicious | Gafgyt, Mirai | 27.68.234.32
• SecuriteInfo.com.Win32.PWSX-gen.18442.28659.exe | malicious | AgentTesla | 125.212.217.248
• zfehGxWbb4.elf | malicious | Mirai | 27.65.117.218
• tL98mBWW8p.elf | malicious | Mirai | 115.74.145.217
• szBCKC8yTb.elf | malicious | Mirai | 27.68.111.143

Match: CLOUDFLARENET, US
• 0OqTUkeaoD.exe | malicious | RedLine | 104.20.3.235
• https://bj8lt4fm8evwyl.pages.dev/smart89/ | malicious | Unknown | 172.66.47.24
• https://jainpokliultachor.pages.dev/ | malicious | Unknown | 104.22.24.131
• https://pusha1qsn.z13.web.core.windows.net/ | malicious | TechSupportScam | 104.21.53.38
• https://19apmacc8.z13.web.core.windows.net/ | malicious | Unknown | 104.22.24.131
• https://loo54.z11.web.core.windows.net/werrx01USAHTML/?bcda=1-844-621-0495 | malicious | TechSupportScam | 172.67.208.186
• https://support1-4ec.pages.dev/ | malicious | TechSupportScam | 172.66.44.177
• https://support-bxv.pages.dev/ | malicious | TechSupportScam | 172.66.44.120
• https://mitchells-place.pages.dev/ | malicious | HTMLPhisher | 104.17.25.14
• https://tronfwo8b.z13.web.core.windows.net/ | malicious | TechSupportScam | 104.21.53.38

Match: TUT-AS, US
• SecuriteInfo.com.Win32.SuspectCrc.28876.20318.xlsx | malicious | AgentTesla | 208.95.112.1
• T1SEuO2fxi.exe | malicious | Xehook Stealer | 208.95.112.1
• xnNcI6OenKJs.exe | malicious | Quasar | 208.95.112.1
• T1SEuO2fxi.exe | malicious | Xehook Stealer | 208.95.112.1
• rMayNewPurchase.exe | malicious | AgentTesla | 208.95.112.1
• rRECEIPTTRANSFE.exe | malicious | AgentTesla | 208.95.112.1
• charesworh.exe | malicious | AgentTesla | 208.95.112.1
• FAR.N_2430-240009934.exe | malicious | AgentTesla | 208.95.112.1
• FAR.N#U00b02430-24000993.exe | malicious | AgentTesla | 208.95.112.1
• tems.exe | malicious | AgentTesla | 208.95.112.1
Context: JA3 fingerprints
Associated sample name / URL | Detection | Threat name | Context

Match: 3b5074b1b5d032e5620f69f9f700ff0e
• 0OqTUkeaoD.exe | malicious | RedLine | 104.26.13.205
• IMG_210112052.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
• https://keenetownhall-my.sharepoint.com/:b:/g/personal/amanda_keenetownhall_org/ESKbqbSIMj5ElsbdsfaEg7oBgkFm5H_JqS97uaySzVhJDQ?e=KMMz4y | malicious | HTMLPhisher | 104.26.13.205
• https://www.canva.com/design/DAGC4eUhMw0/cKr_ImwjL8JW0nUMNMi5QA/view?utm_content=DAGC4eUhMw0&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | Unknown | 104.26.13.205
• z1E-catalogSamples.exe | malicious | AgentTesla | 104.26.13.205
• rTDN001-180424_PDF.scr.exe | malicious | AgentTesla, PureLog Stealer | 104.26.13.205
• PO-095325.scr.exe | malicious | AgentTesla | 104.26.13.205
• Copy of Poseidon Marine 4th monthly Stores Apr 2024 R3 .xls.vbs | malicious | AgentTesla, GuLoader | 104.26.13.205
• W4tW72sfAD.exe | malicious | DCRat, PureLog Stealer, zgRAT | 104.26.13.205
• http://www.sushi-idea.com | malicious | Unknown | 104.26.13.205
                                                        No context
                                                        Process:C:\Users\user\AppData\Roaming\PUwpftrjIH.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:false
                                                        Reputation:high, very likely benign file
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
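The Entropy (8bit) figure in these entries is Shannon entropy in bits per byte: 5.34 for the 1216-byte ASCII file listing .NET assemblies is typical of text, while packed or encrypted payloads sit close to the 8.0 maximum. The Python snippet below is an added example, not part of the report, that computes the same metric for a file and combines it with the SHA-256 values of the dropped files already triaged above, so an analyst re-examining a host can skip the known files and spend time on high-entropy unknowns. The 7.2 cut-off and the two sample inputs are assumptions constructed for the demo.

```python
"""Entropy and hash triage for dropped files.

Added example, not part of the Joe Sandbox report. The hash table is
transcribed from the report's dropped-file entries; the threshold and the
sample inputs are assumptions.
"""
import hashlib
import math
from collections import Counter

# SHA-256 values of dropped files the report already classified (all Malicious: false).
KNOWN_DROPPED = {
    "B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560": "known: .NET assembly list, reputation high (report)",
    "72F8629C56744FE3E1E3C1B705EF6355E59E5C96B4924427EE430C9F9EF46809": "known: data file modified by powershell.exe (report)",
    "96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7": "known: PowerShell AppLocker test file (report)",
}

# Heuristic cut-off (assumption, not from the report): ASCII logs land around
# 4 to 5.5 bits per byte, as the entries above show; packed or encrypted
# payloads approach the 8-bit maximum.
HIGH_ENTROPY = 7.2


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 to 8.0), the report's 'Entropy (8bit)' metric."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes) -> dict:
    """Hash the blob, look it up against the report's dropped files, then fall back to entropy."""
    digest = hashlib.sha256(data).hexdigest().upper()
    entropy = shannon_entropy(data)
    if digest in KNOWN_DROPPED:
        verdict = KNOWN_DROPPED[digest]
    elif entropy >= HIGH_ENTROPY:
        verdict = "high entropy: inspect (possible packed or encrypted payload)"
    else:
        verdict = "unknown: low entropy, hash not in report"
    return {"sha256": digest, "size": len(data), "entropy": round(entropy, 3), "verdict": verdict}


# Constructed inputs for the demo (not the report's files).
SAMPLE_TEXT = b'1,"fusion","GAC",0\r\n1,"WinRT","NotApp",1\r\n' * 20   # ASCII, log-like
SAMPLE_UNIFORM = bytes(range(256)) * 8                                # every byte value equally often

if __name__ == "__main__":
    for label, blob in (("text", SAMPLE_TEXT), ("uniform", SAMPLE_UNIFORM)):
        print(label, triage(blob))
```

Entropy alone does not separate a packed stager from a legitimately compressed archive, so the hash lookup runs first and the threshold only decides which unknown files get opened by hand.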
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:modified
                                                        Size (bytes):2232
                                                        Entropy (8bit):5.379401388151058
                                                        Encrypted:false
                                                        SSDEEP:48:fWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZmUyus:fLHxvIIwLgZ2KRHWLOuggs
                                                        MD5:1F07DBFC960DDEA7295F1A6FD48057B1
                                                        SHA1:05F3052BCC168B834CEA8EA48E050020C5CAD8F5
                                                        SHA-256:72F8629C56744FE3E1E3C1B705EF6355E59E5C96B4924427EE430C9F9EF46809
                                                        SHA-512:D94DF9A81FAF494891837FA73FECEF1D8226E18978A2EEA534409724409E13C6DACAB32E00C494FB2A140573E1C152EE407A0E070515B3802A06649690B1C491
                                                        Malicious:false
                                                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1576
                                                        Entropy (8bit):5.109217564624203
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaqa+xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTDayv
                                                        MD5:CF85B406A6E2DD4F18E2DD3FBFC17454
                                                        SHA1:4CC7D4EDB035CAF070AE189A7F2E2F8CD0FE6B62
                                                        SHA-256:91839659787A880511D54F57D3AA50E3BE5EB06144CBD7A763FE32BA63DF2756
                                                        SHA-512:56768A9B97A87F5A4E454F610D94FDB7B436A761421276EC933B53F5ED4C6039FFF36C030AD0635D1C8E2535887DB619FCEFB11E13B69440D784E2C58D19C3FE
                                                        Malicious:true
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                        Process:C:\Users\user\AppData\Roaming\PUwpftrjIH.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1576
                                                        Entropy (8bit):5.109217564624203
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaqa+xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTDayv
                                                        MD5:CF85B406A6E2DD4F18E2DD3FBFC17454
                                                        SHA1:4CC7D4EDB035CAF070AE189A7F2E2F8CD0FE6B62
                                                        SHA-256:91839659787A880511D54F57D3AA50E3BE5EB06144CBD7A763FE32BA63DF2756
                                                        SHA-512:56768A9B97A87F5A4E454F610D94FDB7B436A761421276EC933B53F5ED4C6039FFF36C030AD0635D1C8E2535887DB619FCEFB11E13B69440D784E2C58D19C3FE
                                                        Malicious:false
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):803328
                                                        Entropy (8bit):7.976306047773217
                                                        Encrypted:false
                                                        SSDEEP:24576:xXYwIG7RaOvoOnAHRtZbsy1vBF1rG3AbHO7G:zIG7sOvoOnkFwoBLrG3AbHo
                                                        MD5:906CB4D1D82674CA8E0C0614D34AF552
                                                        SHA1:1C38BD8F3122BC9AAF7C2A8968C252FF2B264721
                                                        SHA-256:6670DE035561AB5F4CD82D89A4AB969B7D8EAF1DA047782B37399D79EEB4762E
                                                        SHA-512:6795637D769A1C0EF52A7E616B7F9F2310EC88889B8220A2D0268BED6A7B04EC0B5391355222B7AB0072C07E12EDD2ADCDCF8EEECD4A4029F5142FA3DFFE7BC6
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Avira, Detection: 100%
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 42%
                                                         • Antivirus: Virustotal, Detection: 38%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9."f.................8...........V... ...`....@.. ....................................@.................................@V..W....`............................................................................... ............... ..H............text....6... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B................|V......H........*...+......7....p..............................................z.(......}.....(....o....}....*..0...........{............3.....(.....*..................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.|.{....Xa}......}.....{....oI...:q....(....+..(........}.........(......*................n..}.....{....,..{....o@...*..{....*.s..
                                                        Process:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:false
                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.976306047773217
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                        • Win32 Executable (generic) a (10002005/4) 49.78%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        • DOS Executable Generic (2002/1) 0.01%
                                                        File name:SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
                                                        File size:803'328 bytes
                                                        MD5:906cb4d1d82674ca8e0c0614d34af552
                                                        SHA1:1c38bd8f3122bc9aaf7c2a8968c252ff2b264721
                                                        SHA256:6670de035561ab5f4cd82d89a4ab969b7d8eaf1da047782b37399d79eeb4762e
                                                        SHA512:6795637d769a1c0ef52a7e616b7f9f2310ec88889b8220a2d0268bed6a7b04ec0b5391355222b7ab0072c07e12edd2adcdcf8eeecd4a4029f5142fa3dffe7bc6
                                                        SSDEEP:24576:xXYwIG7RaOvoOnAHRtZbsy1vBF1rG3AbHO7G:zIG7sOvoOnkFwoBLrG3AbHo
                                                        TLSH:5505238C3B29EC77C92E09F05A06B61453F41292F455F1EA8CDA72E266C0FE98501F9F
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9."f.................8...........V... ...`....@.. ....................................@................................
                                                        Icon Hash:90cececece8e8eb0
                                                        Entrypoint:0x4c569a
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x6622F139 [Fri Apr 19 22:33:29 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                         Name                                  Virtual Address  Virtual Size  Is in Section
                                                         IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_IMPORT          0xc5640          0x57          .text
                                                         IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc6000          0x5e4         .rsrc
                                                         IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc8000          0xc           .reloc
                                                         IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                         IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                         IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                         IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                                         Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity    | File Type | Entropy             | Characteristics
                                                         .text  | 0x2000          | 0xc36a0      | 0xc3800  | 0ed456ec836a77bd494af58f7b5f9ad0 | False    | 0.9754460717710998 | data      | 7.980247279079844   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                         .rsrc  | 0xc6000         | 0x5e4        | 0x600    | 86745acbdbf4dd047051aae284ea8c67 | False    | 0.44140625         | data      | 4.222471943798449   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                         .reloc | 0xc8000         | 0xc          | 0x200    | 6b0c7e10a0739222057c558105548cf1 | False    | 0.044921875        | data      | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                                                         Language  Country  ZLIB Complexity
RT_VERSION   0xc60a0  0x390  data                                                                                                                            0.42105263157894735
RT_MANIFEST  0xc6430  0x1b4  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (433), with no line terminators                     0.5642201834862385
DLL          Import
mscoree.dll  _CorExeMain
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 20, 2024 03:23:05.754776001 CEST  49730        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:05.754832029 CEST  443          49730      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:05.754930973 CEST  49730        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:05.770539045 CEST  49730        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:05.770576954 CEST  443          49730      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:06.000082016 CEST  443          49730      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:06.000174046 CEST  49730        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:06.005079031 CEST  49730        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:06.005093098 CEST  443          49730      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:06.005584955 CEST  443          49730      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:06.054938078 CEST  49730        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:06.100326061 CEST  49730        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:06.148152113 CEST  443          49730      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:06.320728064 CEST  443          49730      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:06.320872068 CEST  443          49730      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:06.321033955 CEST  49730        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:06.326069117 CEST  49730        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:06.439945936 CEST  49731        80         192.168.2.4      208.95.112.1
Apr 20, 2024 03:23:06.557310104 CEST  80           49731      208.95.112.1     192.168.2.4
Apr 20, 2024 03:23:06.559519053 CEST  49731        80         192.168.2.4      208.95.112.1
Apr 20, 2024 03:23:06.559519053 CEST  49731        80         192.168.2.4      208.95.112.1
Apr 20, 2024 03:23:06.678459883 CEST  80           49731      208.95.112.1     192.168.2.4
Apr 20, 2024 03:23:06.726528883 CEST  49731        80         192.168.2.4      208.95.112.1
Apr 20, 2024 03:23:07.411034107 CEST  49731        80         192.168.2.4      208.95.112.1
Apr 20, 2024 03:23:07.528862000 CEST  80           49731      208.95.112.1     192.168.2.4
Apr 20, 2024 03:23:07.529081106 CEST  49731        80         192.168.2.4      208.95.112.1
Apr 20, 2024 03:23:08.737323046 CEST  49732        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:08.737404108 CEST  443          49732      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:08.737546921 CEST  49732        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:08.743247032 CEST  49732        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:08.743320942 CEST  443          49732      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:08.791380882 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:08.967103004 CEST  443          49732      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:08.967303038 CEST  49732        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:08.968637943 CEST  49732        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:08.968688011 CEST  443          49732      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:08.969191074 CEST  443          49732      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:09.019658089 CEST  49732        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:09.060127974 CEST  443          49732      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:09.136534929 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:09.136821985 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:09.273438931 CEST  443          49732      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:09.273578882 CEST  443          49732      104.26.13.205    192.168.2.4
Apr 20, 2024 03:23:09.273674965 CEST  49732        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:09.276868105 CEST  49732        443        192.168.2.4      104.26.13.205
Apr 20, 2024 03:23:09.280591011 CEST  49734        80         192.168.2.4      208.95.112.1
Apr 20, 2024 03:23:09.396502972 CEST  80           49734      208.95.112.1     192.168.2.4
Apr 20, 2024 03:23:09.396634102 CEST  49734        80         192.168.2.4      208.95.112.1
Apr 20, 2024 03:23:09.396787882 CEST  49734        80         192.168.2.4      208.95.112.1
Apr 20, 2024 03:23:09.514276028 CEST  80           49734      208.95.112.1     192.168.2.4
Apr 20, 2024 03:23:09.601515055 CEST  49734        80         192.168.2.4      208.95.112.1
Apr 20, 2024 03:23:09.649790049 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:09.651097059 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:09.989636898 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:09.989929914 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:10.040205956 CEST  49734        80         192.168.2.4      208.95.112.1
Apr 20, 2024 03:23:10.040782928 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:10.156312943 CEST  80           49734      208.95.112.1     192.168.2.4
Apr 20, 2024 03:23:10.156465054 CEST  49734        80         192.168.2.4      208.95.112.1
Apr 20, 2024 03:23:10.327007055 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:10.327727079 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:10.376564026 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:10.376686096 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:10.672806025 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:10.672868013 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:10.672909975 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:10.672945023 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:10.673070908 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:10.673072100 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:10.675714970 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:10.703309059 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:10.812997103 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:10.813297987 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:11.038873911 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:11.042176008 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:11.148725986 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:11.152409077 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:11.377228975 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:11.378456116 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:11.491254091 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:11.491903067 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:11.715867996 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:11.716183901 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:11.836982012 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:11.837030888 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:11.837068081 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:11.837105989 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:11.837250948 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:11.837250948 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:11.839930058 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:11.841680050 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:12.090665102 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:12.177859068 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:12.183003902 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:12.522118092 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:12.522633076 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:12.859149933 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:12.859663010 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:13.234565020 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:18.052812099 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:18.101494074 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:18.225703001 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:18.560641050 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:18.560806990 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:18.601397991 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:18.748140097 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:19.122492075 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.164119005 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.196451902 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.210788965 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:19.230185986 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:19.234311104 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:19.566103935 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.566153049 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.567043066 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:19.567043066 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:19.567043066 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:19.567137003 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:19.572669029 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.572814941 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.573015928 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:19.902066946 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.902182102 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.902215004 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.902251005 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.925328970 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.947670937 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.976619959 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:19.991643906 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:19.992214918 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:20.327641964 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:20.327699900 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:20.328552008 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:20.328552008 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:20.328552008 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:20.328552961 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:23:20.664006948 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:20.664042950 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:20.664061069 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:20.664077044 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:20.684187889 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:23:20.726494074 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:24:47.429822922 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:24:47.764729023 CEST  587          49733      125.212.217.248  192.168.2.4
Apr 20, 2024 03:24:47.765175104 CEST  49733        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:24:50.070703983 CEST  49735        587        192.168.2.4      125.212.217.248
Apr 20, 2024 03:24:50.406224012 CEST  587          49735      125.212.217.248  192.168.2.4
Apr 20, 2024 03:24:50.406686068 CEST  49735        587        192.168.2.4      125.212.217.248
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 20, 2024 03:23:05.641803026 CEST  62464        53         192.168.2.4      1.1.1.1
Apr 20, 2024 03:23:05.746778011 CEST  53           62464      1.1.1.1          192.168.2.4
Apr 20, 2024 03:23:06.333129883 CEST  50674        53         192.168.2.4      1.1.1.1
Apr 20, 2024 03:23:06.438723087 CEST  53           50674      1.1.1.1          192.168.2.4
Apr 20, 2024 03:23:07.411870003 CEST  65211        53         192.168.2.4      1.1.1.1
Apr 20, 2024 03:23:08.414100885 CEST  65211        53         192.168.2.4      1.1.1.1
Apr 20, 2024 03:23:08.790410042 CEST  53           65211      1.1.1.1          192.168.2.4
Apr 20, 2024 03:23:08.790455103 CEST  53           65211      1.1.1.1          192.168.2.4
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                      Type            Class        DNS over HTTPS
Apr 20, 2024 03:23:05.641803026 CEST  192.168.2.4  1.1.1.1  0xcc9e    Standard query (0)  api.ipify.org             A (IP address)  IN (0x0001)  false
Apr 20, 2024 03:23:06.333129883 CEST  192.168.2.4  1.1.1.1  0x6aa4    Standard query (0)  ip-api.com                A (IP address)  IN (0x0001)  false
Apr 20, 2024 03:23:07.411870003 CEST  192.168.2.4  1.1.1.1  0xe3b     Standard query (0)  mail.hoangtruongphat.com  A (IP address)  IN (0x0001)  false
Apr 20, 2024 03:23:08.414100885 CEST  192.168.2.4  1.1.1.1  0xe3b     Standard query (0)  mail.hoangtruongphat.com  A (IP address)  IN (0x0001)  false
Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                      CName  Address          Type            Class        DNS over HTTPS
Apr 20, 2024 03:23:05.746778011 CEST  1.1.1.1    192.168.2.4  0xcc9e    No error (0)  api.ipify.org                    104.26.13.205    A (IP address)  IN (0x0001)  false
Apr 20, 2024 03:23:05.746778011 CEST  1.1.1.1    192.168.2.4  0xcc9e    No error (0)  api.ipify.org                    172.67.74.152    A (IP address)  IN (0x0001)  false
Apr 20, 2024 03:23:05.746778011 CEST  1.1.1.1    192.168.2.4  0xcc9e    No error (0)  api.ipify.org                    104.26.12.205    A (IP address)  IN (0x0001)  false
Apr 20, 2024 03:23:06.438723087 CEST  1.1.1.1    192.168.2.4  0x6aa4    No error (0)  ip-api.com                       208.95.112.1     A (IP address)  IN (0x0001)  false
Apr 20, 2024 03:23:08.790410042 CEST  1.1.1.1    192.168.2.4  0xe3b     No error (0)  mail.hoangtruongphat.com         125.212.217.248  A (IP address)  IN (0x0001)  false
Apr 20, 2024 03:23:08.790455103 CEST  1.1.1.1    192.168.2.4  0xe3b     No error (0)  mail.hoangtruongphat.com         125.212.217.248  A (IP address)  IN (0x0001)  false
• api.ipify.org
• ip-api.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49731        208.95.112.1    80                7420  C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
Timestamp                             Bytes transferred  Direction  Data
Apr 20, 2024 03:23:06.559519053 CEST  80                 OUT        GET /line/?fields=hosting HTTP/1.1
                                                                    Host: ip-api.com
                                                                    Connection: Keep-Alive
Apr 20, 2024 03:23:06.678459883 CEST  174                IN         HTTP/1.1 200 OK
                                                                    Date: Sat, 20 Apr 2024 01:23:06 GMT
                                                                    Content-Type: text/plain; charset=utf-8
                                                                    Content-Length: 5
                                                                    Access-Control-Allow-Origin: *
                                                                    X-Ttl: 60
                                                                    X-Rl: 44
                                                                    Data Raw: 74 72 75 65 0a
                                                                    Data Ascii: true


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49734        208.95.112.1    80                7780  C:\Users\user\AppData\Roaming\PUwpftrjIH.exe
Timestamp                             Bytes transferred  Direction  Data
Apr 20, 2024 03:23:09.396787882 CEST  80                 OUT        GET /line/?fields=hosting HTTP/1.1
                                                                    Host: ip-api.com
                                                                    Connection: Keep-Alive
Apr 20, 2024 03:23:09.514276028 CEST  174                IN         HTTP/1.1 200 OK
                                                                    Date: Sat, 20 Apr 2024 01:23:09 GMT
                                                                    Content-Type: text/plain; charset=utf-8
                                                                    Content-Length: 5
                                                                    Access-Control-Allow-Origin: *
                                                                    X-Ttl: 57
                                                                    X-Rl: 43
                                                                    Data Raw: 74 72 75 65 0a
                                                                    Data Ascii: true


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49730        104.26.13.205   443               7420  C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
Timestamp                Bytes transferred  Direction  Data
2024-04-20 01:23:06 UTC  155                OUT        GET / HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                       Host: api.ipify.org
                                                       Connection: Keep-Alive
2024-04-20 01:23:06 UTC  211                IN         HTTP/1.1 200 OK
                                                       Date: Sat, 20 Apr 2024 01:23:06 GMT
                                                       Content-Type: text/plain
                                                       Content-Length: 12
                                                       Connection: close
                                                       Vary: Origin
                                                       CF-Cache-Status: DYNAMIC
                                                       Server: cloudflare
                                                       CF-RAY: 877153bbac6b12ed-ATL
2024-04-20 01:23:06 UTC  12                 IN         Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
                                                       Data Ascii: 81.181.57.52


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49732        104.26.13.205   443               7780  C:\Users\user\AppData\Roaming\PUwpftrjIH.exe
Timestamp                Bytes transferred  Direction  Data
2024-04-20 01:23:09 UTC  155                OUT        GET / HTTP/1.1
                                                       User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                       Host: api.ipify.org
                                                       Connection: Keep-Alive
2024-04-20 01:23:09 UTC  211                IN         HTTP/1.1 200 OK
                                                       Date: Sat, 20 Apr 2024 01:23:09 GMT
                                                       Content-Type: text/plain
                                                       Content-Length: 12
                                                       Connection: close
                                                       Vary: Origin
                                                       CF-Cache-Status: DYNAMIC
                                                       Server: cloudflare
                                                       CF-RAY: 877153ce48c044df-ATL
2024-04-20 01:23:09 UTC  12                 IN         Data Raw: 38 31 2e 31 38 31 2e 35 37 2e 35 32
                                                       Data Ascii: 81.181.57.52


Timestamp                             Source Port  Dest Port  Source IP        Dest IP          Commands
Apr 20, 2024 03:23:09.649790049 CEST  587          49733      125.212.217.248  192.168.2.4      220-e.vinahost.vn ESMTP Exim 4.96.2 #2 Sat, 20 Apr 2024 08:22:48 +0700
                                                                                                220-We do not authorize the use of this system to transport unsolicited,
                                                                                                220 and/or bulk e-mail.
Apr 20, 2024 03:23:09.651097059 CEST  49733        587        192.168.2.4      125.212.217.248  EHLO 724536
Apr 20, 2024 03:23:09.989636898 CEST  587          49733      125.212.217.248  192.168.2.4      250-e.vinahost.vn Hello 724536 [81.181.57.52]
                                                                                                250-SIZE 52428800
                                                                                                250-8BITMIME
                                                                                                250-PIPELINING
                                                                                                250-PIPECONNECT
                                                                                                250-AUTH PLAIN LOGIN
                                                                                                250-STARTTLS
                                                                                                250 HELP
Apr 20, 2024 03:23:09.989929914 CEST  49733        587        192.168.2.4      125.212.217.248  STARTTLS
Apr 20, 2024 03:23:10.327007055 CEST  587          49733      125.212.217.248  192.168.2.4      220 TLS go ahead
Apr 20, 2024 03:23:10.812997103 CEST  587          49735      125.212.217.248  192.168.2.4      220-e.vinahost.vn ESMTP Exim 4.96.2 #2 Sat, 20 Apr 2024 08:22:49 +0700
                                                                                                220-We do not authorize the use of this system to transport unsolicited,
                                                                                                220 and/or bulk e-mail.
Apr 20, 2024 03:23:10.813297987 CEST  49735        587        192.168.2.4      125.212.217.248  EHLO 724536
Apr 20, 2024 03:23:11.148725986 CEST  587          49735      125.212.217.248  192.168.2.4      250-e.vinahost.vn Hello 724536 [81.181.57.52]
                                                                                                250-SIZE 52428800
                                                                                                250-8BITMIME
                                                                                                250-PIPELINING
                                                                                                250-PIPECONNECT
                                                                                                250-AUTH PLAIN LOGIN
                                                                                                250-STARTTLS
                                                                                                250 HELP
Apr 20, 2024 03:23:11.152409077 CEST  49735        587        192.168.2.4      125.212.217.248  STARTTLS
Apr 20, 2024 03:23:11.491254091 CEST  587          49735      125.212.217.248  192.168.2.4      220 TLS go ahead


                                                        Target ID:0
                                                        Start time:03:23:02
                                                        Start date:20/04/2024
                                                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe"
                                                        Imagebase:0x7ff7699e0000
                                                        File size:803'328 bytes
                                                        MD5 hash:906CB4D1D82674CA8E0C0614D34AF552
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1727481234.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1727481234.0000000003E49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:1
                                                        Start time:03:23:03
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe"
                                                        Imagebase:0xe90000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:2
                                                        Start time:03:23:03
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:3
                                                        Start time:03:23:03
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\PUwpftrjIH.exe"
                                                        Imagebase:0xe90000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:4
                                                        Start time:03:23:03
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:5
                                                        Start time:03:23:03
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp32DE.tmp"
                                                        Imagebase:0x860000
                                                        File size:187'904 bytes
                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:6
                                                        Start time:03:23:03
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:7
                                                        Start time:03:23:04
                                                        Start date:20/04/2024
                                                        Path:C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.25825.12964.exe"
                                                        Imagebase:0xb20000
                                                        File size:803'328 bytes
                                                        MD5 hash:906CB4D1D82674CA8E0C0614D34AF552
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.4174148068.0000000002FBD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.4174148068.0000000002FC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.4174148068.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.4174148068.0000000002F94000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false

                                                        Target ID:8
                                                        Start time:03:23:06
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x7ff693ab0000
                                                        File size:496'640 bytes
                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:false

                                                        Target ID:9
                                                        Start time:03:23:06
                                                        Start date:20/04/2024
                                                        Path:C:\Users\user\AppData\Roaming\PUwpftrjIH.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\AppData\Roaming\PUwpftrjIH.exe
                                                        Imagebase:0x590000
                                                        File size:803'328 bytes
                                                        MD5 hash:906CB4D1D82674CA8E0C0614D34AF552
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Avira
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 42%, ReversingLabs
                                                        • Detection: 38%, Virustotal, Browse
                                                        Reputation:low
                                                        Has exited:true

                                                        Target ID:10
                                                        Start time:03:23:07
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\PUwpftrjIH" /XML "C:\Users\user\AppData\Local\Temp\tmp4201.tmp"
                                                        Imagebase:0x860000
                                                        File size:187'904 bytes
                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:11
                                                        Start time:03:23:07
                                                        Start date:20/04/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff7699e0000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        Target ID:12
                                                        Start time:03:23:07
                                                        Start date:20/04/2024
                                                        Path:C:\Users\user\AppData\Roaming\PUwpftrjIH.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\AppData\Roaming\PUwpftrjIH.exe"
                                                        Imagebase:0xea0000
                                                        File size:803'328 bytes
                                                        MD5 hash:906CB4D1D82674CA8E0C0614D34AF552
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.4173335726.000000000332C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.4173335726.0000000003305000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.4173335726.0000000003305000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:false

                                                          Execution Graph

                                                          Execution Coverage:14.5%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:203
                                                          Total number of Limit Nodes:11

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LR^q$LR^q$\s^q
                                                          • API String ID: 0-56077355

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LR^q$\s^q
                                                          • API String ID: 0-2586804783

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LR^q$\s^q
                                                          • API String ID: 0-2586804783

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \s^q
                                                          • API String ID: 0-4111632511

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID: 0-3916222277

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: \s^q
                                                          • API String ID: 0-4111632511

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 0124F67E
                                                          • GetCurrentThread.KERNEL32 ref: 0124F6BB
                                                          • GetCurrentProcess.KERNEL32 ref: 0124F6F8
                                                          • GetCurrentThreadId.KERNEL32 ref: 0124F751
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0

                                                          Control-flow Graph

                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 0124F67E
                                                          • GetCurrentThread.KERNEL32 ref: 0124F6BB
                                                          • GetCurrentProcess.KERNEL32 ref: 0124F6F8
                                                          • GetCurrentThreadId.KERNEL32 ref: 0124F751
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID:
                                                          • API String ID: 2063062207-0

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 08407836
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0

                                                          Control-flow Graph

                                                          APIs
                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 08407836
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0

                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0124D5BE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 2ca88c19dfd6489134d11f383694aa08f61a323f08d26b9b96a42349718a13ce
                                                          • Instruction ID: 79eb249c4daaa30d672600a4a96994c174f54584eddf14b275e996141d158c8d
                                                          • Opcode Fuzzy Hash: 2ca88c19dfd6489134d11f383694aa08f61a323f08d26b9b96a42349718a13ce
                                                          • Instruction Fuzzy Hash: BF813270A10B4A8FD728DF69D0447AABBF1FF88300F008A2DD18A97A50D734E949CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 012459A9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: b525e37a92b8c5f29b76c0676d7d4bdafb16df3c33e10c0eca6045132c605298
                                                          • Instruction ID: 9735705728ec362b340b75503a4b9976b2b39561975e63cc69034ead6aa2b21f
                                                          • Opcode Fuzzy Hash: b525e37a92b8c5f29b76c0676d7d4bdafb16df3c33e10c0eca6045132c605298
                                                          • Instruction Fuzzy Hash: E04112B0C1071DCBDB28CFA9C944B8EBBB5FF88304F20806AE448AB251DB756945CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 012459A9
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID:
                                                          • API String ID: 2289755597-0
                                                          • Opcode ID: a1a5c9a4b574c389f3a6188c6f140d6a149cd493f7f5f8c535b542f84eb77a76
                                                          • Instruction ID: 7fab060f31a881eefda2a1a1eb2fce6fed1e3b0111d500756a610143d7f1133f
                                                          • Opcode Fuzzy Hash: a1a5c9a4b574c389f3a6188c6f140d6a149cd493f7f5f8c535b542f84eb77a76
                                                          • Instruction Fuzzy Hash: A84112B0C10719CFDB28DFA9C9847CDBBB5BF49304F24806AD448AB261DB75694ACF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 08407408
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: c688af5cfd4d4e5a23157bc2b3fd59147e040c140f62a57b59210d6d451e8260
                                                          • Instruction ID: 39d4b3c62f39a9fd934a3a29f95d3d3fbe65806c5d51377d74e4703737b82727
                                                          • Opcode Fuzzy Hash: c688af5cfd4d4e5a23157bc2b3fd59147e040c140f62a57b59210d6d451e8260
                                                          • Instruction Fuzzy Hash: 2F2146B1900219CFDB10CFA9C981BEEBBF1FF48310F10842AE958A7250C778A944CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 08407408
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: f906d2ceea324048f8cb1f964882d73564dba568ab47a9d7e030b9dbf7ba7b28
                                                          • Instruction ID: 5a8a82ac34957918a169d0186c5ad44ea365a9294003f6287cd67b3b638cc2fe
                                                          • Opcode Fuzzy Hash: f906d2ceea324048f8cb1f964882d73564dba568ab47a9d7e030b9dbf7ba7b28
                                                          • Instruction Fuzzy Hash: 9F2144B19003199FCB10CFA9C981BDEBBF5FF48310F10842AE958A7250C778A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0124FCD7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 7a9b750cafb9c9cf10ebc8eca424fd9b9c69af39ed7c355a96302532b831f3ca
                                                          • Instruction ID: af09a663ab5c4b1b5725b57299853dfcb3071f1fe9bd40091e9f072582f95e8a
                                                          • Opcode Fuzzy Hash: 7a9b750cafb9c9cf10ebc8eca424fd9b9c69af39ed7c355a96302532b831f3ca
                                                          • Instruction Fuzzy Hash: 2221FFB59002489FDB10CFAAD984AEEFFF4FB48320F14805AE958A7210C378A944CF64
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 084074E8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 6daa861f83bb70388985a45b47b4ec3efbde15d8c9598e7e3bc2da3c801a81a9
                                                          • Instruction ID: c32dc4def60080b1ea7ade605759416fbb00c6354aeac6be4cba7b2e6b317246
                                                          • Opcode Fuzzy Hash: 6daa861f83bb70388985a45b47b4ec3efbde15d8c9598e7e3bc2da3c801a81a9
                                                          • Instruction Fuzzy Hash: 462134B19002199FCB10CFA9C981BEEBBF5FF48320F10842AE558A7250C738A945CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08406E26
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: c33ac1bf0d67f188e5fbe6ab23e2060f8fb1096b9997946649a47cf4db6dbef8
                                                          • Instruction ID: 3d93cb74c5bca3481d1756d60f423835fc782ab5b13cac56eee2d6bf78786574
                                                          • Opcode Fuzzy Hash: c33ac1bf0d67f188e5fbe6ab23e2060f8fb1096b9997946649a47cf4db6dbef8
                                                          • Instruction Fuzzy Hash: AA2154B2D003098FDB10CFA9C5857EEBBF4AF48324F14842AD459A7281D7789984CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 084074E8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: f05602e4670d713f990a11f6ccf9563dd5a282539b20c243111bd7d23017d431
                                                          • Instruction ID: 36fb7c26c090e2a754bfa6e3a1e0916d63a38ceae5360383f6666a75cbee4153
                                                          • Opcode Fuzzy Hash: f05602e4670d713f990a11f6ccf9563dd5a282539b20c243111bd7d23017d431
                                                          • Instruction Fuzzy Hash: 442128B19002599FCB10DFAAC941AEEFBF5FF48320F10842AE559A7250C779A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08406E26
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 0c4bb6739540c5ed3834fd86032cfe334f2f4a321c323650c22dc841832821a9
                                                          • Instruction ID: 3385dbdd42e0aafe8660bb24609c1560c5774c8c26912a1b15ca42b3c879370d
                                                          • Opcode Fuzzy Hash: 0c4bb6739540c5ed3834fd86032cfe334f2f4a321c323650c22dc841832821a9
                                                          • Instruction Fuzzy Hash: 662107B1D003098FDB10DFAAC5857EFBBF4AF48324F54842AD459A7241C778A984CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0124FCD7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID:
                                                          • API String ID: 3793708945-0
                                                          • Opcode ID: 38c1817ba43fa7f6fb881f0f0965ffb82a4c6b410443f8020b52b79f2e860847
                                                          • Instruction ID: f275bfb2b90341db0946b6afe3377eaa85732b84af3c9a9927d1d93dd6e68a30
                                                          • Opcode Fuzzy Hash: 38c1817ba43fa7f6fb881f0f0965ffb82a4c6b410443f8020b52b79f2e860847
                                                          • Instruction Fuzzy Hash: 8421E4B5900208DFDB10CFAAD584ADEBFF8FB48310F14841AE954A3310D374A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0124D639,00000800,00000000,00000000), ref: 0124D84A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: bc99da6063c67c1eb788d464aa36f4c3272c486cb0fd651903fa8b478f3d0dea
                                                          • Instruction ID: 4c715cb2e8c8db515834cdaeaa6b9a8d2c865aa79efc7d708ec22849ff73052a
                                                          • Opcode Fuzzy Hash: bc99da6063c67c1eb788d464aa36f4c3272c486cb0fd651903fa8b478f3d0dea
                                                          • Instruction Fuzzy Hash: B41112B6D002098FDB14CF9AD544AEEFBF8EB98320F10842EE519A7210C375A945CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0124D639,00000800,00000000,00000000), ref: 0124D84A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 22f6fca88f392574ee547e1bcc8079766629fcf213380d6352b84a063b8751b0
                                                          • Instruction ID: 73230ba665b405f47bc9ec6c39f8c5fc0d9579fb16ffa45a4feb90b9f69671f7
                                                          • Opcode Fuzzy Hash: 22f6fca88f392574ee547e1bcc8079766629fcf213380d6352b84a063b8751b0
                                                          • Instruction Fuzzy Hash: 3E1114B6D00309CFDB14CF9AC444ADEFBF4EB48310F10842AD919A7210C375A945CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 08407326
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: fd791f3ac1bdf29058fd57db4f96c7c6fd3b07a9d9c4228af1cac69a486ba0a6
                                                          • Instruction ID: 0a52fa875b923828de4583fa1f7a08bcb00d8896707de46b68d1f7d428cdfafb
                                                          • Opcode Fuzzy Hash: fd791f3ac1bdf29058fd57db4f96c7c6fd3b07a9d9c4228af1cac69a486ba0a6
                                                          • Instruction Fuzzy Hash: D31167B6800209DFDB10DFA9C9457DEBFF5AF48320F10881AD559A7250C735A544CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 08407326
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: c8e99bf366bb1ddbf54b678491861ae73e3af47416de5430adbe2865cc25765c
                                                          • Instruction ID: 8d80937318ed32f6e4ccb0b01499d74af61be0bff8a6e7f4838dd592094a8791
                                                          • Opcode Fuzzy Hash: c8e99bf366bb1ddbf54b678491861ae73e3af47416de5430adbe2865cc25765c
                                                          • Instruction Fuzzy Hash: 661167B18002488FCB10DFAAC844BDFBFF5EF88320F10882AE559A7250C775A944CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 70cd42f00e9c224a1c60d7c5a26f6464a026a2f9c82e93efa34a473f8b220a41
                                                          • Instruction ID: 22bc54ffe044182566c780dddf33083cf2b80df36593ba076ae775d962d602d4
                                                          • Opcode Fuzzy Hash: 70cd42f00e9c224a1c60d7c5a26f6464a026a2f9c82e93efa34a473f8b220a41
                                                          • Instruction Fuzzy Hash: 671116B19002498FCB10DFAAC4457EEFFF5AF88324F24842ED459A7650C779A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: c9140e6b02c155558ba061c677caea5513306d5a6a55d98b4140c9e661216335
                                                          • Instruction ID: af540a4e934e5cf4b694ec5d5a20c17a188e3c00daa5aec9c025b11096d59f65
                                                          • Opcode Fuzzy Hash: c9140e6b02c155558ba061c677caea5513306d5a6a55d98b4140c9e661216335
                                                          • Instruction Fuzzy Hash: 0A1125B19003488BCB20DFAAC4457DFFBF5AF88324F20842AD459A7250CB79A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNEL32(00000000), ref: 0124D5BE
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID:
                                                          • API String ID: 4139908857-0
                                                          • Opcode ID: 5788cd7b2c383b270ef9de2c8415213e6ed555a2ac0d8e514fe9d433a6a7d8a7
                                                          • Instruction ID: e8ff528a6c732d4feac2f95fa2c686388a5e652fff9d7082078b51051741f7ad
                                                          • Opcode Fuzzy Hash: 5788cd7b2c383b270ef9de2c8415213e6ed555a2ac0d8e514fe9d433a6a7d8a7
                                                          • Instruction Fuzzy Hash: 77111DB6D002498FDB14CF9AD444ADEFBF8AF88324F10842AD969A7210D779A545CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0840B8C5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: 0c352633dc392115c74b3dde8ba8ce34f40f3f4b0ca46b0ecfdbaeb67499fb88
                                                          • Instruction ID: afcab94f9d5f4ec651ba3467a5d4a804cdc5d1963db48beac0dafa2f4b1f6a81
                                                          • Opcode Fuzzy Hash: 0c352633dc392115c74b3dde8ba8ce34f40f3f4b0ca46b0ecfdbaeb67499fb88
                                                          • Instruction Fuzzy Hash: 9411E0B5800349DFCB10DF9AC545BDEBBF8EB48320F10882AE558A7250C375A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 0840B8C5
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: ccdaf24227279bf6d7e9b48b69ef117f35a0f0feb0ee116c2dc736add1a293f2
                                                          • Instruction ID: 397f580fc74da4e7aadf84048216ebdcf76d2b5e0d72c704edc83fed248dc727
                                                          • Opcode Fuzzy Hash: ccdaf24227279bf6d7e9b48b69ef117f35a0f0feb0ee116c2dc736add1a293f2
                                                          • Instruction Fuzzy Hash: D31103B5800348DFDB10CF99C544BDEBFF4EB48324F10881AD558A7650C379A944CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • LoadLibraryExW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,0124D639,00000800,00000000,00000000), ref: 0124D84A
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID:
                                                          • API String ID: 1029625771-0
                                                          • Opcode ID: 79984f7e599a07a4928e7ec3ee538f738bc5ae653b8f3a26de51c17a0a5a056a
                                                          • Instruction ID: 93bd2b17d777d1dd842eb172ea0f1c711d29d108eda21c8e9d6d5fcd73b7ee6b
                                                          • Opcode Fuzzy Hash: 79984f7e599a07a4928e7ec3ee538f738bc5ae653b8f3a26de51c17a0a5a056a
                                                          • Instruction Fuzzy Hash: 3CF02472A043198FEB21ABADE80839AFFE4EF51330F098067D248C7511C3759445CB94
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724465430.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_fed000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d904d41ab7e610e3da836fdf2ba708042cb5b937efe64cb293a6a0482cc3be32
                                                          • Instruction ID: 27f67e96142c4c69bc11344ec91b1ff4eefab121bf9a0ab062b0049b760e5ed5
                                                          • Opcode Fuzzy Hash: d904d41ab7e610e3da836fdf2ba708042cb5b937efe64cb293a6a0482cc3be32
                                                          • Instruction Fuzzy Hash: 1C213A72500284DFDB05DF15D9C0B16BFA5FBA4324F20C169E9094F696C336E856E7A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724465430.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_fed000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0e358ac387e75dbb9bf8866010856a965804d988e2a15fc61333f7d45aeb3a1f
                                                          • Instruction ID: e2473c8f89f34434c8c292681036679757530be2dbf145f68ff8281790781e0e
                                                          • Opcode Fuzzy Hash: 0e358ac387e75dbb9bf8866010856a965804d988e2a15fc61333f7d45aeb3a1f
                                                          • Instruction Fuzzy Hash: FF213A72500380DFCB05DF15D9C0B27BF65FB94328F24C569D8050B656C336D856EBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724524578.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_ffd000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1fd72e194000fa4b80cfd8128870a14d4b29c04accae777a3a15c96de5635366
                                                          • Instruction ID: 6fddc77922e949ade80bed1754d5838bece268faba0dce90cf2ddfa714cae256
                                                          • Opcode Fuzzy Hash: 1fd72e194000fa4b80cfd8128870a14d4b29c04accae777a3a15c96de5635366
                                                          • Instruction Fuzzy Hash: 1021F571504208DFDB14DF14D5C4B26BB66EF84324F20C569DA0A4B26ACB36D847DA61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724524578.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_ffd000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 61260ee5314a45d20b057aea577df59b665e05741a998dcce7f08c02259a2f9b
                                                          • Instruction ID: 67691cc555c161443edaf5c05244208eecb24cd242e729b9ff88ae197ca5aa30
                                                          • Opcode Fuzzy Hash: 61260ee5314a45d20b057aea577df59b665e05741a998dcce7f08c02259a2f9b
                                                          • Instruction Fuzzy Hash: 5C212971904208DFDB05DF14D9C4B36BBA6FF84324F20C5ADDA094B365C376D846EAA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724524578.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_ffd000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 388eada42449f495c007ef1562765e96119f2efcd20e9744b49bf936848f22b3
                                                          • Instruction ID: d95e090fa9a9e33531fea7b30983ac1132523e3f1c7e4f1969ad35fea03bf77c
                                                          • Opcode Fuzzy Hash: 388eada42449f495c007ef1562765e96119f2efcd20e9744b49bf936848f22b3
                                                          • Instruction Fuzzy Hash: 3F2180755093848FCB02CF24D994715BF72EF46314F28C5EAD9498F2A7C33A980ACB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724465430.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_fed000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                          • Instruction ID: 9d39b9f1b1a01011854dccb0241571bee459f8e5f8713bdc4dad889f88ebee70
                                                          • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                          • Instruction Fuzzy Hash: 1E11D376904380CFCB16CF14D9C4B16BF71FB94328F28C6AAD8490B656C336D85ADBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724465430.0000000000FED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_fed000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                          • Instruction ID: 880bf0545490772ae1320b2a3cdcc54aaff276f89d2faa86ca91406e8fb00432
                                                          • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                          • Instruction Fuzzy Hash: AF112676804280CFCB06CF00D5C4B16BF71FBA4324F24C2A9DC090B656C33AE85ADBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724524578.0000000000FFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FFD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_ffd000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                          • Instruction ID: aa965570758619cc7f461afdae87aa84b2db44009359daffd319ac0a323c6889
                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                          • Instruction Fuzzy Hash: 9F11BE75904244DFCB06CF10C5C4B25BB62FF84324F24C6AAD9494B266C33AD80ADB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ccf0fab027fd180e231cabf45c0cf19f86ddb47b0f1f08f78d168cee4b04aba0
                                                          • Instruction ID: 7a9f5875baec1d51929cc406e6ae4c10def7b453e4e768d2e979e32e2083ce6c
                                                          • Opcode Fuzzy Hash: ccf0fab027fd180e231cabf45c0cf19f86ddb47b0f1f08f78d168cee4b04aba0
                                                          • Instruction Fuzzy Hash: 21C1A931B016009FD729EB79C89076BBBFAAF89A02F14457ED14A8B3D0DB35D906CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ec9638c3fe7ab8f08b3ff79adde56f12f24e5a02681ea3a70a8f416e06d87d28
                                                          • Instruction ID: 6368e5490b2294bef9fbabf3eb21dbc5a8ff23cbdbc3fe5da0bc5084407ada24
                                                          • Opcode Fuzzy Hash: ec9638c3fe7ab8f08b3ff79adde56f12f24e5a02681ea3a70a8f416e06d87d28
                                                          • Instruction Fuzzy Hash: BCE11C74E002598FCB14DFA9D5809AEFBB2FF88305F24C26AD514AB355D730A942CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4d6e22a4f4dc15dccfccca39e7cb8cac2ad07e4aa222c47c387a301320b2eaf6
                                                          • Instruction ID: 49d687da7bf5b0e31ce1558f84756f275294d296db3ebbf7b9ad66e3ec9de3cd
                                                          • Opcode Fuzzy Hash: 4d6e22a4f4dc15dccfccca39e7cb8cac2ad07e4aa222c47c387a301320b2eaf6
                                                          • Instruction Fuzzy Hash: B3E1FC74E001598FCB14DF99D5809AEFBB2FF89305F24C26AE514AB356D730A942CFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8c5e1bca3def586a7e5167814f9668d224fdde00bed91c6729376c8a46c4a4e1
                                                          • Instruction ID: 4bfc7af90f6059583f283339a85b1ae4a1bb510da902f8d91ab96e023c9ce30e
                                                          • Opcode Fuzzy Hash: 8c5e1bca3def586a7e5167814f9668d224fdde00bed91c6729376c8a46c4a4e1
                                                          • Instruction Fuzzy Hash: A0E11DB4E012598FCB14DFA9D5809AEFBB2FF89305F24C16AE415A7356D730A942CF60
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c724371be664a47c45b2678ea84d831b5774e4181a9f019bc6a4aef6c5b8c7c8
                                                          • Instruction ID: fda83b9ebb6b806d7e91c3007811263fdb10c36e2640724ed1af78e07100bf83
                                                          • Opcode Fuzzy Hash: c724371be664a47c45b2678ea84d831b5774e4181a9f019bc6a4aef6c5b8c7c8
                                                          • Instruction Fuzzy Hash: DDE12C74E002198FCB14DFA9D5809AEFBB2FF89305F24C26AD514AB355D730A942CFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1a9934efdf3c008e1b39a5f5a5a2bb92e3b0b9f94d8d5e618114e7f6a6b7a110
                                                          • Instruction ID: 5c460e3e20ea9e4fb3bf376b891d5a99f7f4bdc20d743d6812eaea0ecb980c6d
                                                          • Opcode Fuzzy Hash: 1a9934efdf3c008e1b39a5f5a5a2bb92e3b0b9f94d8d5e618114e7f6a6b7a110
                                                          • Instruction Fuzzy Hash: 9BE10E74E002598FCB14DF99D5809AEFBF2BF89305F24C269E414AB356D731A942CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: adca4abf5dc4e39149e101cae559bba2944eb09e394210d2a9753128c780b4e4
                                                          • Instruction ID: ecfa88559f01b050d8f75cc875a7e641c5b047f2a84e85e7411a6bf1783ebca3
                                                          • Opcode Fuzzy Hash: adca4abf5dc4e39149e101cae559bba2944eb09e394210d2a9753128c780b4e4
                                                          • Instruction Fuzzy Hash: 44511C74E042598FCB14CFA9D5805AEFBF2BF89305F24C1AAD418AB356D7309942CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fe83e2e9495ec0c3f1463c4437e27a19c09634dccb75fe9c45018c6bb4a6bf6b
                                                          • Instruction ID: cf2bbd3986c765a837a5acf61c6e3f0974fcaec698ff93e2fc87295f7406869e
                                                          • Opcode Fuzzy Hash: fe83e2e9495ec0c3f1463c4437e27a19c09634dccb75fe9c45018c6bb4a6bf6b
                                                          • Instruction Fuzzy Hash: EB512CB4E012198FDB14DFA9D5805AEFBF2BF89305F24C16AD419A7356D7309942CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1724949768.0000000001240000.00000040.00000800.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_1240000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e88b292c2b6db1aac344e03b3d2ca49e7a2f91f9c79a46f8c6eff8e94c730121
                                                          • Instruction ID: 79cb2cfd7138a32c30b0ade4497ef157e747b9a4839f906a01b7f8a83692c4af
                                                          • Opcode Fuzzy Hash: e88b292c2b6db1aac344e03b3d2ca49e7a2f91f9c79a46f8c6eff8e94c730121
                                                          • Instruction Fuzzy Hash: 5641F478E5510E8FDF14CFA9E8819AEB7F2BF48300B15E229E016EB255DB31A845CB40
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1735757073.0000000008400000.00000040.00000800.00020000.00000000.sdmp, Offset: 08400000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_8400000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 69d8a956a7e151be8835f1d59db2cc0de6c822726e3284d173fe9b7077e3e4dc
                                                          • Instruction ID: 7dfe1b0d1e9f78ad0017b8836cc46fcdb14663a610ba03729af46d44d01917d8
                                                          • Opcode Fuzzy Hash: 69d8a956a7e151be8835f1d59db2cc0de6c822726e3284d173fe9b7077e3e4dc
                                                          • Instruction Fuzzy Hash: 25219BB1D056288BEB68CF6B99047DEFAF7AFC9301F04D1BAC40DA6255DB7406868F41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:11.8%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:100%
                                                          Total number of Nodes:3
                                                          Total number of Limit Nodes:0
                                                          execution_graph 24821 11d7ec8 24822 11d7f0c CheckRemoteDebuggerPresent 24821->24822 24823 11d7f4e 24822->24823

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                          • API String ID: 0-2392861976
                                                          • Opcode ID: 60dd1e03d4cbfec9b18b88747c5aa3ec6ba1cbc0abc140009f1850112525c79a
                                                          • Instruction ID: ddb1f3cb1115bfd218e99b8d067b2591210b7c49440fdee8b4a38d6e62d54a66
                                                          • Opcode Fuzzy Hash: 60dd1e03d4cbfec9b18b88747c5aa3ec6ba1cbc0abc140009f1850112525c79a
                                                          • Instruction Fuzzy Hash: D4321F31E1071A8FCB14EF75D85459DF7B6FFC9304F2096AAD409AB254EB30A986CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q
                                                          • API String ID: 0-355816377
                                                          • Opcode ID: fab599464f315847fe7ca9bccb132a0a4af3bfbf2356ee78f287bf43bf99b44b
                                                          • Instruction ID: 0288df2067f4448e91b6ad7829ee430898ce42efa1e563ff69fb2fa5e0456b77
                                                          • Opcode Fuzzy Hash: fab599464f315847fe7ca9bccb132a0a4af3bfbf2356ee78f287bf43bf99b44b
                                                          • Instruction Fuzzy Hash: 1F029074B0030A8FDB54DF64D590AAEB7E2EF84314F158569E41ADB399EB31DC42CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e16835296422721b82c32fe7b81fefbecb02ade9ee35e8363ba64c5a1b337341
                                                          • Instruction ID: 01a802b2aadb3d1de6863631b42a94088384d1de8c1470b74bed25cc03b0ee9d
                                                          • Opcode Fuzzy Hash: e16835296422721b82c32fe7b81fefbecb02ade9ee35e8363ba64c5a1b337341
                                                          • Instruction Fuzzy Hash: 4D53E431D10B1A8ECB51EB68C8845A9F7B1FF99300F15D79AE45877221EB70AAC5CF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 15edee8f738b8086ae163226b2f84615c5178ca906705697b89833863b156894
                                                          • Instruction ID: 7dbb9a38f1886ab9f1337bbc688f93cc3aca3a58343c767222064a78aa012d1f
                                                          • Opcode Fuzzy Hash: 15edee8f738b8086ae163226b2f84615c5178ca906705697b89833863b156894
                                                          • Instruction Fuzzy Hash: 8C330B31D107198EDB11EF68C88069DF7B1FF99300F15D69AE458AB261EB70AAC5CF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $
                                                          • API String ID: 0-3993045852
                                                          • Opcode ID: 806eadf7f22c5087c0eca6fcae37b582e37a47675a973d5bd14dbdd766cf1d1b
                                                          • Instruction ID: 743827b926226ce8c0a66c05c18bc3a3d46bb032d0ec9c54f2ece9c14102dbbf
                                                          • Opcode Fuzzy Hash: 806eadf7f22c5087c0eca6fcae37b582e37a47675a973d5bd14dbdd766cf1d1b
                                                          • Instruction Fuzzy Hash: 5C22D031E002059FDB64DBA4C8906AEBBB2FF85318F24856AD419AB385DB31DC46CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          APIs
                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 011D7F3F
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4170399979.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_11d0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: CheckDebuggerPresentRemote
                                                          • String ID:
                                                          • API String ID: 3662101638-0
                                                          • Opcode ID: 2c02e19dfe714370e8540ca10c34ceba0cd27750c0cbc29e2e0882b2edb818e0
                                                          • Instruction ID: 8803c8a0a1076542e858a2c3e3d8c7be0c7cd843a53f52bf27ff61949008a0bd
                                                          • Opcode Fuzzy Hash: 2c02e19dfe714370e8540ca10c34ceba0cd27750c0cbc29e2e0882b2edb818e0
                                                          • Instruction Fuzzy Hash: 172125B18002598FCB14CFAAD484BEEBBF4EF49324F14846AE459A7250D778A944CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5ee748d250875406cd06861704d6d543f68f354d7db1e54a6778b117c62494cc
                                                          • Instruction ID: 918b7fe1ee01032db5d8c92c793e9845472e1ea2859c12f7dd631c9e4f9839c7
                                                          • Opcode Fuzzy Hash: 5ee748d250875406cd06861704d6d543f68f354d7db1e54a6778b117c62494cc
                                                          • Instruction Fuzzy Hash: 01E20931D10B1A8EDB50EF68C880599F7B1FF99300F15D69AE458B7221EB70AAD5CF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cce89aa43a96d94858f3c21d54638f48c28fe92f2e131d818275321a22425491
                                                          • Instruction ID: 31e8c34506fe610e5ffdc494ad8633607bb082f0f4e2cc5aa14d114cfd27b766
                                                          • Opcode Fuzzy Hash: cce89aa43a96d94858f3c21d54638f48c28fe92f2e131d818275321a22425491
                                                          • Instruction Fuzzy Hash: E1A21534A003088FDBA4DB68C584A9DB7F2FB45318F5494A9E449EB365DB35EC86CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c0feaca68527a53cdeea8e7d883712f3fa1c4ced5f68a817a1bbf00fe0992b5d
                                                          • Instruction ID: c92d150d95d59f63612a7797620df0c399b1fb4cdbb7bf3b89bf12e1fdcb2505
                                                          • Opcode Fuzzy Hash: c0feaca68527a53cdeea8e7d883712f3fa1c4ced5f68a817a1bbf00fe0992b5d
                                                          • Instruction Fuzzy Hash: 84229230F003098FDF64DB68D5847AEB7B6FB85318F209826E419EB395DA35DC868B51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                          • API String ID: 0-2392861976
                                                          • Opcode ID: 2ff824e051535686628de55454f2846bf00cfe6e19806e0737916922fc0cb203
                                                          • Instruction ID: afbf8312847389fef98309d2cc892ebe40304cd48dba416f9958fe17185de207
                                                          • Opcode Fuzzy Hash: 2ff824e051535686628de55454f2846bf00cfe6e19806e0737916922fc0cb203
                                                          • Instruction Fuzzy Hash: 41026F30E003098FDB64DF68D5846ADB7B2FB85318F24992AD416DB355DB31DC86CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q
                                                          • API String ID: 0-2125118731
                                                          • Opcode ID: f19f2000b8433e68cc28e833cc104cb3e58b823cec1ae2a0e63a3057b5be95ff
                                                          • Instruction ID: 5123783b1e0e228dbaa061800d8f14e826e808f783e8dea20fdf5e9d93514739
                                                          • Opcode Fuzzy Hash: f19f2000b8433e68cc28e833cc104cb3e58b823cec1ae2a0e63a3057b5be95ff
                                                          • Instruction Fuzzy Hash: 5B916030B0020A9FDB54EF65D9507AEB3F6AFC8644F20846AD409EB348EE30DC46CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph: [graph rendering omitted]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fcq$XPcq$\Ocq
                                                          • API String ID: 0-3575482020
                                                          • Opcode ID: e502e8b3f163a517c88fc62e366e7fc0f9fa3184abdb75dc24b1728dce395871
                                                          • Instruction ID: 51a1259a345caa77b34551afe755a1624dbde0deb0b4c6f9ff69855255e50de7
                                                          • Opcode Fuzzy Hash: e502e8b3f163a517c88fc62e366e7fc0f9fa3184abdb75dc24b1728dce395871
                                                          • Instruction Fuzzy Hash: E1617130F102099FEB549FA5C854BAEBBF6FF88704F20842AD116EB395DB758C458B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph: [graph rendering omitted]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q
                                                          • API String ID: 0-355816377
                                                          • Opcode ID: 2fbf4a3949921488dabd76e73611d7832fc469646006c6620b7ced60eed1f13f
                                                          • Instruction ID: c55b6e80d08e614335292a6fcb1b993ef659842a13fd179239929c83f9efe968
                                                          • Opcode Fuzzy Hash: 2fbf4a3949921488dabd76e73611d7832fc469646006c6620b7ced60eed1f13f
                                                          • Instruction Fuzzy Hash: E8513530B0020A9FDB54EB75D950BAF77FAABC8644F209469D409DB358DA31DC43CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph: [graph rendering omitted; the block at 11d7ec0 calls CheckRemoteDebuggerPresent]
                                                          APIs
                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 011D7F3F
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4170399979.00000000011D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 011D0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_11d0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID: CheckDebuggerPresentRemote
                                                          • String ID:
                                                          • API String ID: 3662101638-0
                                                          • Opcode ID: a950dc12cc8124abcb0ea16a01abcf88ce155ab033a3731d0e4e22b83897b0e6
                                                          • Instruction ID: 3b125d768d6dfc2d8ee5fe04c97b39544e0890d12ae1e9ddba39f54ee6f8ce07
                                                          • Opcode Fuzzy Hash: a950dc12cc8124abcb0ea16a01abcf88ce155ab033a3731d0e4e22b83897b0e6
                                                          • Instruction Fuzzy Hash: B72175B1800259CFCB14CFAAC484BEEBBF4EF48324F14846AE458A7750C338A944CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph: [graph rendering omitted]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: XPcq
                                                          • API String ID: 0-714321711
                                                          • Opcode ID: f11a7a28c140ddbd3dc59da532b0e295fd9d5015311c181526c59c92e3b2fb8b
                                                          • Instruction ID: b21de187d2746cd043e43324a058cabc9938b660a4136deaca466432524e237f
                                                          • Opcode Fuzzy Hash: f11a7a28c140ddbd3dc59da532b0e295fd9d5015311c181526c59c92e3b2fb8b
                                                          • Instruction Fuzzy Hash: 57418E30E102099FDB459FA5C854BAEBBF7FF88700F20852AE116AB395DB708D459B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph: [graph rendering omitted]
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PH^q
                                                          • API String ID: 0-2549759414
                                                          • Opcode ID: 452f6628ea94fb5f91d26680e750fe72e4b34447b0d27aa24eb497e64307b43e
                                                          • Instruction ID: 3c4931ac3a2a0a6df8f7c4882e3828e5377795435ce45dcd279163c4dc8a21e7
                                                          • Opcode Fuzzy Hash: 452f6628ea94fb5f91d26680e750fe72e4b34447b0d27aa24eb497e64307b43e
                                                          • Instruction Fuzzy Hash: 7D31F070B003058FDB59AB74C56426F7AE7AB89214F249539D01ADB388DE31DC46CBA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f1c0ecc68b22bd96aa29ddff8ec41ed4a81616714a528f7872512d8954ae568d
                                                          • Instruction ID: 58b72a4a586bb850182e523b37f94c24bb4a0403d8125080c5579fbff9f5b2c4
                                                          • Opcode Fuzzy Hash: f1c0ecc68b22bd96aa29ddff8ec41ed4a81616714a528f7872512d8954ae568d
                                                          • Instruction Fuzzy Hash: 7F129D34B002059FDB54DBA8D990AADB7F2EF88318F209429E40ADB395DB35DD42CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c684190680bff1bf442a96e87588fa7c951682a0f6f18d9004a9041dbebed1af
                                                          • Instruction ID: dbc2c68cfe6f0b78cc619f7fd6c74d978f2469a4e2440da8bc252c22a8c79492
                                                          • Opcode Fuzzy Hash: c684190680bff1bf442a96e87588fa7c951682a0f6f18d9004a9041dbebed1af
                                                          • Instruction Fuzzy Hash: CFC15D34E002098FDF54DBA8D990AADB7F2EF88314F249425E806EB396DB35DD42CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 654682ee6de59c7ef1250905f70cb3247c97fb4f0097e72f8cecb7c4f8c417b5
                                                          • Instruction ID: 8dbe9b015c64be3053a8d62ab48c48bcc768e63d83eb55b5a6ae9c65795b3f6c
                                                          • Opcode Fuzzy Hash: 654682ee6de59c7ef1250905f70cb3247c97fb4f0097e72f8cecb7c4f8c417b5
                                                          • Instruction Fuzzy Hash: C2A12B30B003198FDB59EF74C9507AEB7B2EB88604F2085A9D409AB395DB35DD86CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6ab788206412fed01c9eff9f920855575153e0d2d5424cbf6d1b141984835436
                                                          • Instruction ID: ae2d05c7c2eef614463563817d864c27fa7016a174fa422c07294930997f5ef0
                                                          • Opcode Fuzzy Hash: 6ab788206412fed01c9eff9f920855575153e0d2d5424cbf6d1b141984835436
                                                          • Instruction Fuzzy Hash: 64A16B34A003049FCB64EB68D548A9DB7F2FF84318F149479E81A9B394DB35ED46CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 908a70d4fdf1fb7bf7b144631ae0be5f9c41b2981d5d37ccc33919576e87930e
                                                          • Instruction ID: 215cacfcc38b4e1f49bd4d9c166239f85033a0cda8de1c49db28c68011c06fb5
                                                          • Opcode Fuzzy Hash: 908a70d4fdf1fb7bf7b144631ae0be5f9c41b2981d5d37ccc33919576e87930e
                                                          • Instruction Fuzzy Hash: D5814F34B002099FDF54DBA9D5506AEB7F3EF89304F209429E40ADB394EB35EC468B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 587c979f7a6025deeb10ad5fcaa37e19477e96202a664314f7b5da8265f5c825
                                                          • Instruction ID: 1d206d484457764f08d3b7c4b0e188bcf6b72f789d2613f003820e20ccdbebb9
                                                          • Opcode Fuzzy Hash: 587c979f7a6025deeb10ad5fcaa37e19477e96202a664314f7b5da8265f5c825
                                                          • Instruction Fuzzy Hash: 0561CE71F101114FCB50AA7ACC946AFBAD7AFC4624B25443AD80EDB365EEA5DD0387C2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0de0a39325e2a37f05a09e6fc9d49f184ee57eef56c77ddf0987e10d6648bdf8
                                                          • Instruction ID: 8d025a146e7447a492f6e1df5c3a3d3cbadd0408cad9733e2058272fb2220e20
                                                          • Opcode Fuzzy Hash: 0de0a39325e2a37f05a09e6fc9d49f184ee57eef56c77ddf0987e10d6648bdf8
                                                          • Instruction Fuzzy Hash: 47912030E102198FDF64DF68C880B9DB7B1FF89314F208599D549AB395DB70AA86CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 82537ff14843151f0b80666780c8a26cc1586214fa2a6773c7591e6bb1a718ad
                                                          • Instruction ID: 9ca124d1dfcb717acc876ed9c4444775c768b8cf80794c47eb4cece014ddd853
                                                          • Opcode Fuzzy Hash: 82537ff14843151f0b80666780c8a26cc1586214fa2a6773c7591e6bb1a718ad
                                                          • Instruction Fuzzy Hash: A3714D31E1031A8FCB59DFA9C5546AEB7B2FF85308F108529D409AF354EB71E8478B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a8049a6b1741e045f29453ae8fec3b02c851c231f43d185762786300e33dafe
                                                          • Instruction ID: 17832208ffc243cd66f2d6e155dc4928d08655b9aca0132107ee4da41b11c388
                                                          • Opcode Fuzzy Hash: 7a8049a6b1741e045f29453ae8fec3b02c851c231f43d185762786300e33dafe
                                                          • Instruction Fuzzy Hash: AB911D30E1021A8BDF64DF68C880B9DB7B1FF89304F208595D549AB395DB70AA86CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e48658e8417b5d21f99fefd6c89a03534bcfa6b2f7cac94010e3ca955d47f1aa
                                                          • Instruction ID: 85f058f87b1c1f3bda9c2ee469176bb35d76b08d59e609204809ff31c0cce4d4
                                                          • Opcode Fuzzy Hash: e48658e8417b5d21f99fefd6c89a03534bcfa6b2f7cac94010e3ca955d47f1aa
                                                          • Instruction Fuzzy Hash: 1D418E71E003099FCB60CEA9D880AAFFBB2FB45314F10492AE19AD7640D331E9468B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b38f39b9225ba6d12c0ab42476c9e861e3a559d118e17eb077e15364fcd23731
                                                          • Instruction ID: 0b7475d6bc2dab3bc8b42d25958e2dd0832f3c0f819123de9bb089c0738a8874
                                                          • Opcode Fuzzy Hash: b38f39b9225ba6d12c0ab42476c9e861e3a559d118e17eb077e15364fcd23731
                                                          • Instruction Fuzzy Hash: D8316D34E1030A9BCB55DFA5D85469EB7F6AF89304F10C529E916EB740DB70A846CB90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f3dc9a35878b228d52014bff967a779e74aa1d6b835d939326769e0bf996d698
                                                          • Instruction ID: 6e30c6b6ab96948359340e61312fc4e66307a7926385d6dccf2ceb302eec2831
                                                          • Opcode Fuzzy Hash: f3dc9a35878b228d52014bff967a779e74aa1d6b835d939326769e0bf996d698
                                                          • Instruction Fuzzy Hash: 6531AD75E01319AFDB00DFB9DC80AEE7BB6EB48254F244025F805EB350E731D9428B92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 97483c052ad09eb0b04545951565a668a7d52a49338f20cf358f43a45b60f214
                                                          • Instruction ID: bed809c3dbb9ded8d31100b81496231adc930056cd1e29fd6392d8c62f44ebca
                                                          • Opcode Fuzzy Hash: 97483c052ad09eb0b04545951565a668a7d52a49338f20cf358f43a45b60f214
                                                          • Instruction Fuzzy Hash: 57315C34E1030A9FCB55CFA4D45469EB7F2AF89304F10C529E916EB750DB70AC46CB50
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7baf25d9c94aa001415a29e60d9af91ca9d3a16ddea6cbb1bac51e6f4b9b0fc1
                                                          • Instruction ID: 66c3430f25e31678c0b7fe8238aada6b7652f99f20eb0c8c85c1d7284c178076
                                                          • Opcode Fuzzy Hash: 7baf25d9c94aa001415a29e60d9af91ca9d3a16ddea6cbb1bac51e6f4b9b0fc1
                                                          • Instruction Fuzzy Hash: 4B217A75E003199FDF50DFB9D890AAEBBF5EB48614F20902AE905E7384E730D9428B95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4169635566.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_118d000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8eb385af7270aaa3d246320a5f9826491714d5cf3e6938dba4b6e0754e27d32a
                                                          • Instruction ID: 324a63684538fdc0b1786ed0a1a16bb350ee9181211d4aba56af14d1422ad628
                                                          • Opcode Fuzzy Hash: 8eb385af7270aaa3d246320a5f9826491714d5cf3e6938dba4b6e0754e27d32a
                                                          • Instruction Fuzzy Hash: 2421D371504304DFDF19EF68E984B26BB65EB84314F20C5A9E9494B292C736D447CE62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7b808b3fe7a2eaea732a0ad0c590e73d7e910385530cc69ce8d83d31409f7802
                                                          • Instruction ID: dea3c860c6f6cffbbf046de37f04f0056eab0bb423723307de00445e96b54ed6
                                                          • Opcode Fuzzy Hash: 7b808b3fe7a2eaea732a0ad0c590e73d7e910385530cc69ce8d83d31409f7802
                                                          • Instruction Fuzzy Hash: 64219030B102189BDF54EB6DE85069EB7B7EB84314F24843AE809DB344DB31ED428BC5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: dc7441ba91662117de97b2d5b79a1248af2b800c21221ce302a1849220075206
                                                          • Instruction ID: e2a954c11863acf2d8a0cc671b21cb6c39685021df7d3b2f76b67f1be518d0e8
                                                          • Opcode Fuzzy Hash: dc7441ba91662117de97b2d5b79a1248af2b800c21221ce302a1849220075206
                                                          • Instruction Fuzzy Hash: F901B530B242111FDB65A66EA81076FB7DFCBCA654F18843AF50AC7345E955CC4643E1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a7a5a8f9f3397b2570b24f169115ca2b97847731483ee64f1a9e59d94145cc76
                                                          • Instruction ID: e5fe4b5841be80ab86b550ccf73ad2f6f836c894efe9cb86374aa6a19d973419
                                                          • Opcode Fuzzy Hash: a7a5a8f9f3397b2570b24f169115ca2b97847731483ee64f1a9e59d94145cc76
                                                          • Instruction Fuzzy Hash: B5118E32B142295FDF55AB68DC14AAF77EAEBC8214B01443AD50AE7344EE349C038B92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 869b6e2c13ec1ce753f3403700c614b90683b2441f24d7edaa944932e33d35a5
                                                          • Instruction ID: ca67dd969afd3ddaa97de80c77880280ab69e5939ab13ece590888b3e06fedbc
                                                          • Opcode Fuzzy Hash: 869b6e2c13ec1ce753f3403700c614b90683b2441f24d7edaa944932e33d35a5
                                                          • Instruction Fuzzy Hash: 9F21C4B5D01259AFCB00DF9AD985ACEFFB8FB49320F10812AE918A7241C3756954CFE5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 52a7ea39df55d2cf48b0e63db740dcb5e161b5f182559c7c88dc82a75ee19553
                                                          • Instruction ID: ee95a3db12ae13a45e20d3458a4eaf16a71b255bd8bcb864ca1a7b4ce9090149
                                                          • Opcode Fuzzy Hash: 52a7ea39df55d2cf48b0e63db740dcb5e161b5f182559c7c88dc82a75ee19553
                                                          • Instruction Fuzzy Hash: B901D832B201196BDF5597689C20AEF77EBDBC4614F01443AE40AE7344DE248C0387D2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b32ad20b0d87e9f4168189750de0cc58eff28693f381592a01132101fb6c2d83
                                                          • Instruction ID: c15464752081b171e6252d331ac8dd43afed931b2533fb6f080d3baaadfeb195
                                                          • Opcode Fuzzy Hash: b32ad20b0d87e9f4168189750de0cc58eff28693f381592a01132101fb6c2d83
                                                          • Instruction Fuzzy Hash: 1F012430B102015FDB62A638EC607AA77E6DF8A218F148579F00ACB389DA15DC478381
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4169635566.000000000118D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0118D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_118d000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                          • Instruction ID: ecd681262eb7b7e5a1f26dd8948f0da6ad2876c30d38d8b0ca03c170e35c1a58
                                                          • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                          • Instruction Fuzzy Hash: BC11A9755042848FDB16DF64D9C4B16BBA2FB84314F24C6AAD8494B292C33AD44ACF62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f55488b5a89494d0d729dcbcbdbd36a16239d5e822bf607eab336a745a99c4e6
                                                          • Instruction ID: 34885152b9a150197a350b848e01204a0df6fbf67f3f4b676c53da54d2e3fbc4
                                                          • Opcode Fuzzy Hash: f55488b5a89494d0d729dcbcbdbd36a16239d5e822bf607eab336a745a99c4e6
                                                          • Instruction Fuzzy Hash: B211D0B5D01259AFCB00DF9AD885ACEFFB4FB49320F10812AE918A7240C374A954CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0ab909dde2a1ad2cd1c1f15d34acf210a37f3580c6c4222adf71c96878a63f9f
                                                          • Instruction ID: fa74e2894e77ef1cc157e2bc388f75bfaf1f018acbd28935a8891fc864e02a6f
                                                          • Opcode Fuzzy Hash: 0ab909dde2a1ad2cd1c1f15d34acf210a37f3580c6c4222adf71c96878a63f9f
                                                          • Instruction Fuzzy Hash: 95012430B1021C1BEB209664DC2079B77BED780258F2004B6D40ED3384DA315D438BD2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 839aac527028d837d3abd56c3780add0261e2695d3553c195e578a4470dcc599
                                                          • Instruction ID: d3c30b2b3bb811d7b2f40030e9468998894a27f91f79e302273496d6095dcccc
                                                          • Opcode Fuzzy Hash: 839aac527028d837d3abd56c3780add0261e2695d3553c195e578a4470dcc599
                                                          • Instruction Fuzzy Hash: CF016931B202111BDF64966EE81072EB2EBDBC9628F24843AE11EC7788EA65DC434395
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a82fb54b64f2024eb8ed0e8530717005946dfdf691eac53ed3bed30fd01d8aef
                                                          • Instruction ID: 17cdefd5eb187ebb737371ea8e46b4dcdccb553464c99f500fd976f17b9fc263
                                                          • Opcode Fuzzy Hash: a82fb54b64f2024eb8ed0e8530717005946dfdf691eac53ed3bed30fd01d8aef
                                                          • Instruction Fuzzy Hash: 5D01A430B106145FDB60EA3DE86072AB3DAEF89718F109539F10ECB388DA25DC434785
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 71b0e748ab21c0efa7e69d69d77762c203b3ed39c8f54c722dba84e43d24e32b
                                                          • Instruction ID: 3c6c5a9de67f0ea4e7372471baecfd5e522d6287f3d4f75513c6502cfeff1a5b
                                                          • Opcode Fuzzy Hash: 71b0e748ab21c0efa7e69d69d77762c203b3ed39c8f54c722dba84e43d24e32b
                                                          • Instruction Fuzzy Hash: AEF02230D0A3486FDB10DAB08D007AA7BAC9B03208F20899AE844CB243D236CA0683A0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                          • API String ID: 0-2222239885
                                                          • Opcode ID: eba4742abc16fb721499b70b9f2968f1ba284a67ce0d6d66fd19356958e03f70
                                                          • Instruction ID: 79a6462f6c5832f032bb8c12efd7bc06c0963e7927ed984b3d68337e18dcdec4
                                                          • Opcode Fuzzy Hash: eba4742abc16fb721499b70b9f2968f1ba284a67ce0d6d66fd19356958e03f70
                                                          • Instruction Fuzzy Hash: 99123B70E003198FDB68DF65C954A9EB7F2BF88304F2195A9D009AB354EB31DD86CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                          • API String ID: 0-3823777903
                                                          • Opcode ID: dd4cab665a3f8456a0211d98167a81c12388971764dab3f3c8010ead340e3380
                                                          • Instruction ID: 9f8d23132cb906c4dea7e5d96ec3923fe865cc903502aa0e395888b55a1dd117
                                                          • Opcode Fuzzy Hash: dd4cab665a3f8456a0211d98167a81c12388971764dab3f3c8010ead340e3380
                                                          • Instruction Fuzzy Hash: A9917030E0030ADFEB68EF65D958BAE7BF6AF44308F109529E4059F394DB749846CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                                          • API String ID: 0-3823777903
                                                          • Opcode ID: e65866ffae4d662afce72dea7210edbe07324cf63704c24b03805f5ff9dddfb0
                                                          • Instruction ID: 9a15b37bacf75bcafcf91981634f73879d3be59b219c3c8ff6ae299a4a02c7e2
                                                          • Opcode Fuzzy Hash: e65866ffae4d662afce72dea7210edbe07324cf63704c24b03805f5ff9dddfb0
                                                          • Instruction Fuzzy Hash: 9351E430E113098FDB68EB68D598AAEB7F2EB84304F209529E415DF358DB31DC46CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
                                                          • API String ID: 0-390881366
                                                          • Opcode ID: 35833c34a4024fceef6ff0ad7fddba61b1bb36cc9b3730fce5f49215e61fb9d5
                                                          • Instruction ID: 08663c4d3e88602021f6315c4612c6e4d1a08ce28405bd10d5b5b08987778b3e
                                                          • Opcode Fuzzy Hash: 35833c34a4024fceef6ff0ad7fddba61b1bb36cc9b3730fce5f49215e61fb9d5
                                                          • Instruction Fuzzy Hash: F1F10B30A01309CFDB59EF68D594A6EB7B3BF88304F248569D4059B3A9CB31DD86CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q
                                                          • API String ID: 0-2125118731
                                                          • Opcode ID: 2237709c49c90970e7746dbefa7189820243c7114f14c03ec07106e82402fe93
                                                          • Instruction ID: a400ae60cc87c0d76e48e009ea532f070d95ea4e201135c0ffd01768b28a558f
                                                          • Opcode Fuzzy Hash: 2237709c49c90970e7746dbefa7189820243c7114f14c03ec07106e82402fe93
                                                          • Instruction Fuzzy Hash: C6B15D70A103098FDB58EF68D99466EB7B2FF88308F259469E405DB355EB71DC86CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: LR^q$LR^q$$^q$$^q
                                                          • API String ID: 0-2454687669
                                                          • Opcode ID: c032280c4b72248a4aa5d0f2b473a3ddf87a09ddec015be579af7cb0e0c3612d
                                                          • Instruction ID: 9c5cb28355e1839b9e306999a78ca47e99c85de9319a50be6c076db14be76791
                                                          • Opcode Fuzzy Hash: c032280c4b72248a4aa5d0f2b473a3ddf87a09ddec015be579af7cb0e0c3612d
                                                          • Instruction Fuzzy Hash: 6951F730B003059FDB58EB68D950A6AB7F6FF84744F209569E405CB3A5DB31EC46CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000007.00000002.4185917263.0000000006ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06ED0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_7_2_6ed0000_SecuriteInfo.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q
                                                          • API String ID: 0-2125118731
                                                          • Opcode ID: 7edf4f9bbdc568a9bae0bd1a5fa005714bd6a8ea40c66fed79b9808f31c9e8f6
                                                          • Instruction ID: 24266d6177d05fe4c10786b9cd316d4632f714b043e19131840a75c787964517
                                                          • Opcode Fuzzy Hash: 7edf4f9bbdc568a9bae0bd1a5fa005714bd6a8ea40c66fed79b9808f31c9e8f6
                                                          • Instruction Fuzzy Hash: 3C51B530E113099FDF69EB64D994AAEB3B2EB84304F145529E415DF394DB31EC42CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage:13.3%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:158
                                                          Total number of Limit Nodes:11
                                                          execution_graph 22830 f84668 22831 f84672 22830->22831 22833 f84758 22830->22833 22834 f8475d 22833->22834 22838 f84868 22834->22838 22842 f84858 22834->22842 22840 f8488f 22838->22840 22839 f8496c 22840->22839 22846 f8449c 22840->22846 22844 f8488f 22842->22844 22843 f8496c 22843->22843 22844->22843 22845 f8449c CreateActCtxA 22844->22845 22845->22843 22847 f858f8 CreateActCtxA 22846->22847 22849 f859bb 22847->22849 22850 f8d558 22851 f8d59a 22850->22851 22852 f8d5a0 GetModuleHandleW 22850->22852 22851->22852 22853 f8d5cd 22852->22853 22856 83fa088 22857 83fa213 22856->22857 22859 83fa0ae 22856->22859 22859->22857 22860 83f5c50 22859->22860 22861 83fa710 PostMessageW 22860->22861 22862 83fa77c 22861->22862 22862->22859 22854 f8fc50 DuplicateHandle 22855 f8fce6 22854->22855 22863 f8d600 22864 f8d614 22863->22864 22866 f8d639 22864->22866 22867 f8c6f0 22864->22867 22868 f8d7e0 LoadLibraryExW 22867->22868 22870 f8d859 22868->22870 22870->22866 22871 f8f600 22872 f8f646 GetCurrentProcess 22871->22872 22874 f8f698 GetCurrentThread 22872->22874 22875 f8f691 22872->22875 22876 f8f6ce 22874->22876 22877 f8f6d5 GetCurrentProcess 22874->22877 22875->22874 22876->22877 22878 f8f70b GetCurrentThreadId 22877->22878 22880 f8f764 22878->22880 22672 83f7c70 22674 83f7a1c 22672->22674 22673 83f7bcc 22674->22673 22677 83f8ef8 22674->22677 22691 83f8ee8 22674->22691 22678 83f8f12 22677->22678 22705 83f9306 22678->22705 22709 83f96e6 22678->22709 22715 83f9a87 22678->22715 22720 83f93f8 22678->22720 22729 83f94a8 22678->22729 22733 83f96aa 22678->22733 22742 83f939c 22678->22742 22750 83f940f 22678->22750 22759 83f95bf 22678->22759 22763 83f9541 22678->22763 22767 83f9364 22678->22767 22679 83f8f36 22679->22673 22692 83f8f12 22691->22692 22694 83f95bf 2 API calls 22692->22694 22695 83f940f 4 API calls 22692->22695 22696 83f939c 4 API calls 22692->22696 22697 83f96aa 4 API calls 22692->22697 22698 83f94a8 2 API calls 
22692->22698 22699 83f93f8 4 API calls 22692->22699 22700 83f9a87 2 API calls 22692->22700 22701 83f96e6 2 API calls 22692->22701 22702 83f9306 2 API calls 22692->22702 22703 83f9364 2 API calls 22692->22703 22704 83f9541 2 API calls 22692->22704 22693 83f8f36 22693->22673 22694->22693 22695->22693 22696->22693 22697->22693 22698->22693 22699->22693 22700->22693 22701->22693 22702->22693 22703->22693 22704->22693 22772 83f75f4 22705->22772 22776 83f7600 22705->22776 22711 83f96eb 22709->22711 22710 83f99e0 22710->22679 22711->22710 22780 83f6cf8 22711->22780 22784 83f6cf0 22711->22784 22712 83f9af6 22716 83f9a8d 22715->22716 22718 83f6cf8 ResumeThread 22716->22718 22719 83f6cf0 ResumeThread 22716->22719 22717 83f9af6 22718->22717 22719->22717 22721 83f9409 22720->22721 22788 83f7378 22721->22788 22792 83f7372 22721->22792 22722 83f997b 22723 83f9364 22723->22722 22796 83f9f5f 22723->22796 22801 83f9f70 22723->22801 22724 83f97cc 22724->22679 22814 83f7468 22729->22814 22818 83f7460 22729->22818 22730 83f93e9 22735 83f96bb 22733->22735 22734 83f9b2c 22734->22679 22735->22734 22736 83f9364 22735->22736 22740 83f7378 WriteProcessMemory 22735->22740 22741 83f7372 WriteProcessMemory 22735->22741 22738 83f9f5f 2 API calls 22736->22738 22739 83f9f70 2 API calls 22736->22739 22737 83f97cc 22737->22679 22738->22737 22739->22737 22740->22735 22741->22735 22746 83f7378 WriteProcessMemory 22742->22746 22747 83f7372 WriteProcessMemory 22742->22747 22743 83f9a65 22743->22679 22744 83f9364 22744->22743 22748 83f9f5f 2 API calls 22744->22748 22749 83f9f70 2 API calls 22744->22749 22745 83f97cc 22745->22679 22746->22744 22747->22744 22748->22745 22749->22745 22751 83f93a0 22750->22751 22753 83f9364 22751->22753 22755 83f7378 WriteProcessMemory 22751->22755 22756 83f7372 WriteProcessMemory 22751->22756 22752 83f9a65 22752->22679 22753->22752 22757 83f9f5f 2 API calls 22753->22757 22758 83f9f70 2 API calls 22753->22758 22754 83f97cc 22754->22679 22755->22753 22756->22753 22757->22754 
22758->22754 22822 83f72b8 22759->22822 22826 83f72b2 22759->22826 22760 83f95dd 22760->22679 22765 83f6da8 Wow64SetThreadContext 22763->22765 22766 83f6da0 Wow64SetThreadContext 22763->22766 22764 83f9499 22765->22764 22766->22764 22768 83f936f 22767->22768 22770 83f9f5f 2 API calls 22768->22770 22771 83f9f70 2 API calls 22768->22771 22769 83f97cc 22769->22679 22770->22769 22771->22769 22773 83f7689 CreateProcessA 22772->22773 22775 83f784b 22773->22775 22775->22775 22777 83f7689 CreateProcessA 22776->22777 22779 83f784b 22777->22779 22779->22779 22781 83f6d38 ResumeThread 22780->22781 22783 83f6d69 22781->22783 22783->22712 22785 83f6d38 ResumeThread 22784->22785 22787 83f6d69 22785->22787 22787->22712 22789 83f73c0 WriteProcessMemory 22788->22789 22791 83f7417 22789->22791 22791->22723 22793 83f73c0 WriteProcessMemory 22792->22793 22795 83f7417 22793->22795 22795->22723 22797 83f9f85 22796->22797 22806 83f6da0 22797->22806 22810 83f6da8 22797->22810 22798 83f9f9b 22798->22724 22802 83f9f85 22801->22802 22804 83f6da8 Wow64SetThreadContext 22802->22804 22805 83f6da0 Wow64SetThreadContext 22802->22805 22803 83f9f9b 22803->22724 22804->22803 22805->22803 22807 83f6ded Wow64SetThreadContext 22806->22807 22809 83f6e35 22807->22809 22809->22798 22811 83f6ded Wow64SetThreadContext 22810->22811 22813 83f6e35 22811->22813 22813->22798 22815 83f74b3 ReadProcessMemory 22814->22815 22817 83f74f7 22815->22817 22817->22730 22819 83f7468 ReadProcessMemory 22818->22819 22821 83f74f7 22819->22821 22821->22730 22823 83f72f8 VirtualAllocEx 22822->22823 22825 83f7335 22823->22825 22825->22760 22827 83f72f8 VirtualAllocEx 22826->22827 22829 83f7335 22827->22829 22829->22760

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 294 f8f600-f8f68f GetCurrentProcess 298 f8f698-f8f6cc GetCurrentThread 294->298 299 f8f691-f8f697 294->299 300 f8f6ce-f8f6d4 298->300 301 f8f6d5-f8f709 GetCurrentProcess 298->301 299->298 300->301 303 f8f70b-f8f711 301->303 304 f8f712-f8f72a 301->304 303->304 306 f8f733-f8f762 GetCurrentThreadId 304->306 308 f8f76b-f8f7cd 306->308 309 f8f764-f8f76a 306->309 309->308
                                                          APIs
                                                          • GetCurrentProcess.KERNEL32 ref: 00F8F67E
                                                          • GetCurrentThread.KERNEL32 ref: 00F8F6BB
                                                          • GetCurrentProcess.KERNEL32 ref: 00F8F6F8
                                                          • GetCurrentThreadId.KERNEL32 ref: 00F8F751
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1762720291.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_f80000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: Current$ProcessThread
                                                          • String ID: LUi
                                                          • API String ID: 2063062207-2136847991
                                                          • Opcode ID: beb20df8ab8cfa66fa80306c9984cb5c3e4429f760ab22f9551dca57a45a67bb
                                                          • Instruction ID: 649ec96dd4bce76828b6708e2d8a5d8c23a4841af8d0a4ef5d409ae007c8071c
                                                          • Opcode Fuzzy Hash: beb20df8ab8cfa66fa80306c9984cb5c3e4429f760ab22f9551dca57a45a67bb
                                                          • Instruction Fuzzy Hash: B85134B0D012498FDB14DFA9D548BEEBBF1EF48314F20C469E419A7260DB749988CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 315 83f75f4-83f7695 317 83f76ce-83f76ee 315->317 318 83f7697-83f76a1 315->318 325 83f7727-83f7756 317->325 326 83f76f0-83f76fa 317->326 318->317 319 83f76a3-83f76a5 318->319 320 83f76c8-83f76cb 319->320 321 83f76a7-83f76b1 319->321 320->317 323 83f76b5-83f76c4 321->323 324 83f76b3 321->324 323->323 327 83f76c6 323->327 324->323 332 83f778f-83f7849 CreateProcessA 325->332 333 83f7758-83f7762 325->333 326->325 328 83f76fc-83f76fe 326->328 327->320 330 83f7721-83f7724 328->330 331 83f7700-83f770a 328->331 330->325 334 83f770e-83f771d 331->334 335 83f770c 331->335 346 83f784b-83f7851 332->346 347 83f7852-83f78d8 332->347 333->332 337 83f7764-83f7766 333->337 334->334 336 83f771f 334->336 335->334 336->330 338 83f7789-83f778c 337->338 339 83f7768-83f7772 337->339 338->332 341 83f7776-83f7785 339->341 342 83f7774 339->342 341->341 344 83f7787 341->344 342->341 344->338 346->347 357 83f78da-83f78de 347->357 358 83f78e8-83f78ec 347->358 357->358 359 83f78e0 357->359 360 83f78ee-83f78f2 358->360 361 83f78fc-83f7900 358->361 359->358 360->361 362 83f78f4 360->362 363 83f7902-83f7906 361->363 364 83f7910-83f7914 361->364 362->361 363->364 365 83f7908 363->365 366 83f7926-83f792d 364->366 367 83f7916-83f791c 364->367 365->364 368 83f792f-83f793e 366->368 369 83f7944 366->369 367->366 368->369 371 83f7945 369->371 371->371
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 083F7836
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID: LUi$LUi
                                                          • API String ID: 963392458-324199153
                                                          • Opcode ID: ea760f0d78513b4db7eb3fa449fbaaddb84291bdcf7a789a5d992a01f612485e
                                                          • Instruction ID: ab7cfd9c304fab3aea38e213d22940c3548381d582bc9a2e41eb11e27ea97ba8
                                                          • Opcode Fuzzy Hash: ea760f0d78513b4db7eb3fa449fbaaddb84291bdcf7a789a5d992a01f612485e
                                                          • Instruction Fuzzy Hash: 1BA19E71D10259CFDF20DF68C841BEEBBB2BF88311F1481A9E908A7251DB749985CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 372 83f7600-83f7695 374 83f76ce-83f76ee 372->374 375 83f7697-83f76a1 372->375 382 83f7727-83f7756 374->382 383 83f76f0-83f76fa 374->383 375->374 376 83f76a3-83f76a5 375->376 377 83f76c8-83f76cb 376->377 378 83f76a7-83f76b1 376->378 377->374 380 83f76b5-83f76c4 378->380 381 83f76b3 378->381 380->380 384 83f76c6 380->384 381->380 389 83f778f-83f7849 CreateProcessA 382->389 390 83f7758-83f7762 382->390 383->382 385 83f76fc-83f76fe 383->385 384->377 387 83f7721-83f7724 385->387 388 83f7700-83f770a 385->388 387->382 391 83f770e-83f771d 388->391 392 83f770c 388->392 403 83f784b-83f7851 389->403 404 83f7852-83f78d8 389->404 390->389 394 83f7764-83f7766 390->394 391->391 393 83f771f 391->393 392->391 393->387 395 83f7789-83f778c 394->395 396 83f7768-83f7772 394->396 395->389 398 83f7776-83f7785 396->398 399 83f7774 396->399 398->398 401 83f7787 398->401 399->398 401->395 403->404 414 83f78da-83f78de 404->414 415 83f78e8-83f78ec 404->415 414->415 416 83f78e0 414->416 417 83f78ee-83f78f2 415->417 418 83f78fc-83f7900 415->418 416->415 417->418 419 83f78f4 417->419 420 83f7902-83f7906 418->420 421 83f7910-83f7914 418->421 419->418 420->421 422 83f7908 420->422 423 83f7926-83f792d 421->423 424 83f7916-83f791c 421->424 422->421 425 83f792f-83f793e 423->425 426 83f7944 423->426 424->423 425->426 428 83f7945 426->428 428->428
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 083F7836
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID: LUi$LUi
                                                          • API String ID: 963392458-324199153
                                                          • Opcode ID: 1c5890510a2026190332e60aa2ed525c9874c955a8cbb2b0b6424e49953e75c0
                                                          • Instruction ID: 76514591bb6266cd96d20c5daadaff4ebf2222da933e2d46fd88e1da1bf0e6d5
                                                          • Opcode Fuzzy Hash: 1c5890510a2026190332e60aa2ed525c9874c955a8cbb2b0b6424e49953e75c0
                                                          • Instruction Fuzzy Hash: 0D918C71D10259CFDF20DFA8C841BEEBBB2BF88315F1481A9E908A7251DB749985CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 451 f8449c-f859b9 CreateActCtxA 454 f859bb-f859c1 451->454 455 f859c2-f85a1c 451->455 454->455 462 f85a2b-f85a2f 455->462 463 f85a1e-f85a21 455->463 464 f85a40 462->464 465 f85a31-f85a3d 462->465 463->462 467 f85a41 464->467 465->464 467->467
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00F859A9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1762720291.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_f80000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID: LUi
                                                          • API String ID: 2289755597-2136847991
                                                          • Opcode ID: 88f5d1606c17fe971d44bccbe6447deff8ca26c9eef82304238fcffb1a072a0a
                                                          • Instruction ID: 8823a68817c6f59dc3eb82971c8500ea76d6a69da9f6f53a469be35db251d140
                                                          • Opcode Fuzzy Hash: 88f5d1606c17fe971d44bccbe6447deff8ca26c9eef82304238fcffb1a072a0a
                                                          • Instruction Fuzzy Hash: A241F1B0C00719CBDB24DFA9C884BDEBBB5BF48714F20806AD408AB255DB756949CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 468 f858ed-f858f2 469 f858fc-f859b9 CreateActCtxA 468->469 471 f859bb-f859c1 469->471 472 f859c2-f85a1c 469->472 471->472 479 f85a2b-f85a2f 472->479 480 f85a1e-f85a21 472->480 481 f85a40 479->481 482 f85a31-f85a3d 479->482 480->479 484 f85a41 481->484 482->481 484->484
                                                          APIs
                                                          • CreateActCtxA.KERNEL32(?), ref: 00F859A9
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1762720291.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_f80000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: Create
                                                          • String ID: LUi
                                                          • API String ID: 2289755597-2136847991
                                                          • Opcode ID: 36d71a802a2b56a89817a63c389a6b1e44bbfbbba7a9c2ed56c8fda78cc82f71
                                                          • Instruction ID: 720970445c109d45ae90bb0126d565e5dd7c6c4721e89cec5a939630488adf01
                                                          • Opcode Fuzzy Hash: 36d71a802a2b56a89817a63c389a6b1e44bbfbbba7a9c2ed56c8fda78cc82f71
                                                          • Instruction Fuzzy Hash: 7D4105B0C00719CFDB14DFA9C8847CDBBB5BF45714F24816AD408AB255DB756989CF90
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 485 83f7372-83f73c6 487 83f73c8-83f73d4 485->487 488 83f73d6-83f7415 WriteProcessMemory 485->488 487->488 490 83f741e-83f744e 488->490 491 83f7417-83f741d 488->491 491->490
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 083F7408
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID: LUi
                                                          • API String ID: 3559483778-2136847991
                                                          • Opcode ID: d08449255e519b7c4f6c44f6d39b5a1b209139319b97e7d20c6dcf617cf4406e
                                                          • Instruction ID: 432c4580d6260fd37e30185026611a179340f9e0b78f9ca1dc59e7c9f727ca3d
                                                          • Opcode Fuzzy Hash: d08449255e519b7c4f6c44f6d39b5a1b209139319b97e7d20c6dcf617cf4406e
                                                          • Instruction Fuzzy Hash: 262115B59002599FCF10CFA9C885BEEBBF1FF88310F10842AE959A7251C7789954DBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 495 83f7378-83f73c6 497 83f73c8-83f73d4 495->497 498 83f73d6-83f7415 WriteProcessMemory 495->498 497->498 500 83f741e-83f744e 498->500 501 83f7417-83f741d 498->501 501->500
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 083F7408
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID: LUi
                                                          • API String ID: 3559483778-2136847991
                                                          • Opcode ID: eda1faed9f2aa22a373f6b924b5f0d51191bac13689a124a8081f1227438bee4
                                                          • Instruction ID: 73e42296655a7577c6c3bed4dc060482375558a992b364280864b97290c910c3
                                                          • Opcode Fuzzy Hash: eda1faed9f2aa22a373f6b924b5f0d51191bac13689a124a8081f1227438bee4
                                                          • Instruction Fuzzy Hash: 7F2155B59003599FCB10CFAAC881BDEBBF5FF88310F10842AE918A7251C7789944CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 515 83f7460-83f74f5 ReadProcessMemory 519 83f74fe-83f752e 515->519 520 83f74f7-83f74fd 515->520 520->519
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 083F74E8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID: LUi
                                                          • API String ID: 1726664587-2136847991
                                                          • Opcode ID: c3de15cce105b05d4fea443572121e180dca06942e7da2646f536b9b2152d737
                                                          • Instruction ID: faa10579cff4eccf583c42537edaed513091442b9d215f9a2f09641c62dd7e04
                                                          • Opcode Fuzzy Hash: c3de15cce105b05d4fea443572121e180dca06942e7da2646f536b9b2152d737
                                                          • Instruction Fuzzy Hash: 732139B19002599FCB10DFAAC841BEEFBF5FF88310F10842AE519A7250C7389541CFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 505 83f6da0-83f6df3 507 83f6df5-83f6e01 505->507 508 83f6e03-83f6e33 Wow64SetThreadContext 505->508 507->508 510 83f6e3c-83f6e6c 508->510 511 83f6e35-83f6e3b 508->511 511->510
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 083F6E26
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID: LUi
                                                          • API String ID: 983334009-2136847991
                                                          • Opcode ID: 4e892c43f3f09dde22bc58771117e286388aba1a158c70c945e4e7e2c19cd0e9
                                                          • Instruction ID: c7948d3e4f5de82e2c14e06409b037eeb362be74b8dac4558008e66499190e2c
                                                          • Opcode Fuzzy Hash: 4e892c43f3f09dde22bc58771117e286388aba1a158c70c945e4e7e2c19cd0e9
                                                          • Instruction Fuzzy Hash: 6C2175B29002088FCB10CFAAC5857EEBFF4AF98320F10842ED559A7241C7789984CFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 534 83f7468-83f74f5 ReadProcessMemory 537 83f74fe-83f752e 534->537 538 83f74f7-83f74fd 534->538 538->537
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 083F74E8
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID: LUi
                                                          • API String ID: 1726664587-2136847991
                                                          • Opcode ID: 526122dd8c7698abf28a6559e707326b95c3b2328fb3c39ab8f6c5718660caad
                                                          • Instruction ID: 77b1a4166d6f769fd6e9b94c32ca40548427b289b737099b7a0bf94f071a50e2
                                                          • Opcode Fuzzy Hash: 526122dd8c7698abf28a6559e707326b95c3b2328fb3c39ab8f6c5718660caad
                                                          • Instruction Fuzzy Hash: 192128B19002599FCB10DFAAC841BEEFBF5FF88320F108429E958A7251C7389544CBA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Rendered graph not reproduced; 5 basic blocks from 83f6da8 to 83f6e6c, Wow64SetThreadContext called in block 83f6e03-83f6e33
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 083F6E26
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID: LUi
                                                          • API String ID: 983334009-2136847991
                                                          • Opcode ID: 4b90e7a4ed0d991fa8601dd406d4ea45c395ea80ca9e8d27f26418c648cf431e
                                                          • Instruction ID: 6c3cbfdfc7a2c8284f9f73e514962977384ad7c951fe5d02238bc0e386d31b7b
                                                          • Instruction Fuzzy Hash: 1C2138B2D002098FDB10DFAAC5857EEBBF4EF98324F108429D559A7241D7789984CFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Rendered graph not reproduced; 3 basic blocks from f8fc50 to f8fd0a, DuplicateHandle called in block f8fc50-f8fce4
                                                          APIs
                                                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00F8FCD7
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1762720291.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_f80000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: DuplicateHandle
                                                          • String ID: LUi
                                                          • API String ID: 3793708945-2136847991
                                                          • Opcode ID: 7033bae2e7ab0193df696a8c840027d5210638403fd14de9c488a496749e9a6a
                                                          • Instruction ID: c7ae11b0deae3549c7b38a7401287ab3d050637977a13d06fcd8f408da471c01
                                                          • Instruction Fuzzy Hash: AF21E4B59002089FDB10CFAAD584ADEBBF4FB48320F14841AE914A7310C374AA44DFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          • Rendered graph not reproduced; 5 basic blocks from f8c6f0 to f8d87d, LoadLibraryExW called in block f8d828-f8d857
                                                          APIs
                                                          • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00F8D639,00000800,00000000,00000000), ref: 00F8D84A
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1762720291.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_f80000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: LibraryLoad
                                                          • String ID: LUi
                                                          • API String ID: 1029625771-2136847991
                                                          • Opcode ID: f410a88618d8a1b4103cf69f8f45837611133fdb3b9e589b6905e6fb1a5cb8dc
                                                          • Instruction ID: ab87a8c40f11116305bcec6e6df72074453c54aed14fea3d8a6a0f1353407180
                                                          • Instruction Fuzzy Hash: 2E11D0B6D002099FDB10DF9AD444BDEFBF5EB88320F10842AE919A7250C375A945CFA9
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 083F7326
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID: LUi
                                                          • API String ID: 4275171209-2136847991
                                                          • Opcode ID: a5829f8ef92d2c99e632802fc989ca62b9606cbe623738721ca2acc5f3d94f8c
                                                          • Instruction ID: bbef009e9f397701f1078fb44b9d94e8f931c58221bb1c16250ed78e6d820230
                                                          • Instruction Fuzzy Hash: 4A116A758002489FCF20DFAAC844BDEBFF1EF88320F248829D555A7251C7759554CFA0
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 083F7326
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID: LUi
                                                          • API String ID: 4275171209-2136847991
                                                          • Opcode ID: 4ff532b341402d4b3cf76b55f624e54facba7c3a614ea04f610b43dd2f3e061a
                                                          • Instruction ID: a588eb70ac42fa7af49d9fe587632f254c1903cdffb3ab3f6c632af784a5f40f
                                                          • Instruction Fuzzy Hash: B31167718002489FCB10DFAAC844BDEBFF5EF88320F10882AE919A7250C735A550CFA4
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID: LUi
                                                          • API String ID: 947044025-2136847991
                                                          • Opcode ID: 47188021ac4a64a4731a4664eab9e683cad734c852c11e2f37559fcdb724ea5b
                                                          • Instruction ID: 812262ef26173f775dc8c24add60a806adb42b0748222493dac2ca2243e5dff9
                                                          • Instruction Fuzzy Hash: 151158B59042488FCB20DFAAC4457EEFFF5EB88324F20842DD459A7250C679A984CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID: LUi
                                                          • API String ID: 947044025-2136847991
                                                          • Opcode ID: 5f5f5b974cb8a28f5614beb74ef906507a9760877a671507e64c19ee63a1a027
                                                          • Instruction ID: 4d9db051fdc0d27b01e6d4ae60fdd6c69441500a1ae86bb942aac8350dcab490
                                                          • Instruction Fuzzy Hash: 551136B19002488FCB20DFAAC4457DEFBF5EB88324F208429D559A7250CB75A984CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • GetModuleHandleW.KERNELBASE(00000000), ref: 00F8D5BE
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1762720291.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_f80000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: HandleModule
                                                          • String ID: LUi
                                                          • API String ID: 4139908857-2136847991
                                                          • Opcode ID: 34ad895e2c7f888ec9b0413300337ed38112da37e02b6027534e7b79de41d02b
                                                          • Instruction ID: a1a349b9fc9dccf327ed464daa1dae45f967ac9ae72699eca2354cc3da5f5dd5
                                                          • Instruction Fuzzy Hash: B811EDB6C002498FCB10DF9AC444BDEFBF4AF88324F14842AD869AB650D379A545CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 083FA76D
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID: LUi
                                                          • API String ID: 410705778-2136847991
                                                          • Opcode ID: 291e7b8ac91eb71b4ef273a9716c7a371d76919350dd193050aabf39cc53f7ad
                                                          • Instruction ID: 27c774a74a9b22bcdddb02a8d4a8997d96ea1a2a61966f1be8fa2332dc96f283
                                                          • Instruction Fuzzy Hash: 731103B5800358DFCB10DF9AC585BDEBBF8EB48324F20841AE958A7611C375A984CFA5
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 083FA76D
                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1769492094.00000000083F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 083F0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_83f0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID: LUi
                                                          • API String ID: 410705778-2136847991
                                                          • Opcode ID: 80cad85974a65a298b9753e29039c213026d06c55ac5cfd4895d201157bdaf58
                                                          • Instruction ID: f98c01d5deb205ea2adda3885d8bfce7c7f56c443f4ae0ac7a89a8310691d68f
                                                          • Instruction Fuzzy Hash: 2C1103B58003599FCB20DF9AD589BDEBFF4EB48324F20841AD559A7211C375A984CFA1
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1762034400.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_f2d000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • Opcode ID: 82bb6fb91396d03942b1473a9b2de4ac5f83b25aba0df8b99cd2d20d4a437c8c
                                                          • Instruction ID: 0be65557697d05b3af7ba653d9b3e4482d06e07561e86ae2074026b658bca3a1
                                                          • Instruction Fuzzy Hash: A7213A72504240DFDB05DF14E9C0B27BF65FB94328F34C569E8054B256C376D856E7A2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1762096884.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_f3d000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • Opcode ID: ef53c812816cb2145ffc78a3003dba315a556ee515d1682e11211ad4e00a7661
                                                          • Instruction ID: 19aabfbd39324e077728a1739482deeb19e995ba52b7e1bb92d9f119cc1591d0
                                                          • Instruction Fuzzy Hash: 6F212671904204EFDB05DF14E9C0B27BBA5FB84334F20C66DE8494B396C736D846DA61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1762096884.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_f3d000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • Opcode ID: 651eb50c6c71ab8e7efe9e2b07ad15a29b9c3889e99ebce97fe8aef138a1b0ed
                                                          • Instruction ID: 4b8e47fa1f3cab78e1349494b7119c2c97f4fd9a92f89d709df95d5de2a12137
                                                          • Instruction Fuzzy Hash: BC21F5B1504200DFCB18DF14E5C4B16BB65FB84734F20C569D84A4B25AC336D847DA61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1762096884.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_f3d000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • Opcode ID: d4aa16b31d7653e9c761bb92d50922c0f6bd1fbe2463d511fd6857de2ae0b683
                                                          • Instruction ID: 437544e1a76286c47c7034fc79f19344b6cc6d7ec93ebd85d0783ff2431734ca
                                                          • Instruction Fuzzy Hash: 192180755093808FCB06CF24D994715BF71EB46324F28C5EAD8498F2A7C33A980ADB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1762034400.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_f2d000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                          • Instruction ID: d9c904987faddc932053a32b693e3a36fcc80d0f57272c689c2a45d529b800eb
                                                          • Instruction Fuzzy Hash: 67110372804280CFCB06CF10D5C4B16BF71FB94328F28C6A9D8090B256C336D85ADBA2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 00000009.00000002.1762096884.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_9_2_f3d000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                          • Instruction ID: 996be3665a5de8b36d41f48cdb1adbbff3b48ad0309448b7e336a27446082e41
                                                          • Instruction Fuzzy Hash: 8C11BB75904280DFCB06CF10D9C4B16BBA1FB84324F24C6AAD8494B296C33AD80ADB61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Execution Graph

                                                          Execution Coverage: 10.5%
                                                          Dynamic/Decrypted Code Coverage: 100%
                                                          Signature Coverage: 0%
                                                          Total number of Nodes: 3
                                                          Total number of Limit Nodes: 0
                                                          • Rendered graph not reproduced; 3 nodes: 19c7ec8 -> 19c7ec9 (CheckRemoteDebuggerPresent) -> 19c7f4e

                                                          Control-flow Graph

                                                          • Rendered graph not reproduced; function spanning 7276880-727708b, with calls to 72770a0 and 7277099
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                          • API String ID: 0-2392861976
                                                          • Opcode ID: 50789d9599d1f9bb4ef2fb5645610a3d956250ca05f1073747e374989e0c1a7f
                                                          • Instruction ID: 23a36599cadfbb04c9d599d19258b95aa4d9b99980d003db506a6783251f40b3
                                                          • Instruction Fuzzy Hash: 31323E31E2061ACBCB14DF75C9545ADF7B6FFC9300F1096AAD409AB264EB30AD85CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not reproduced; in the report its blocks are colour-coded as executed or not executed.] Function entry 0x727b5a8; basic blocks span 0x727b5a8-0x727bbea; two call sites (in blocks 0x727b7f7-0x727b84e and 0x727ba52-0x727bb48) target 0x72799c8.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q
                                                          • API String ID: 0-355816377
                                                          • Opcode ID: 5f58b25ec1e4ca883bd28926096af921a3f7b0fb9000e1ad4014c8b209325375
                                                          • Instruction ID: 8e2edc04fe3b6702abcc4375d327876b06255bc92543d60ca0b59945d9a7ef5c
                                                          • Opcode Fuzzy Hash: 5f58b25ec1e4ca883bd28926096af921a3f7b0fb9000e1ad4014c8b209325375
                                                          • Instruction Fuzzy Hash: 52029CB0B102168FDB14DF68D69066EB7E2FF88314F148569D80ADB394DB35ED82CB81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 37f39902f995b920fa2451e70f21af8a8c05e394d95a1d5fb6ed1f8bcd7decf1
                                                          • Instruction ID: 619fa6045b6a35511a22acc4bc33bb6b596197e88072b8d43dbd2156517f86d6
                                                          • Opcode Fuzzy Hash: 37f39902f995b920fa2451e70f21af8a8c05e394d95a1d5fb6ed1f8bcd7decf1
                                                          • Instruction Fuzzy Hash: 9A53F771D10B1A8ACB11EB68C980699F7B1FF99300F55D79AE45877221FB70AAC4CF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 159b3803ced504a9f0f9178497d1e0d47b010ce9365a780c39a6437f9d9b56dd
                                                          • Instruction ID: 9d5f9f53d6538339257a68ee61ca605783f1131e44f6e4a27b99247522ab7727
                                                          • Opcode Fuzzy Hash: 159b3803ced504a9f0f9178497d1e0d47b010ce9365a780c39a6437f9d9b56dd
                                                          • Instruction Fuzzy Hash: 86331B71D1075A8EDB11EF68C88069DF7B1FF99300F15C69AD458AB221EB30AAD5CF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not reproduced; in the report its blocks are colour-coded as executed or not executed.] Function entry 0x72789b8; basic blocks span 0x72789b8-0x72790fa; no call nodes.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $
                                                          • API String ID: 0-3993045852
                                                          • Opcode ID: 46bbc2ee886d223bb73cf2fdcbc4cec2a517cc8b33f892033cd85fb98419423c
                                                          • Instruction ID: 3bdffe66c2b43acadbf460c6a6b46dc25d92610a63aea320959f870d2ccdc48c
                                                          • Opcode Fuzzy Hash: 46bbc2ee886d223bb73cf2fdcbc4cec2a517cc8b33f892033cd85fb98419423c
                                                          • Instruction Fuzzy Hash: C422F3B1E102169FDF25CB68C5946AEBBB2FF89310F20846AD445EB344DB35ED81CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ef9d921cd93c402f04fd40749e86a4dcada58dc1ac36885bdb99c7c6cefa9b83
                                                          • Instruction ID: 0c9f6fdcb8db5948fc472576ecef55b346b186fbb01a571bba53b82224b09cf7
                                                          • Opcode Fuzzy Hash: ef9d921cd93c402f04fd40749e86a4dcada58dc1ac36885bdb99c7c6cefa9b83
                                                          • Instruction Fuzzy Hash: F8E20B71D10B5A8EDB20EF68C940599F7B1FF99300F15D69AE448B7221EB70AAD4CF81
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7a3538b1775165d754878960e09f8b252a9a03d35e523a85e3907664c873df55
                                                          • Instruction ID: 0736f09a9915c50270a728e6d8cc51659ad3a1b6122824ed239f2a10caf9fde2
                                                          • Opcode Fuzzy Hash: 7a3538b1775165d754878960e09f8b252a9a03d35e523a85e3907664c873df55
                                                          • Instruction Fuzzy Hash: 01A23674A10606CFDB64CB68C688BADBBF2FB49314F5484A9D409AB361DB35EC85CF41
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d3ab514ec9f9d9380dd792fe4facd7b7a85aac54480c7cb9fc72aa001c11328f
                                                          • Instruction ID: 21a8da7ebf9d06365705b157ce06a6da08899b39ebeef4d04beda15e6b9a0cd7
                                                          • Opcode Fuzzy Hash: d3ab514ec9f9d9380dd792fe4facd7b7a85aac54480c7cb9fc72aa001c11328f
                                                          • Instruction Fuzzy Hash: D02292B4F1020B8FDF24CA6CD6907AEB7A6FB89310F258966E405D7355DA34DC81CB62
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not reproduced; in the report its blocks are colour-coded as executed or not executed.] Function entry 0x727ee70; basic blocks span 0x727ee70-0x727f508; two call sites (in blocks 0x727eeb3-0x727ef10 and 0x727f2ec-0x727f358) target 0x72799c8.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                                          • API String ID: 0-2392861976
                                                          • Opcode ID: 606d65c8f2eee392c558f6dedca2b92f5f02b86614852ba8b897257fc95e69b6
                                                          • Instruction ID: 947ed798cb0a7712a3f06b8a277df0fc4461b08b26ee4f108df966db8549b3a8
                                                          • Opcode Fuzzy Hash: 606d65c8f2eee392c558f6dedca2b92f5f02b86614852ba8b897257fc95e69b6
                                                          • Instruction Fuzzy Hash: 94028EB0E1420B8FDB24CB68D7906ADB7B1FB85310F20896AD415DB345DB35EC86CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not reproduced; in the report its blocks are colour-coded as executed or not executed.] Function entry 0x727c978; basic blocks span 0x727c978-0x727d2a5; no call nodes.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q$$^q$$^q
                                                          • API String ID: 0-2125118731
                                                          • Opcode ID: 02004def31fb98598292f98c7a5abddb5318dcb5f7756656d2e21b12d065b314
                                                          • Instruction ID: c7079b23055135fbb16ecd6fea9f500ef022aa12202d98d232a364790eaa2796
                                                          • Opcode Fuzzy Hash: 02004def31fb98598292f98c7a5abddb5318dcb5f7756656d2e21b12d065b314
                                                          • Instruction Fuzzy Hash: 93915070B1021A9FDB54DF75D9507AEB3FAABC9300F10956AC809EB344EA74DD828B91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not reproduced; in the report its blocks are colour-coded as executed or not executed.] Function entry 0x7277f80; basic blocks span 0x7277f80-0x72786cb; one call site (in block 0x72780ad-0x72780fa) targets 0x7278828.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: fcq$XPcq$\Ocq
                                                          • API String ID: 0-3575482020
                                                          • Opcode ID: 4513ce663a730de09771aa6a7379e724e513b577e676107096ac50fca9bda580
                                                          • Instruction ID: c9db8c366103d1e546068a7f08bcf81a64bc9938fd7c9c65883d0f3d853e036e
                                                          • Opcode Fuzzy Hash: 4513ce663a730de09771aa6a7379e724e513b577e676107096ac50fca9bda580
                                                          • Instruction Fuzzy Hash: 95619070B1021A9FEB149FA8C954BAEBAF6FF88300F20842AD505EB394DB744D41CF55
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

Control-flow Graph

[Graph image not reproduced; in the report its blocks are colour-coded as executed or not executed.] Function entry 0x727c967; basic blocks span 0x727c8b9-0x727d2a5; one call site (in block 0x727c8c5-0x727c905) targets 0x72799c8. Its blocks from 0x727c99f onward coincide with those of the function at 0x727c978 listed above.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $^q$$^q
                                                          • API String ID: 0-355816377
                                                          • Opcode ID: 9eeddc700c6cf96ea9c854d644b65c9720ed6399bf5af3241673f9923d14d252
                                                          • Instruction ID: a177aa884838235fd846f25b13527d4ad8a4f9f0858de85b4f6c88e5d2305dc0
                                                          • Opcode Fuzzy Hash: 9eeddc700c6cf96ea9c854d644b65c9720ed6399bf5af3241673f9923d14d252
                                                          • Instruction Fuzzy Hash: 92617270B102079FDB54DF74D960BAE73FAEB88240F10956AC409EB344EA34DC82CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Rendered in the original report (legend: Executed / Not Executed; not reproducible as text); basic blocks span 19c7ec0-19c7f90, and the CheckRemoteDebuggerPresent call sits in block 19c7ec9-19c7f4c.
                                                          APIs
                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 019C7F3F
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4172988639.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_19c0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: CheckDebuggerPresentRemote
                                                          • String ID:
                                                          • API String ID: 3662101638-0
                                                          • Opcode ID: 8de0b709d9e1c8624b2a824354a55e2829c8bb4d80bc37763d3f9b9a651eee0f
                                                          • Instruction ID: 9027e9c2428850acbe2c74946d6279d7298fd28bc6a4f52aee0614cec45e812b
                                                          • Opcode Fuzzy Hash: 8de0b709d9e1c8624b2a824354a55e2829c8bb4d80bc37763d3f9b9a651eee0f
                                                          • Instruction Fuzzy Hash: BB2136B2800259CFCB14CF9AD4847EEBFF4AF49320F14846AE899A7350D778A944CF61
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Rendered in the original report (legend: Executed / Not Executed; not reproducible as text); basic blocks span 19c7ec8-19c7f90, and the CheckRemoteDebuggerPresent call sits in block 19c7ec8-19c7f4c.
                                                          APIs
                                                          • CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 019C7F3F
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4172988639.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_19c0000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID: CheckDebuggerPresentRemote
                                                          • String ID:
                                                          • API String ID: 3662101638-0
                                                          • Opcode ID: fe43d76167e1c59f1577e8663432ea769bbbcc72ebfb47fbe1bec2892c859ec7
                                                          • Instruction ID: 436a9503651547c9cf04c7f8e4c757c1efb1c438e5e7ce76799694c75cba18d4
                                                          • Opcode Fuzzy Hash: fe43d76167e1c59f1577e8663432ea769bbbcc72ebfb47fbe1bec2892c859ec7
                                                          • Instruction Fuzzy Hash: CB2139B2801259CFCB14CF9AD484BEEFBF4AF49320F14846AE459A7350D778A944CF65
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%
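                                                          The two CheckRemoteDebuggerPresent entries above share one call site (ref 019C7F3F) and start at 019C7EC0 and 019C7EC8 respectively, which is why their Instruction Fuzzy Hashes agree in all but a handful of hex digits: they are the same code lifted from two entry points. The following Python is an added example by the editor, not code from the Joe Sandbox report or from Joe Security. It parses per-function records in the layout shown on this page, flags functions whose "APIs" lines name a debugger-check API, and pairs up records whose Instruction Fuzzy Hashes are near-identical. Assumptions: the record layout is inferred from this page; SAMPLE is a constructed excerpt whose field values are copied from three entries on this page with decorative lines trimmed; IsDebuggerPresent and NtQueryInformationProcess are on the watch list by assumption, since this report only shows CheckRemoteDebuggerPresent.

```python
"""Parse Joe Sandbox per-function records and flag anti-debug API use.

Editor's added example, not code from the Joe Sandbox report. The record layout
is inferred from the entries on this page; SAMPLE is a constructed excerpt whose
field values are copied from three of those entries (decorative lines trimmed).
"""
import re
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Optional, Tuple

SAMPLE = """\
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 019C7F3F
Memory Dump Source
• Source File: 0000000C.00000002.4172988639.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false
• Snapshot File: hcaresult_12_2_19c0000_PUwpftrjIH.jbxd
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: 8de0b709d9e1c8624b2a824354a55e2829c8bb4d80bc37763d3f9b9a651eee0f
• Instruction Fuzzy Hash: BB2136B2800259CFCB14CF9AD4847EEBFF4AF49320F14846AE899A7350D778A944CF61
Uniqueness Score: -1.00%
APIs
• CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 019C7F3F
• Source File: 0000000C.00000002.4172988639.00000000019C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 019C0000, based on PE: false
• API ID: CheckDebuggerPresentRemote
• Opcode ID: fe43d76167e1c59f1577e8663432ea769bbbcc72ebfb47fbe1bec2892c859ec7
• Instruction Fuzzy Hash: CB2139B2801259CFCB14CF9AD484BEEFBF4AF49320F14846AE459A7350D778A944CF65
Uniqueness Score: -1.00%
Strings
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
• API ID:
• String ID: XPcq
• Opcode ID: 81b4ecef915eeb054e3eeeeb12fb776b710ed1ef209c7a6e92ae45145c604dbb
• Instruction Fuzzy Hash: C7417F70B102099FDB159FA9C854BAEBBF6FF88700F20852AD505EB395DB748C41CB91
Uniqueness Score: -1.00%
"""

BULLET = "\u2022"  # the report prefixes each field line with a bullet
# e.g. "CheckRemoteDebuggerPresent.KERNELBASE(?,?), ref: 019C7F3F"
API_CALL_RE = re.compile(r"^(\w+)\.(\w+)\(.*\),\s*ref:\s*([0-9A-Fa-f]+)$")
FIELD_RE = re.compile(
    r"^(Source File|Snapshot File|API ID|String ID|API String ID|Opcode ID|"
    r"Instruction ID|Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$")
SCORE_RE = re.compile(r"^Uniqueness Score:\s*(-?[0-9.]+)%$")
# CheckRemoteDebuggerPresent is what this report shows; the other two are assumed.
ANTI_DEBUG_APIS = {"CheckRemoteDebuggerPresent", "IsDebuggerPresent",
                   "NtQueryInformationProcess"}


@dataclass
class FunctionRecord:
    fields: Dict[str, str] = field(default_factory=dict)
    api_calls: List[Tuple[str, str, str]] = field(default_factory=list)  # (api, module, ref)
    uniqueness: Optional[float] = None

    @property
    def source_offset(self) -> str:
        """Base address of the memory dump the function was lifted from."""
        m = re.search(r"Offset:\s*([0-9A-Fa-f]+)", self.fields.get("Source File", ""))
        return m.group(1) if m else ""


def parse_records(text: str) -> List[FunctionRecord]:
    """One record per 'Uniqueness Score' line, which terminates each entry on the page."""
    records: List[FunctionRecord] = []
    cur = FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(BULLET):
            line = line[len(BULLET):].strip()
        if (m := API_CALL_RE.match(line)):
            cur.api_calls.append((m.group(1), m.group(2), m.group(3)))
        elif (m := FIELD_RE.match(line)):
            cur.fields[m.group(1)] = m.group(2).strip()
        elif (m := SCORE_RE.match(line)):
            cur.uniqueness = float(m.group(1))
            records.append(cur)
            cur = FunctionRecord()
    return records


def flag_anti_debug(records: List[FunctionRecord]) -> List[FunctionRecord]:
    """Match on the 'APIs' call lines; the 'API ID' field is a re-ordered token
    form ('CheckDebuggerPresentRemote' on this page) and is not reliable for this."""
    return [r for r in records if any(api in ANTI_DEBUG_APIS for api, _, _ in r.api_calls)]


def nibble_distance(a: str, b: str) -> int:
    """Hamming distance over hex digits; unequal lengths count as fully different."""
    if len(a) != len(b):
        return max(len(a), len(b))
    return sum(1 for x, y in zip(a.upper(), b.upper()) if x != y)


def near_duplicates(records: List[FunctionRecord], max_distance: int) -> List[Tuple[int, int, int]]:
    """Index pairs whose Instruction Fuzzy Hashes differ in at most max_distance nibbles."""
    out = []
    for i, j in combinations(range(len(records)), 2):
        ha = records[i].fields.get("Instruction Fuzzy Hash", "")
        hb = records[j].fields.get("Instruction Fuzzy Hash", "")
        if ha and hb and (d := nibble_distance(ha, hb)) <= max_distance:
            out.append((i, j, d))
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for r in flag_anti_debug(recs):
        for api, mod, ref in r.api_calls:
            print(f"dump {r.source_offset}: {api} ({mod}) at {ref}")
    for i, j, d in near_duplicates(recs, max_distance=12):
        print(f"records {i} and {j} differ in {d} nibbles: likely the same function")
```

                                                          Matching on the "APIs" call lines rather than the "API ID" field matters: the report's API ID for this function reads CheckDebuggerPresentRemote, so a substring match on the real API name against that field would miss it. The distance threshold of 12 is a working value for the 70-digit fuzzy hashes shown on this page, not a documented Joe Sandbox cut-off.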

                                                          Control-flow Graph

                                                          Rendered in the original report (legend: Executed / Not Executed; not reproducible as text); basic blocks span 7277f71-72786cb, and block 72780ad-72780fa calls 7278828.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: XPcq
                                                          • API String ID: 0-714321711
                                                          • Opcode ID: 81b4ecef915eeb054e3eeeeb12fb776b710ed1ef209c7a6e92ae45145c604dbb
                                                          • Instruction ID: e2504e923c887c126bdacb7b32aa74bf97c2b45193ce78c932ca11ac2048b0e7
                                                          • Opcode Fuzzy Hash: 81b4ecef915eeb054e3eeeeb12fb776b710ed1ef209c7a6e92ae45145c604dbb
                                                          • Instruction Fuzzy Hash: C7417F70B102099FDB159FA9C854BAEBBF6FF88700F20852AD505EB395DB748C41CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Control-flow Graph

                                                          Rendered in the original report (legend: Executed / Not Executed; not reproducible as text); basic blocks span 7275918-7275a69.
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: PH^q
                                                          • API String ID: 0-2549759414
                                                          • Opcode ID: 683a4de6a58723416d1977b9e85160da800138016248a7ff6d8473af00d96c5f
                                                          • Instruction ID: 3f0b29aec19e318447b2fc1339ba892c25fff73f6f6e55478ac699928e039d12
                                                          • Opcode Fuzzy Hash: 683a4de6a58723416d1977b9e85160da800138016248a7ff6d8473af00d96c5f
                                                          • Instruction Fuzzy Hash: 3C31E171B00206CFCB199B75C66426FBAE7EB89610F108939D406DB384DE35DE46CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 64c296312c56575c6f964ba3ea28b3c4641ca28cc1509e5a50ef04be211ccfc4
                                                          • Instruction ID: 711306e3fd603af3eac246b91f552e499d35605ddf96f93d0ca90a5357f64d3d
                                                          • Opcode Fuzzy Hash: 64c296312c56575c6f964ba3ea28b3c4641ca28cc1509e5a50ef04be211ccfc4
                                                          • Instruction Fuzzy Hash: 2612C270B102068FDB14DB68D694BADB7F2EF89310F10856AE445DB394DB35ED82CB52
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 96f03706fb287a021c9a8a0557f9434a9b17d7f00206d260d166fb97ba9bdee1
                                                          • Instruction ID: 67deff95d3f4362545aef6705d10072f000d04d94bec25486c08b8b373eadc7e
                                                          • Opcode Fuzzy Hash: 96f03706fb287a021c9a8a0557f9434a9b17d7f00206d260d166fb97ba9bdee1
                                                          • Instruction Fuzzy Hash: 38C191B4A102068FDF14DB68D694AADB7F2FF88300F24856AD845DB394DB35ED82CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 01892b12c742e635d003082edaf4521bfb06c3fe806aa2c371a54cec1e173c28
                                                          • Instruction ID: 9e225411cb0a84671e43c091a400d453f190aa4a8c462f308fa837d413763834
                                                          • Opcode Fuzzy Hash: 01892b12c742e635d003082edaf4521bfb06c3fe806aa2c371a54cec1e173c28
                                                          • Instruction Fuzzy Hash: 2DA15D70B002168FDB18DF78C55076EB7B6EB89304F1085AAD809EB354DB35DD86CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9074982722136bd5a8c2a6fabae745908bb814994dece4cf20f642d1cf7752b7
                                                          • Instruction ID: 5570dbcc1e904ba1cefb926194eac1671e9d0627e7102ec1f936926d827043f1
                                                          • Opcode Fuzzy Hash: 9074982722136bd5a8c2a6fabae745908bb814994dece4cf20f642d1cf7752b7
                                                          • Instruction Fuzzy Hash: F9A18F70A10216CFCB24DB68D654A6DB7F2FF84324F54C569D41AAB350DB75ED82CB80
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2a01564a8681404c692a980afc1cc64eeddfa370a54ea9bdf6178fccbe140cb0
                                                          • Instruction ID: de6e8ce0d5c938beb688c5a27c85f0e537f2c253deaec79e34379d39b7486994
                                                          • Opcode Fuzzy Hash: 2a01564a8681404c692a980afc1cc64eeddfa370a54ea9bdf6178fccbe140cb0
                                                          • Instruction Fuzzy Hash: 2761E3B1F001124FCB109A7EC89456FBAD7AFC5214B15403AD80EDB364EE75ED4287C2
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 23fd5fa818676ffcdf0e94fb874d8fe56d9612b4521629462557a3041a176a15
                                                          • Instruction ID: 98dc43fc50218375778d5aff2d0699a4daf2bebf279d13d61e960b0bc6593fa0
                                                          • Opcode Fuzzy Hash: 23fd5fa818676ffcdf0e94fb874d8fe56d9612b4521629462557a3041a176a15
                                                          • Instruction Fuzzy Hash: DA815B70B102069FDB14DBB9D56466EB7E6EB89300F148529D40ADB394EA34EC82CB92
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b8a0b09bedd0f5249a2d32cbd1e9ae9aaa69802c4a1304ab6c588dc766f71afe
                                                          • Instruction ID: dd58e07d3e16c7c5eec8719a4edf3fd31e02fde7d9bdac7a7c37b5efcd688cfd
                                                          • Opcode Fuzzy Hash: b8a0b09bedd0f5249a2d32cbd1e9ae9aaa69802c4a1304ab6c588dc766f71afe
                                                          • Instruction Fuzzy Hash: 2D914D70E1021A8FDF20DF68C990B9DB7B1FF89310F208599D549AB355DB70AA85CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5854ed2c2c18d6a7c3b66bcca650fec35ab8cb0209be3331042b490cf516714d
                                                          • Instruction ID: 0e02e0f25021476cf2c017763b1196dca7f7848cc4ad35007aed21e3f6622180
                                                          • Opcode Fuzzy Hash: 5854ed2c2c18d6a7c3b66bcca650fec35ab8cb0209be3331042b490cf516714d
                                                          • Instruction Fuzzy Hash: CF718C71E1031BCFCB15DFA8C5506AEB7A2FF88304F108669D409AB354EB74E986CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ae7713b21b8b46b2675a904339b57e9f4b4e528d1179f08f49198955049d12f5
                                                          • Instruction ID: 605c7c1cfbe069dc54085f229b4b81248cc0e431d9918f4abea60fa88b7608fd
                                                          • Opcode Fuzzy Hash: ae7713b21b8b46b2675a904339b57e9f4b4e528d1179f08f49198955049d12f5
                                                          • Instruction Fuzzy Hash: 94913C70E1021A8BDF20DF68C990B9DB7B1FF89310F208599D549BB354EB70AA85CF91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5a859e86ec98e831d8071e5aadc521be1cfda20a129cd690fda07dc00eb51319
                                                          • Instruction ID: 40ffe9a0cadb40a4ae7ef351f3ef67a9dc9449f9cb9e0d309f1169c1f74ca997
                                                          • Opcode Fuzzy Hash: 5a859e86ec98e831d8071e5aadc521be1cfda20a129cd690fda07dc00eb51319
                                                          • Instruction Fuzzy Hash: B2417EB1A1060BCFDB20CEA9C985AAFFBF2EB45310F10492AD146D7640D731E945CB91
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6c5ebbd245d11cd0939183a1d2ba45802fb47c7706fba4c402ccc14ee33e0f0a
                                                          • Instruction ID: 5e90802c216fbc7c73b70f228e00fa71e8a5292fea2060f87dd3f8b8d4fb6912
                                                          • Opcode Fuzzy Hash: 6c5ebbd245d11cd0939183a1d2ba45802fb47c7706fba4c402ccc14ee33e0f0a
                                                          • Instruction Fuzzy Hash: 2B317070E1020A9FCB15CFA6D95469EF7B2FF89300F148529E816EB350EB70AC86CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 719f5709041949eb86878996dd2544696158d30f5d454e55366ccc925a31cc8e
                                                          • Instruction ID: 4675532d900bd38f8e6edb8c9c120fc240916069a3477bbfc2116822469fe54f
                                                          • Opcode Fuzzy Hash: 719f5709041949eb86878996dd2544696158d30f5d454e55366ccc925a31cc8e
                                                          • Instruction Fuzzy Hash: EE313C70E1021A9BCB15CFA6D55469EF7F2FF89300F148929E816EB354EB70AC86CB51
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 76c3c1e48bcdc9d786c6f90b68a1da66eae4b95cb7f8b818a0013dd3e9088abb
                                                          • Instruction ID: 670bd849e51147d160babc48b30efdf9bb0549a86f6d57f0b6862ad65b8a36ca
                                                          • Opcode Fuzzy Hash: 76c3c1e48bcdc9d786c6f90b68a1da66eae4b95cb7f8b818a0013dd3e9088abb
                                                          • Instruction Fuzzy Hash: 5031E1B1F102169FDB11CFB9D980AAEBBF5EB4A310F108266E804E7390E730D941CB95
                                                          Uniqueness

                                                          Uniqueness Score: -1.00%

                                                          Memory Dump Source
                                                          • Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
                                                          Similarity
                                                          • API ID:
• String ID:
• API String ID:
• Opcode ID: 24a496f0a7f6f93e0f17f0e7bd580b8b09bba9330c0838a97d47a3ccee1eda6c
• Instruction ID: 3f59ff789ac6b383d4efd996a189950ffdca03d6ae89668ff53cccccb46aced2
• Opcode Fuzzy Hash: 24a496f0a7f6f93e0f17f0e7bd580b8b09bba9330c0838a97d47a3ccee1eda6c
• Instruction Fuzzy Hash: 3E2177B5F102169FDB10CFB9D980AAEBBF5EB48710F10922AE904E7380E734D941CB95
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4170909080.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_183d000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: eb2df04ce44d45230a2b8f5c822493ba035b48b761b1b0e94d8505c257b61554
• Instruction ID: ad23cafebc6f88544868fb87ac798af55871d5ceb011c8a4f41852f1c8c7a362
• Opcode Fuzzy Hash: eb2df04ce44d45230a2b8f5c822493ba035b48b761b1b0e94d8505c257b61554
• Instruction Fuzzy Hash: F7214271104204DFCB01DF68C9C0B26FBA5FBC4718F68CA6DE8098B252C73AD446CAA1
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ef6b9157aa3522d9bfcf1b021f852faab46f507aa2d96daba21554cff5b90ca
• Instruction ID: da6671c17af231900e26e540af5191c285bc58f7be5f45a931282afe5ab09836
• Opcode Fuzzy Hash: 6ef6b9157aa3522d9bfcf1b021f852faab46f507aa2d96daba21554cff5b90ca
• Instruction Fuzzy Hash: C1218170B2011A9BDF14DA6DEA5069EB7B6EB84320F14C525E405D7340DB34DD42CBD5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37a9badc587e65f7ba1648f5b7286eeb0e5899e03c47bd18fd0d6448fe3b3aa6
• Instruction ID: 1ee3370343a5860a5e50ac09199dc6a93ea670498fd0d208706a2be80e8b903d
• Opcode Fuzzy Hash: 37a9badc587e65f7ba1648f5b7286eeb0e5899e03c47bd18fd0d6448fe3b3aa6
• Instruction Fuzzy Hash: AE11C672B101165BDB189A78DD206EE7BEAEBC8310F04457AD409DB344EE748C478786
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 59b35eb35a26162b39adfafce10b8ab4d2be66791f06654548550fd27b14bad9
• Instruction ID: d0ab7314791a27746f49a2164d6d52a31da77680c039840b7662b57ebc66e79e
• Opcode Fuzzy Hash: 59b35eb35a26162b39adfafce10b8ab4d2be66791f06654548550fd27b14bad9
• Instruction Fuzzy Hash: 850192707001531FDB21967EA91476ABBEBCFCA710F28C42AE509C734AE975CC4283A6
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebf2aa16b9ccbe0559959cd24294ac0d93ff59aea1f329cc86105a563166ccf3
• Instruction ID: ade348f167a70a8e9f8b2f2b060d825af8780d1be046bad0dc4999c7e5047d32
• Opcode Fuzzy Hash: ebf2aa16b9ccbe0559959cd24294ac0d93ff59aea1f329cc86105a563166ccf3
• Instruction Fuzzy Hash: B911A531B101295BDB189A78C924AAF77FAEBC8714F004536C40AE7344EE75DC028B92
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f38592223f36249e3d60bc7cf7b2c65935e07853f1f3fd957fb1914f6996a642
• Instruction ID: 57e078b182aaa1adcd523b8f4140f2113853151b43fc7d300aff39ebccec8692
• Opcode Fuzzy Hash: f38592223f36249e3d60bc7cf7b2c65935e07853f1f3fd957fb1914f6996a642
• Instruction Fuzzy Hash: 4121C3B5901259EFCB10DF9AD984ACEFFB8FB49320F10852AE958A7200D3746544CFA5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ddad3e76c7a3719f6e363fe5fb740f820800bd315fed1791ee308125523bf7e
• Instruction ID: a60eafc84db8496d65830c1c7d3bae5398cdce206c68e00bf4c3baae665c9835
• Opcode Fuzzy Hash: 6ddad3e76c7a3719f6e363fe5fb740f820800bd315fed1791ee308125523bf7e
• Instruction Fuzzy Hash: 7001FC707101136FCB11DA3DE96476ABBE6EF8A720F14556AE40AC7341EA34DC42C796
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4170909080.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_183d000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction ID: 0b32a99ac848766dbd43268ebc53c453416777767740fb27b3be532d0e39f187
• Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
• Instruction Fuzzy Hash: 3511D075504244CFDB12CF54C5C4B15FF61FB84314F28C6A9D8498B252C33AD54ACF91
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9ba412c38a2eab7ff7b03e0124514a13fdbb4458376a9e4a83e851248178aa9
• Instruction ID: b5cd582662afa3a7f2ad8433668164f5d98e43674996d6267c00339abfc3e49e
• Opcode Fuzzy Hash: b9ba412c38a2eab7ff7b03e0124514a13fdbb4458376a9e4a83e851248178aa9
• Instruction Fuzzy Hash: 2101BC31B1120A5BEB248AB4EC607EB777AEB85314F1005BBC50ED7340DA319D828BE2
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 05cd8a374dd67a55d10f4fa68d664541933238a129f18e031d3674522d2b4ff2
• Instruction ID: fdfd3f2c1d33913118036274397f78f8ed8c7c28ef75f8bc7ad40c72266494d8
• Opcode Fuzzy Hash: 05cd8a374dd67a55d10f4fa68d664541933238a129f18e031d3674522d2b4ff2
• Instruction Fuzzy Hash: F411C2B1D01219AFCB00DF9AD984ACEFFB4FB49320F10852AE918A7300C374A544CFA5
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 883107e2883a081fe50189c3305eec9403f0021683f3c93a85d44b03681b5db5
• Instruction ID: 4218d89cc040745421d6021e77e446a425fd90e26a30e08750549dfb0d598571
• Opcode Fuzzy Hash: 883107e2883a081fe50189c3305eec9403f0021683f3c93a85d44b03681b5db5
• Instruction Fuzzy Hash: 31016D71B101121BDB24996EE51472AB2DBDBC9720F24C43DE50EC7348E975DC428396
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab254321f5e71d176fac2329257bb09d8a69d8416ce34dd0909c6330ae2d44eb
• Instruction ID: 57e79d6e0963f7c25a5adbebd88cbafaae7a9aa6061d6ebb8ccc61ebd585cc59
• Opcode Fuzzy Hash: ab254321f5e71d176fac2329257bb09d8a69d8416ce34dd0909c6330ae2d44eb
• Instruction Fuzzy Hash: B401A4707100125FDB24DA3DE96072AB3DAEF89720F10A539E50ECB344EA35EC428785
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 64e00c1b02fcea054a964aba6b38a513bd4b107acb11f43cadafc888d8e8b1f5
• Instruction ID: 94cf1d13ca040c3b925694c68d7569ba3cf6e5d5713e6b10be66325f36f7ed9e
• Opcode Fuzzy Hash: 64e00c1b02fcea054a964aba6b38a513bd4b107acb11f43cadafc888d8e8b1f5
• Instruction Fuzzy Hash: 2DE09BB0D1734A6FDB11DAB0CA0579A7BA99B03108F1484E6D448CB242D675DA45C791
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-2222239885
• Opcode ID: fd540ded7b52a3903574d058d5f0ea1f81d0a118f8c79c5ff5c30b63b31a948d
• Instruction ID: 354068ed885f942696ee224229fce1b1d81c8032502a5e184095230275e68476
• Opcode Fuzzy Hash: fd540ded7b52a3903574d058d5f0ea1f81d0a118f8c79c5ff5c30b63b31a948d
• Instruction Fuzzy Hash: 7F123EB0E1021ACFDB24DF69C954AAEB7F2BF89704F208569D409AB354DB319D85CF81
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-3823777903
• Opcode ID: 908ffeb9777e239dbc5c0a92fb6d1f70de6dc4198599acd7ad7566ef987ca2c3
• Instruction ID: b278d3abf5c6ab733fdb22fc5b0867527b47e7605065b68eb01260aff7f27131
• Opcode Fuzzy Hash: 908ffeb9777e239dbc5c0a92fb6d1f70de6dc4198599acd7ad7566ef987ca2c3
• Instruction Fuzzy Hash: 6691FFB0E2020ADFDB28DF64DA54B6EBBB2FF84704F118569E4019B350CB749C45CBA0
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-3823777903
• Opcode ID: 1edae186ddc62a0bb97e9bbc666c6cbb732b33878b9170619821ba261a2c3fe9
• Instruction ID: b4eb22e09dfe2d5fe1ac061aca9c8a939a589e782ca3c54a6c65c7306c39bc45
• Opcode Fuzzy Hash: 1edae186ddc62a0bb97e9bbc666c6cbb732b33878b9170619821ba261a2c3fe9
• Instruction Fuzzy Hash: 3551C170F2020A8FCB29DB68D69466EB7B2EF88310F2585AED405DB354EB34DC45CB61
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
• API String ID: 0-390881366
• Opcode ID: 3ca64d7f051bb461c620951b0588b15eaaab8401fa1791d1b96292c733bb25b0
• Instruction ID: 52068d677a5f32002406b3dec01b4ac838ecdc5ac5faa19023ba5538955220aa
• Opcode Fuzzy Hash: 3ca64d7f051bb461c620951b0588b15eaaab8401fa1791d1b96292c733bb25b0
• Instruction Fuzzy Hash: ECF16B74B1120ACFCB19DF68D594A6EB7B6FF88310F248569D4459B3A4CB35EC82CB81
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: 70743b793b8946abe6a431bdf4ce551f98e307ab0206ab2cc0eafdb5481f78a1
• Instruction ID: fc532eb4d4a858a48e933fd1fd05b259d73dcedb34cac5d6d35951da8af64f36
• Opcode Fuzzy Hash: 70743b793b8946abe6a431bdf4ce551f98e307ab0206ab2cc0eafdb5481f78a1
• Instruction Fuzzy Hash: 18B15BB0A1020ACFDB18DF68D69466EB7B2FF88704F248529E409DB354DB34DC86CB81
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID: LR^q$LR^q$$^q$$^q
• API String ID: 0-2454687669
• Opcode ID: 1e749080851d25882064660c9e6b7eee5b38d9e93e3e8cea9349650655c03824
• Instruction ID: 928f606e513a326cd61f0c7935f539497db5e599220d65ed12f86588479aa987
• Opcode Fuzzy Hash: 1e749080851d25882064660c9e6b7eee5b38d9e93e3e8cea9349650655c03824
• Instruction Fuzzy Hash: 2C51D5707102028FCB18DF78DA54A6EB7EAFF89700F149569D8059B355DB35EC84CBA1
Uniqueness
• Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
Similarity
• API ID:
• String ID: $^q$$^q$$^q$$^q
• API String ID: 0-2125118731
• Opcode ID: b2362b16e50a6e162e73c728f7ad3abdfb5254f266f6bb8b093dc1dae5e5a021
• Instruction ID: 4065ed35c3953db275e522c6fc15ed8ed4543b896237492e1bfb35a8c986d637
• Opcode Fuzzy Hash: b2362b16e50a6e162e73c728f7ad3abdfb5254f266f6bb8b093dc1dae5e5a021
• Instruction Fuzzy Hash: 2A51B4B0E2020A8FCF25DB68D69066EB7B6FF89310F1585AAD805DB354DB35DC41CB61
Uniqueness
• Uniqueness Score: -1.00%
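Every function above was lifted from one of two memory dumps of PID 0xC (12), both with a protection field of 00000040 and "based on PE: false", which is the signature of code that was unpacked or injected into memory rather than loaded from an image on disk. The Python below is an added example, not code from Joe Sandbox or from this report: it parses the bullet fields of entries like the ones above, groups the functions by the .sdmp dump they came from, decodes the protection value against the Windows PAGE_* constants, cross-checks the .sdmp name against the .jbxd snapshot name, and flags executable regions that are not PE-backed. The field layout of both file names, and the reading of the fifth and seventh .sdmp fields as MEMORY_BASIC_INFORMATION Protect and Type, are assumptions inferred from the entries on this page, not documented Joe Sandbox behaviour; the sample input is constructed from three of the entries above with the header lines dropped.

```python
"""Group Joe Sandbox IDA-plugin function entries by memory dump and triage the
regions (added example; the .sdmp / .jbxd name layouts are assumptions)."""
import re

# PAGE_* protection constants from winnt.h; any bit in 0xF0 means executable.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed .sdmp layout: PID.snapshot.uid.base.protect.f6.type.f8.sdmp (all hex
# except uid). protect/type are read as MEMORY_BASIC_INFORMATION.Protect/.Type;
# f6 and f8 are kept raw because their meaning is not stated anywhere on the page.
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-F]{8})\.(?P<snap>[0-9A-F]{8})\.(?P<uid>\d+)\.(?P<base>[0-9A-F]{16})"
    r"\.(?P<protect>[0-9A-F]{8})\.(?P<f6>[0-9A-F]{8})\.(?P<type>[0-9A-F]{8})"
    r"\.(?P<f8>[0-9A-F]{8})\.sdmp$", re.IGNORECASE)
# Assumed .jbxd layout: hcaresult_<pid dec>_<snapshot dec>_<base hex>_<tag>.jbxd
JBXD_RE = re.compile(r"^hcaresult_(?P<pid>\d+)_(?P<snap>\d+)_(?P<base>[0-9a-f]+)_\w+\.jbxd$", re.I)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
SOURCE_RE = re.compile(r"^(?P<name>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), based on PE: (?P<pe>true|false)")


def parse_dump_name(name):
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised dump name: {name}")
    return {"pid": int(m["pid"], 16), "snapshot": int(m["snap"], 16),
            "base": int(m["base"], 16), "protect": int(m["protect"], 16),
            "mem_type": int(m["type"], 16)}


def snapshot_matches(fields, jbxd_name):
    """The .jbxd name repeats pid, snapshot and base; check that it agrees with the .sdmp name."""
    m = JBXD_RE.match(jbxd_name or "")
    return bool(m) and (int(m["pid"]), int(m["snap"]), int(m["base"], 16)) == (
        fields["pid"], fields["snapshot"], fields["base"])


def parse_report(text):
    """Walk the bullet fields and group per-function entries by their source dump."""
    regions, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue  # headers such as "Memory Dump Source" carry no data
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Source File":
            s = SOURCE_RE.match(val)
            if not s:
                raise ValueError(f"unexpected Source File line: {val}")
            current = regions.setdefault(s["name"], {
                **parse_dump_name(s["name"]), "offset": int(s["off"], 16),
                "pe_backed": s["pe"] == "true", "snapshot_file": None,
                "functions": [], "strings": []})
        elif current is None:
            continue
        elif key == "Snapshot File":
            current["snapshot_file"] = val
        elif key == "Opcode ID":
            current["functions"].append(val)
        elif key == "String ID" and val:  # "API String ID" is a different key
            current["strings"].append(val)
    return regions


def triage(regions):
    """Executable memory that is not backed by a PE image is where unpacked or
    injected code lives; flag it and count the functions lifted from it."""
    out = {}
    for name, r in regions.items():
        executable = bool(r["protect"] & 0xF0)
        out[name] = {
            "pid": r["pid"], "base": hex(r["base"]),
            "protect": PAGE_PROTECT.get(r["protect"] & 0xFF, hex(r["protect"])),
            "mem_type": MEM_TYPE.get(r["mem_type"], hex(r["mem_type"])),
            "pe_backed": r["pe_backed"],
            "snapshot_consistent": snapshot_matches(r, r["snapshot_file"]),
            "function_count": len(r["functions"]),
            "distinct_strings": len(set(r["strings"])),
            "verdict": ("executable non-image memory: likely unpacked or injected code"
                        if executable and not r["pe_backed"] else "no finding"),
        }
    return out


# Constructed input: bullet fields copied from three entries on this page; the
# header lines are omitted because the parser keys on the bullet fields only.
SAMPLE = """\
• Source File: 0000000C.00000002.4170909080.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
• Snapshot File: hcaresult_12_2_183d000_PUwpftrjIH.jbxd
• String ID:
• Opcode ID: eb2df04ce44d45230a2b8f5c822493ba035b48b761b1b0e94d8505c257b61554
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
• String ID:
• Opcode ID: 6ef6b9157aa3522d9bfcf1b021f852faab46f507aa2d96daba21554cff5b90ca
• Source File: 0000000C.00000002.4184275333.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
• Snapshot File: hcaresult_12_2_7270000_PUwpftrjIH.jbxd
• String ID: $^q$$^q$$^q$$^q
• Opcode ID: 70743b793b8946abe6a431bdf4ce551f98e307ab0206ab2cc0eafdb5481f78a1
"""

if __name__ == "__main__":
    for finding in triage(parse_report(SAMPLE)).values():
        print(finding["pid"], finding["base"], finding["protect"], finding["verdict"])
```

Run against the full report text, the same grouping tells you at a glance which dumps to pull into IDA first: the region with the most functions and executable, non-image protection is normally the unpacked payload, while a mismatch between the .sdmp and .jbxd names is a sign the listing was assembled from different analysis runs.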