
Windows Analysis Report
sZXuT60Q6P.exe

Overview

General Information

Sample name: sZXuT60Q6P.exe (renamed because original name is a hash value)
Original sample name: 94f2ae1b5174532d81d5ea169b7f7726.exe
Analysis ID: 1430171
MD5: 94f2ae1b5174532d81d5ea169b7f7726
SHA1: a6f144862293920e5376e5b53a1723502c9de2fb
SHA256: d1b0b9a6b80f54be2a14ff19f3bd682185848d92443fa555a08cb07fa630a230
Tags: 32, exe, Formbook

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code references suspicious native API functions
Check if machine is in data center or colocation facility
Contains functionality to capture screen (.Net source)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • sZXuT60Q6P.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\sZXuT60Q6P.exe" MD5: 94F2AE1B5174532D81D5EA169B7F7726)
    • powershell.exe (PID: 3176 cmdline: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\sZXuT60Q6P.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegAsm.exe (PID: 3668 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • svchost.exe (PID: 5908 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "gator3220.hostgator.com", "Username": "zt22@qlststv.com", "Password": "28#75@ts76#V1F8h"}
Source | Rule | Description | Author
00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.4483187709.0000000002884000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(5 entries)

Source | Rule | Description | Author
4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
4.2.RegAsm.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
4.2.RegAsm.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x33e4d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x33ebf:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33f49:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x33fdb:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x34045:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x340b7:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3414d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x341dd:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.sZXuT60Q6P.exe.3c622a0.3.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(14 entries; first 5 shown)

                    System Summary

Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\sZXuT60Q6P.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe', CommandLine: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\sZXuT60Q6P.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\sZXuT60Q6P.exe", ParentImage: C:\Users\user\Desktop\sZXuT60Q6P.exe, ParentProcessId: 6696, ParentProcessName: sZXuT60Q6P.exe, ProcessCommandLine: "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\sZXuT60Q6P.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe', ProcessId: 3176, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5908, ProcessName: svchost.exe
No Snort rule has matched

                    AV Detection

Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: 4.2.RegAsm.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "gator3220.hostgator.com", "Username": "zt22@qlststv.com", "Password": "28#75@ts76#V1F8h"}
Source: sZXuT60Q6P.exe | ReversingLabs: Detection: 18%
Source: sZXuT60Q6P.exe | Virustotal: Detection: 35%
Source: sZXuT60Q6P.exe | Joe Sandbox ML: detected
Source: sZXuT60Q6P.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: sZXuT60Q6P.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb | source: sZXuT60Q6P.exe, 00000000.00000002.2029162979.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, sZXuT60Q6P.exe, 00000000.00000002.2034346118.0000000005490000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000002.00000002.2038802597.0000000003567000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb3 | source: powershell.exe, 00000002.00000002.2048506249.0000000007C92000.00000004.00000020.00020000.00000000.sdmp

                    Networking

Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3b9b420.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3b4adf0.4.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 104.26.12.205
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: unknown | DNS traffic detected: queries for: api.ipify.org
Source: RegAsm.exe, 00000004.00000002.4483187709.00000000028FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
Source: svchost.exe, 00000005.00000002.3637582487.000001876F400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.5.dr | String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.5.dr | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000002.00000002.2040580784.000000000561D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://go.micros
Source: RegAsm.exe, 00000004.00000002.4483187709.0000000002920000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002871000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002937000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002920000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002871000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: powershell.exe, 00000002.00000002.2045407904.00000000061D5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000002.00000002.2040580784.0000000005171000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: RegAsm.exe, 00000004.00000002.4498237173.0000000005C3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.
Source: sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: powershell.exe, 00000002.00000002.2040580784.0000000005171000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBhq
Source: powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: RegAsm.exe, 00000004.00000002.4483187709.00000000028F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipif8
Source: sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegAsm.exe, 00000004.00000002.4483187709.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegAsm.exe, 00000004.00000002.4483187709.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/T
Source: RegAsm.exe, 00000004.00000002.4483187709.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/p
Source: RegAsm.exe, 00000004.00000002.4483187709.0000000002821000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.00000000028E4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: powershell.exe, 00000002.00000002.2045407904.00000000061D5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2045407904.00000000061D5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2045407904.00000000061D5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000005.00000003.2027291394.000001876F1A0000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.5.dr, edb.log.5.dr | String found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
Source: sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, sZXuT60Q6P.exe, 00000000.00000002.2034102813.0000000005430000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/sam210723/goesrecv-monitor/releases/latest
Source: powershell.exe, 00000002.00000002.2045407904.00000000061D5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: qmgr.db.5.dr | String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, sZXuT60Q6P.exe, 00000000.00000002.2034102813.0000000005430000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://vksdr.com/goesrecv-monitor
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.5:49707 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: sZXuT60Q6P.exe, ScreenCapturePInvoke.cs | .Net Code: CaptureScreen
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, NDL2m67zO.cs | .Net Code: MMM4IwC2IS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.sZXuT60Q6P.exe.3b9b420.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.sZXuT60Q6P.exe.3b4adf0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_02933CF4
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_02932448
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_0293246B
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_0293DAFC
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_04F903F0
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_04F903E0
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_04F9EC78
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_04FF54D0
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_04FF25C0
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_04FFD380
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_04FFAE98
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_04FF786A
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_04FF3818
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_04FF6960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00F8B77C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00F84AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00F83EA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00F8AF30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00F841F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06603078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06603E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_066055C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06600040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06604ED8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06609EA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_06609EA8
Source: sZXuT60Q6P.exe, 00000000.00000002.2027600254.0000000000DDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs sZXuT60Q6P.exe
Source: sZXuT60Q6P.exe, 00000000.00000002.2029162979.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameBienvenida.exe6 vs sZXuT60Q6P.exe
Source: sZXuT60Q6P.exe, 00000000.00000002.2029162979.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename1f940a0d-a27b-4ffe-9f6f-6b985da4c6d6.exe4 vs sZXuT60Q6P.exe
Source: sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamegoesrecv.dllB vs sZXuT60Q6P.exe
Source: sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename1f940a0d-a27b-4ffe-9f6f-6b985da4c6d6.exe4 vs sZXuT60Q6P.exe
Source: sZXuT60Q6P.exe, 00000000.00000000.2004807672.0000000000703000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameESET.exe, vs sZXuT60Q6P.exe
Source: sZXuT60Q6P.exe, 00000000.00000002.2034346118.0000000005490000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameBienvenida.exe6 vs sZXuT60Q6P.exe
Source: sZXuT60Q6P.exe, 00000000.00000002.2034102813.0000000005430000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenamegoesrecv.dllB vs sZXuT60Q6P.exe
Source: sZXuT60Q6P.exe | Binary or memory string: OriginalFilenameESET.exe, vs sZXuT60Q6P.exe
Source: sZXuT60Q6P.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.sZXuT60Q6P.exe.3b9b420.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.sZXuT60Q6P.exe.3b4adf0.4.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: sZXuT60Q6P.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.sZXuT60Q6P.exe.5430000.5.raw.unpack, ConstellationPanel.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, OTWUo99bfyR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, OTWUo99bfyR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, Ui9qhZiA7.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, Ui9qhZiA7.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, BqMB7yHhrXg.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.sZXuT60Q6P.exe.5430000.5.raw.unpack, Symbols.cs | Base64 encoded string: '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', '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
Source: 0.2.sZXuT60Q6P.exe.3b9b420.2.raw.unpack, Symbols.cs | Base64 encoded string: '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', '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
Source: 0.2.sZXuT60Q6P.exe.3b4adf0.4.raw.unpack, Symbols.cs | Base64 encoded string: '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', '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
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/11@2/3
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sZXuT60Q6P.exe.log
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1868:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2oeooidd.gzn.ps1
Source: sZXuT60Q6P.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: sZXuT60Q6P.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: RegAsm.exe, 00000004.00000002.4483187709.0000000002962000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002950000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: sZXuT60Q6P.exeReversingLabs: Detection: 18%
                    Source: sZXuT60Q6P.exeVirustotal: Detection: 35%
                    Source: unknownProcess created: C:\Users\user\Desktop\sZXuT60Q6P.exe "C:\Users\user\Desktop\sZXuT60Q6P.exe"
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\sZXuT60Q6P.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                    Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\sZXuT60Q6P.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'Jump to behavior
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: amsi.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Section loaded: dwrite.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kdscli.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasapi32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasman.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rtutils.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: sZXuT60Q6P.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: sZXuT60Q6P.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: C:\Users\GT350\source\repos\AtllasRunp\AtllasRunp\obj\Debug\Bienvenida.pdb source: sZXuT60Q6P.exe, 00000000.00000002.2029162979.0000000002AA1000.00000004.00000800.00020000.00000000.sdmp, sZXuT60Q6P.exe, 00000000.00000002.2034346118.0000000005490000.00000004.08000000.00040000.00000000.sdmp
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2038802597.0000000003567000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb3 source: powershell.exe, 00000002.00000002.2048506249.0000000007C92000.00000004.00000020.00020000.00000000.sdmp
                    Source: sZXuT60Q6P.exe | Static PE information: 0x83DBA3F9 [Tue Feb 7 06:40:57 2040 UTC]
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Code function: 0_2_04FF1218 pushad ; ret 0_2_04FF1219
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_037B12F8 push ebx; iretd 2_2_037B131A
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E433B3 push FFFFFF8Bh; retf 2_2_07E433BC
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E40959 push FFFFFF8Bh; iretd 2_2_07E4095B
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_07E40920 push FFFFFF8Bh; iretd 2_2_07E40922
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00F80B4D push edi; ret 4_2_00F80CC2
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_0660F372 push es; ret 4_2_0660F380
                    Source: sZXuT60Q6P.exe | Static PE information: section name: .text entropy: 7.950055534042309

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (119 identical entries in the report)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX (60 identical entries in the report)

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: sZXuT60Q6P.exe PID: 6696, type: MEMORYSTR
                    Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive (ip-api.com's "hosting" field reports whether the caller's public IP belongs to a hosting or data-center range; this is the "Check if machine is in data center or colocation facility" signature)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: sZXuT60Q6P.exe, 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002884000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.4483187709.0000000002937000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL (SbieDll.dll is the DLL Sandboxie injects into sandboxed processes; checking whether it is loaded is a standard sandbox check)
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Memory allocated: 2840000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Memory allocated: 2AA0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exe | Memory allocated: 2840000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: CB0000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2820000 memory reserve | memory write watch
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 4920000 memory reserve | memory write watch (MEM_WRITE_WATCH reservations are also how the .NET GC tracks dirty heap pages on Windows, so on their own they are weak evidence of evasion)
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Thread delayed: delay time (50 entries, decrementing): 600000, 599875, 599766, 599656, 599547, 599437, 599328, 599219, 599094, 598985, 598860, 598735, 598610, 598485, 598360, 598235, 598110, 597985, 597860, 597735, 597610, 597485, 597360, 597235, 597110, 596985, 596860, 596735, 596610, 596485, 596360, 596235, 596110, 595985, 595860, 595735, 595610, 595463, 595360, 595250, 595141, 595016, 594891, 594781, 594672, 594563, 594438, 594313, 594203, 594094
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 7064
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2498
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Window / User API: threadDelayed 7460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Window / User API: threadDelayed 2361
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe TID: 5880; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2140; Thread sleep count: 7064 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1788; Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2140; Thread sleep count: 2498 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5832; Thread sleep count: 36 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5832; Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5832; Thread sleep time (50 entries, each >= -30000s): -600000s, -599875s, -599766s, -599656s, -599547s, -599437s, -599328s, -599219s, -599094s, -598985s, -598860s, -598735s, -598610s, -598485s, -598360s, -598235s, -598110s, -597985s, -597860s, -597735s, -597610s, -597485s, -597360s, -597235s, -597110s, -596985s, -596860s, -596735s, -596610s, -596485s, -596360s, -596235s, -596110s, -595985s, -595860s, -595735s, -595610s, -595463s, -595360s, -595250s, -595141s, -595016s, -594891s, -594781s, -594672s, -594563s, -594438s, -594313s, -594203s, -594094s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6984; Thread sleep count: 7460 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6984; Thread sleep count: 2361 > 30
Source: C:\Windows\System32\svchost.exe TID: 5264; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6396; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe; File opened: PhysicalDrive0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: RegAsm.exe, 00000004.00000002.4483187709.0000000002937000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: VMware
Source: powershell.exe, 00000002.00000002.2038802597.0000000003567000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: VBranchCaMSFT_NetEventVmNetworkAdatper.format.ps1xml
Source: powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Remove-NetEventVmNetworkAdapter
Source: RegAsm.exe, 00000004.00000002.4483187709.0000000002937000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: vmware
Source: powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Add-NetEventVmNetworkAdapter
Source: svchost.exe, 00000005.00000002.3637582487.000001876F41F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3637704790.000001876F45B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.3637038791.0000018769C2B000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000004.00000002.4498237173.0000000005C26000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+
Source: RegAsm.exe, 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp; Binary or memory string: VMwareVBox
Source: powershell.exe, 00000002.00000002.2040580784.00000000052C6000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Get-NetEventVmNetworkAdapter
Source: powershell.exe, 00000002.00000002.2038802597.0000000003567000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: FcheSecondaryMSFT_NetEventVmNetworkAdatper.cdxml
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation
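Added example (not part of the Joe Sandbox report): a small Python scorer that reads evidence lines shaped like the entries above and summarises, per process, the long and effectively infinite delays, the sleep loops, the hardware-identity WMI classes queried and the VM-vendor strings found in memory. Two readings are built in and are this example's assumptions rather than the report's: the delay value 922337203685477 is .NET TimeSpan.MaxValue expressed in milliseconds ((2^63 - 1) ticks / 10000), so it is counted as an indefinite wait rather than a timed sleep; and the "Thread sleep time" values, which the report suffixes with s, are treated as the same millisecond magnitudes as the "Thread delayed" values (600000 = 10 minutes). The sample lines inside the block are constructed copies of the shapes above, and the processes passed as sample-controlled are the sample itself, RegAsm.exe and powershell.exe, so that "Hyper-V RAW" in svchost.exe (the Hyper-V socket provider name from mswsock.dll, as the RegAsm.exe entry above also shows) is not counted as a VM check.

```python
"""Score Joe Sandbox-style evidence lines for sandbox-evasion behaviour.

Added example, not part of the report. Parses lines shaped like the report's
"Thread delayed", "Thread sleep time/count", "WMI Queries" and "Binary or
memory string" entries. Field names, thresholds and verdict rule are its own.
"""
import re
from collections import defaultdict

LONG_SLEEP_MS = 3 * 60 * 1000            # the report's "long sleeps (>= 3 min)" bar
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000  # .NET TimeSpan.MaxValue in ms: wait forever
# Hardware-identity WMI classes routinely read for VM detection.
VM_WMI_CLASSES = {"Win32_BaseBoard", "Win32_ComputerSystem", "Win32_Processor",
                  "Win32_BIOS", "Win32_VideoController", "Win32_NetworkAdapter",
                  "Win32_DiskDrive"}
# No bare "vm": it would match the benign *-NetEventVmNetworkAdapter cmdlet
# names that powershell.exe keeps in memory.
VM_STRINGS = ("vmware", "vbox", "virtualbox", "hyper-v", "qemu", "xen", "sandboxie")

SOURCE_RE = re.compile(r"^Source:\s*([^\s,]+?\.exe)", re.I)
DELAY_RE = re.compile(r"Thread delayed: delay time:\s*(\d+)")
SLEEP_TIME_RE = re.compile(r"Thread sleep time:\s*-(\d+)s")
SLEEP_COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)\s*>\s*30")
WMI_RE = re.compile(r"WMI Queries:.*?(Win32_\w+)")
MEMSTR_RE = re.compile(r"Binary or memory string:\s*(.+)$")


def parse_line(line):
    """Return (process basename, kind, value) for a recognised line, else None."""
    m = SOURCE_RE.match(line.strip())
    if not m:
        return None
    proc = m.group(1).split("\\")[-1].lower()
    if (d := DELAY_RE.search(line)):
        return proc, "delay_ms", int(d.group(1))
    if (s := SLEEP_TIME_RE.search(line)):
        # Assumption: the report's "-600000s" values are the same millisecond
        # magnitudes as its "delay time: 600000" entries (600000 = 10 min).
        return proc, "delay_ms", int(s.group(1))
    if (c := SLEEP_COUNT_RE.search(line)):
        return proc, "sleep_count", int(c.group(1))
    if (w := WMI_RE.search(line)):
        return proc, "wmi", w.group(1)
    if (ms := MEMSTR_RE.search(line)):
        return proc, "memstr", ms.group(1)
    return None


def verdict(rec):
    """Two independent evasion signals: 'evasive'; one: 'suspicious'; none: 'clean'."""
    signals = sum([
        rec["long_sleeps"] > 0 or rec["infinite_waits"] > 0,
        rec["sleep_loops"] > 0,
        len(rec["wmi_classes"]) >= 2,
        bool(rec["vm_strings"]),
    ])
    return "evasive" if signals >= 2 else "suspicious" if signals == 1 else "clean"


def score(lines, sample_controlled):
    """Summarise evasion evidence per process. sample_controlled: basenames of
    processes the sample owns (itself plus what it spawned or injected into);
    memory strings in other processes are ignored, because "Hyper-V RAW" in
    svchost.exe is the Winsock Hyper-V socket provider name, not a VM check."""
    owned = {p.lower() for p in sample_controlled}
    out = defaultdict(lambda: {"max_delay_ms": 0, "long_sleeps": 0, "infinite_waits": 0,
                               "sleep_loops": 0, "wmi_classes": set(), "vm_strings": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, kind, value = parsed
        rec = out[proc]
        if kind == "delay_ms":
            rec["max_delay_ms"] = max(rec["max_delay_ms"], value)
            if value >= TIMESPAN_MAX_MS:
                rec["infinite_waits"] += 1
            elif value >= LONG_SLEEP_MS:
                rec["long_sleeps"] += 1
        elif kind == "sleep_count":
            rec["sleep_loops"] += 1
        elif kind == "wmi" and value in VM_WMI_CLASSES:
            rec["wmi_classes"].add(value)
        elif kind == "memstr" and proc in owned:
            rec["vm_strings"].update(s for s in VM_STRINGS if s in value.lower())
    for rec in out.values():
        rec["verdict"] = verdict(rec)
    return dict(out)


# Constructed sample: copies of the entry shapes above, trimmed to ten lines.
SAMPLE_PROCESSES = {"sZXuT60Q6P.exe", "RegAsm.exe", "powershell.exe"}
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\sZXuT60Q6P.exe TID: 5880 Thread sleep time: -922337203685477s >= -30000s",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2140 Thread sleep count: 7064 > 30",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 600000",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 599875",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6984 Thread sleep count: 7460 > 30",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem",
    r"Source: RegAsm.exe, 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp Binary or memory string: VMwareVBox",
    r"Source: C:\Windows\System32\svchost.exe TID: 5264 Thread sleep time: -30000s >= -30000s",
    r"Source: svchost.exe, 00000005.00000002.3637582487.000001876F41F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW",
]

if __name__ == "__main__":
    for proc, rec in sorted(score(SAMPLE_LINES, SAMPLE_PROCESSES).items()):
        print(f"{proc:16} {rec['verdict']:10} max_delay_ms={rec['max_delay_ms']} "
              f"wmi={sorted(rec['wmi_classes'])} vm={sorted(rec['vm_strings'])}")
```

Run directly it prints one verdict line per process. The rule set is deliberately small: two independent signals are needed for "evasive", so the single indefinite wait in the dropper, or the sleep loop in powershell.exe, is reported as "suspicious" while RegAsm.exe, which combines long sleeps, a sleep loop, two hardware-identity WMI classes and VM vendor strings, comes out "evasive".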

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Code function: 4_2_00F87ED0 CheckRemoteDebuggerPresent, 4_2_00F87ED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process queried: DebugPort
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe; Process token adjusted: Debug
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: 0.2.sZXuT60Q6P.exe.2cec34c.0.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs; Reference to suspicious API methods: MyGetProcAddress(hProcess, Name)
Source: 0.2.sZXuT60Q6P.exe.2cec34c.0.raw.unpack, QJDLGErGwGLnDsDTGnUfx.cs; Reference to suspicious API methods: LoadLibraryA(ref name)
Source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, W4ip.cs; Reference to suspicious API methods: ve645LMXEKU.OpenProcess(lUA9OgW.DuplicateHandle, bInheritHandle: true, (uint)aT9Qdac.ProcessID)
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\sZXuT60Q6P.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'
(The visible characters of that argument string read -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\sZXuT60Q6P.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'; the report renders the characters inserted between them as ? and does not identify them. The command copies the dropper into the per-user Startup folder for persistence.)
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" ??????????-??????????e??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????p??????????o??????????l??????????i??????????c??????????y?????????? ??????????b??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????c?????????o?????????p?????????y?????????-?????????i?????????t?????????e?????????m 'c:\users\user\desktop\szxut60q6p.exe' 'c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\command-line.exe'
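Added example (not part of the Joe Sandbox report): the PowerShell command lines above carry characters between the letters of -ExecutionPolicy Bypass -command Copy-Item that the report renders as ? and does not identify, so a signature that matches the raw string for "-ExecutionPolicy Bypass" or for a Copy-Item into the Startup folder sees neither. The Python below strips every non-printable code point first and then runs those two checks, reporting what fired on the raw line versus the normalised one. Its sample command line is constructed: the visible characters from the report with zero-width and other Unicode format characters interleaved, which is an assumption about the obfuscation used here, not the report's finding; stripping all non-rendering categories covers the case whichever code points were actually inserted.

```python
"""Normalise an obfuscated PowerShell command line, then match signatures on it.

Added example, not part of the Joe Sandbox report. The inserted code points in
the real sample are not shown in the report; the filler below is an assumption.
"""
import re
import unicodedata

# Constructed filler: zero-width space/non-joiner/joiner, BOM, soft hyphen (all Cf).
FILLER = "\u200b\u200c\u200d\ufeff\u00ad"
# Visible text of the report's command line, without the inserted characters.
CLEAN_CMD = ("-ExecutionPolicy Bypass -command Copy-Item "
             r"'C:\Users\user\Desktop\sZXuT60Q6P.exe' "
             r"'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'")
# Unicode general categories that never render: format, control, surrogate,
# private-use and unassigned.
HIDDEN_CATEGORIES = {"Cf", "Cc", "Cs", "Co", "Cn"}

RULES = [
    # -ep, -ex, -exec, -executionpolicy ... followed by bypass
    ("execution_policy_bypass", re.compile(r"-(?:ep|ex[a-z]*)\s+bypass", re.I)),
    # Copy-Item whose argument list names the per-user Startup folder
    ("copy_to_startup", re.compile(
        r"copy-item\b.*\\start menu\\programs\\startup\\", re.I | re.S)),
]


def obfuscate(text, filler=FILLER):
    """Interleave filler after every character (builds the constructed sample)."""
    return "".join(ch + filler for ch in text)


def hidden_count(cmdline):
    """Number of code points a human reader or a naive regex never sees."""
    return sum(unicodedata.category(ch) in HIDDEN_CATEGORIES for ch in cmdline)


def normalise(cmdline):
    """Drop hidden code points and fold whitespace so signatures see the real command."""
    visible = "".join(ch for ch in cmdline
                      if unicodedata.category(ch) not in HIDDEN_CATEGORIES)
    return re.sub(r"\s+", " ", visible).strip()


def match_rules(text):
    """Names of RULES that fire on text exactly as given (no normalisation)."""
    return [name for name, rx in RULES if rx.search(text)]


def analyse(cmdline):
    """Normalised command, rule hits before and after normalisation, hidden count."""
    norm = normalise(cmdline)
    return {"normalised": norm, "hits": match_rules(norm),
            "hits_on_raw": match_rules(cmdline), "hidden_chars": hidden_count(cmdline)}


# Constructed sample: the report's visible command line with FILLER interleaved.
SAMPLE_CMDLINE = '"Powershell.exe" ' + obfuscate(CLEAN_CMD)

if __name__ == "__main__":
    result = analyse(SAMPLE_CMDLINE)
    print("hidden code points:       ", result["hidden_chars"])
    print("rules on raw line:        ", result["hits_on_raw"])
    print("rules after normalisation:", result["hits"])
    print(result["normalised"])
```

The point of keeping match_rules separate from analyse is that the same rule list is run twice: on the raw command line it returns nothing, on the normalised one both rules fire. Any detection that keys on process command lines (EDR rules, Sysmon event 1 filters, SIEM searches) should be fed the normalised form; a rule written only against the raw string is defeated by exactly the insertion shown in the report.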
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Queries volume information: C:\Users\user\Desktop\sZXuT60Q6P.exe VolumeInformation
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\sZXuT60Q6P.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (queried 3 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0014~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.SecureBoot.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.SecureBoot.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.WindowsAuthenticationProtocols.Commands\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.WindowsAuthenticationProtocols.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package0012~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\UEV\Microsoft.Uev.Commands.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-WOW64-Package00~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\Microsoft.WindowsErrorReporting.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\sZXuT60Q6P.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3c622a0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3b9b420.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3b4adf0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: sZXuT60Q6P.exe PID: 6696, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3668, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini (x2)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3c622a0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3b9b420.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3b4adf0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000004.00000002.4483187709.0000000002884000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: sZXuT60Q6P.exe PID: 6696, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3668, type: MEMORYSTR
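The entries above show RegAsm.exe, the .NET Framework assembly registration tool, opening the Chromium "Login Data" password databases, the Gecko-family profiles.ini indexes (Firefox, Thunderbird, Cyberfox, BlackHawk) and the MAPI and IncrediMail profile keys. RegAsm.exe has no reason to touch any of these; the Yara hits on 4.2.RegAsm.exe.400000.0.unpack place the unpacked payload at that process's image base, which is the hollowed-process pattern the "Creates a process in suspended mode" signature points at. The script below is an added example, not Joe Sandbox code: it parses report lines in the fused form the page prints them in, classifies each target as a credential store, and flags the access whenever the process is not the store's own application. The sample lines are constructed to mirror the RegAsm.exe entries (plus two control lines), and the store table and its owner process names are assumptions made for the example.

```python
"""Triage 'File opened' / 'Key opened' entries from a sandbox behaviour log.

Added example, not Joe Sandbox code. It reads report lines in the fused form
the page prints ("Source: <process><action>: <target>"), classifies the target
as a known credential store and flags the access when the process is not the
store's own application. Sample lines, store table and owner names are
constructed for the example.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input mirroring the RegAsm.exe entries in the report, plus two controls.
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities",
    # Benign control (constructed, not from the report): the browser reading its own database.
    r"Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    # Unrelated access that must not be flagged.
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Fonts\micross.ttf",
]

# The report glues the process path to the action; the lazy ".exe" match splits them again.
LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?\.exe)(?P<action>File opened|Key opened|Key value queried): (?P<target>.+)$"
)

# (pattern on the target, store label, process names that legitimately open it).
# Owner names are assumptions for the example, not taken from the report.
STORES: List[Tuple[re.Pattern, str, Set[str]]] = [
    (re.compile(r"\\User Data\\[^\\]+\\Login Data$", re.I),
     "Chromium password database", {"chrome.exe", "msedge.exe"}),
    (re.compile(r"\\profiles\.ini$", re.I),
     "Gecko profile index", {"firefox.exe", "thunderbird.exe"}),
    (re.compile(r"\\Windows Messaging Subsystem\\Profiles$", re.I),
     "MAPI (Outlook) profile store", {"outlook.exe"}),
    (re.compile(r"\\IncrediMail\\Identities$", re.I),
     "IncrediMail identities", set()),
]


def parse(line: str) -> Optional[Dict[str, str]]:
    """Split one report line into process, action and target; None if it is not an access entry."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(target: str) -> Optional[Tuple[str, Set[str]]]:
    """Return (store label, owner process names) if the target is a known credential store."""
    for pattern, label, owners in STORES:
        if pattern.search(target):
            return label, owners
    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per credential-store access by a process that is not the store's owner."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        entry = parse(line)
        if entry is None:
            continue
        hit = classify(entry["target"])
        if hit is None:
            continue
        label, owners = hit
        proc_name = entry["proc"].rsplit("\\", 1)[-1].lower()
        if proc_name in owners:
            continue  # the application reading its own store is expected
        findings.append({"process": proc_name, "store": label,
                         "action": entry["action"], "target": entry["target"]})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Store families touched per foreign process; one process spanning several is the stealer pattern."""
    per_proc: Dict[str, Set[str]] = {}
    for f in findings:
        per_proc.setdefault(f["process"], set()).add(f["store"])
    return {proc: sorted(stores) for proc, stores in per_proc.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_LINES)
    for f in hits:
        print(f"{f['process']}: {f['store']} <- {f['target']}")
    print(summarize(hits))
```

Run against the constructed lines, every RegAsm.exe access is flagged, the chrome.exe control and the font file are not, and the summary shows a single foreign process spanning all four store families, which is the shape to alert on rather than any one file open.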

                    Remote Access Functionality

                    Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3c622a0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3c622a0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3b9b420.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.sZXuT60Q6P.exe.3b4adf0.4.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: sZXuT60Q6P.exe PID: 6696, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 3668, type: MEMORYSTR
                    MITRE ATT&CK Matrix (one line per tactic column; the digits the report prints in front of a technique are kept as printed)

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: 231 Windows Management Instrumentation; 1 Native API; 1 Command and Scripting Interpreter; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                    Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Privilege Escalation: 1 DLL Side-Loading; 11 Process Injection; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 2 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 11 Masquerading; 271 Virtualization/Sandbox Evasion; 11 Process Injection
                    Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: 1 File and Directory Discovery; 44 System Information Discovery; 541 Security Software Discovery; 1 Process Discovery; 271 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery; Network Sniffing
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                    Collection: 11 Archive Collected Data; 1 Data from Local System; 1 Screen Capture; 1 Email Collection; 21 Input Capture; 1 Clipboard Data; Web Portal Capture; Credential API Hooking; Data Staged
                    Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Source | Detection | Scanner | Label
sZXuT60Q6P.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.Generic
sZXuT60Q6P.exe | 35% | Virustotal |
sZXuT60Q6P.exe | 100% | Joe Sandbox ML |

No Antivirus matches (dropped files)
No Antivirus matches (unpacked PE files)
No Antivirus matches (domains)
Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://api.ipif | 8 | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
http://www.microsoft. | 0% | URL Reputation | safe
http://go.micros | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://vksdr.com/goesrecv-monitor | 0% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | | high
http://ip-api.com/line/?fields=hosting | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-AS US | false
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENET US | false

Private IP: 127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1430171
Start date and time: 2024-04-23 08:45:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of newly started processes analysed: 8
Number of newly started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: sZXuT60Q6P.exe (renamed because the original name is a hash value)
Original Sample Name: 94f2ae1b5174532d81d5ea169b7f7726.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/11@2/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 80
• Number of non-executed functions: 19
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 104.77.8.139
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 3176 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
Time | Type | Description
08:45:55 | API Interceptor | 20x Sleep call for process: powershell.exe modified
08:45:56 | API Interceptor | 3x Sleep call for process: svchost.exe modified
08:45:57 | API Interceptor | 12044296x Sleep call for process: RegAsm.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Comprobante.xlam.xlsx | malicious | GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | ip-api.com/line/?fields=hosting
208.95.112.1 | TRANSPORT_INSTRUCTION_MR.vbs | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | Gestión Pago a Proveedores - Liquidación anticipo.hta | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | BNP Paribas_RemittanceAdviceNotification106173036326.doc | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | QUOTE RNP002673CC1F68.pdf.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | Unpaid Orders.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
208.95.112.1 | rPayment_AdviceJ001222042024.bat | malicious | AgentTesla, GuLoader | ip-api.com/line/?fields=hosting
208.95.112.1 | doc.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
104.26.12.205 | Sonic-Glyder.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.12.205 | Sky-Beta.exe | malicious | Stealit | api.ipify.org/?format=json
104.26.12.205 | SecuriteInfo.com.Backdoor.Win32.Agent.myuuxz.13708.17224.exe | malicious | Bunny Loader | api.ipify.org/
104.26.12.205 | lods.cmd | malicious | Remcos | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Comprobante.xlam.xlsx | malicious | GuLoader | 208.95.112.1
ip-api.com | dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
ip-api.com | TRANSPORT_INSTRUCTION_MR.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
ip-api.com | Gestión Pago a Proveedores - Liquidación anticipo.hta | malicious | AgentTesla, GuLoader | 208.95.112.1
ip-api.com | BNP Paribas_RemittanceAdviceNotification106173036326.doc | malicious | AgentTesla | 208.95.112.1
ip-api.com | QUOTE RNP002673CC1F68.pdf.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | Unpaid Orders.exe | malicious | AgentTesla | 208.95.112.1
ip-api.com | rPayment_AdviceJ001222042024.bat | malicious | AgentTesla, GuLoader | 208.95.112.1
ip-api.com | doc.exe | malicious | AgentTesla | 208.95.112.1
api.ipify.org | Urgent PO 18-3081 Confirmation.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | PO No. 2430800015.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | Texas_Tool_Purchase_Order#T18834-1.vbs | malicious | AgentTesla, GuLoader | 104.26.13.205
api.ipify.org | DHL_RF_20200712_BN_N0095673441.vbs | malicious | AgentTesla, GuLoader | 104.26.12.205
api.ipify.org | TRANSPORT_INSTRUCTION_MR.vbs | malicious | AgentTesla, GuLoader | 104.26.13.205
api.ipify.org | gmb.xls | malicious | Unknown | 104.26.12.205
api.ipify.org | Swift_Message#1234323456.vbs | malicious | AgentTesla, GuLoader | 172.67.74.152
api.ipify.org | QUOTE RNP002673CC1F68.pdf.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | https://florideskser.online/login | malicious | Unknown | 172.67.74.152
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | ShadowFury.exe | malicious | Unknown | 162.159.61.3
CLOUDFLARENETUS | anuwhqTXGt.dll | malicious | Unknown | 172.67.207.72
CLOUDFLARENETUS | ShadowFury.exe | malicious | Unknown | 162.159.61.3
CLOUDFLARENETUS | anuwhqTXGt.dll | malicious | Unknown | 104.21.45.11
CLOUDFLARENETUS | Urgent PO 18-3081 Confirmation.exe | malicious | AgentTesla | 172.67.74.152
CLOUDFLARENETUS | Gam.xls | malicious | Unknown | 172.67.180.182
CLOUDFLARENETUS | Quotation.xls | malicious | Remcos | 172.67.206.230
CLOUDFLARENETUS | Invoice.doc | malicious | Unknown | 172.67.175.222
CLOUDFLARENETUS | 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe | malicious | AgentTesla | 104.26.12.205
CLOUDFLARENETUS | Gam.xls | malicious | Unknown | 172.67.180.182
TUT-ASUS | Comprobante.xlam.xlsx | malicious | GuLoader | 208.95.112.1
TUT-ASUS | dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | dekont.pdf.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
TUT-ASUS | TRANSPORT_INSTRUCTION_MR.vbs | malicious | AgentTesla, GuLoader | 208.95.112.1
TUT-ASUS | Gestión Pago a Proveedores - Liquidación anticipo.hta | malicious | AgentTesla, GuLoader | 208.95.112.1
TUT-ASUS | BNP Paribas_RemittanceAdviceNotification106173036326.doc | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | QUOTE RNP002673CC1F68.pdf.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | Unpaid Orders.exe | malicious | AgentTesla | 208.95.112.1
TUT-ASUS | rPayment_AdviceJ001222042024.bat | malicious | AgentTesla, GuLoader | 208.95.112.1
TUT-ASUS | doc.exe | malicious | AgentTesla | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Urgent PO 18-3081 Confirmation.exe | malicious | AgentTesla | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | 171385176494b902dcff1b37e29676f3c17c0cb0090fe4b0a33f3f6a97431f2344b56a8ec2497.dat-decoded.exe | malicious | AgentTesla | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | PO No. 2430800015.exe | malicious | AgentTesla | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | PO 26519PZ F30 59.vbs | malicious | FormBook, GuLoader | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | Texas_Tool_Purchase_Order#T18834-1.vbs | malicious | AgentTesla, GuLoader | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | DHL_RF_20200712_BN_N0095673441.vbs | malicious | AgentTesla, GuLoader | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | e-dekont_swift-details.vbs | malicious | Unknown | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | TRANSPORT_INSTRUCTION_MR.vbs | malicious | AgentTesla, GuLoader | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | Gestión Pago a Proveedores - Liquidación anticipo.hta | malicious | AgentTesla, GuLoader | 104.26.12.205
3b5074b1b5d032e5620f69f9f700ff0e | shipping document.vbs | malicious | FormBook, GuLoader | 104.26.12.205
                                                                    No context
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):8192
Entropy (8bit):0.3588072191296206
Encrypted:false
SSDEEP:6:6xkoaaD0JOCEfMuaaD0JOCEfMKQmDhxkoaaD0JOCEfMuaaD0JOCEfMKQmD:maaD0JcaaD0JwQQ3aaD0JcaaD0JwQQ
MD5:663C5D6018506231E334FB3EA962ED1C
SHA1:539A4641CE92E57E4ADEE32750A817326E596D4C
SHA-256:066CB701C03237D2612AA647E6BF08EF594360F96E433639B0CC9EED7335F1E1
SHA-512:5F910653FD1B12B94D314EDEDF6EB2BEC70D369D921EB5B7CF4D199B0374D6C798336E39DBF2781F3B0457280E0DDA63BDF4861DF31C08152544B0F1039D5FCD
Malicious:false
Reputation:moderate, very likely benign file

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.8336933431872641
Encrypted:false
SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugJ:gJjJGtpTq2yv1AuNZRY3diu8iBVqF/
MD5:03A79232D13F7E7AF73DABE38E434788
SHA1:5AABAF3C4D4FB7E518E609266FD7660F554531C2
SHA-256:5C8025DEDEA9B5ADF07BEEC82C7AFCB52EA23F6EBE503C531D0D0F093338BB51
SHA-512:E9C152F66A9FDCCE5BF29A7A44F392CA2B2B882BE1D3C8EC676D37B11F4E4025BD2A27E7418D20EAFFA09139CCC0A56DDA09397253E265B47D1047F736C29B97
Malicious:false
Reputation:low

Process:C:\Windows\System32\svchost.exe
File Type:Extensible storage engine DataBase, version 0x620, checksum 0x43ee7967, page size 16384, Windows version 10.0
Category:dropped
Size (bytes):1310720
Entropy (8bit):0.6584273642412415
Encrypted:false
SSDEEP:1536:5SB2ESB2SSjlK/AxrO1T1B0CZSJWYkr3g16n2UPkLk+kdbI/0uznv0M1Dn/didMV:5aza6xhzA2U8HDnAPZ4PZf9h/9h
MD5:184588FBF1FE9492EBE68E1D3A007F1F
SHA1:D3B1E0F9B5CB2F1D7DADD57D5F6E8039CFAE545C
SHA-256:072A40EC170823AB5B9B08D1C893E5A6A75B1ED264C21C32E3470763E4589CF5
SHA-512:7D07F47519579AA2A605C26094F2CFDFB77438A4AF98A65F9C3643307F693823CEFB5B8F8435D69F336926159430862A3CD795C24B29BE65BE09CF2AE26AF170
Malicious:false
Reputation:low

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):16384
Entropy (8bit):0.07905187549098011
Encrypted:false
SSDEEP:3:vS/lUetYerSUZgjKGKf3OhiO6yBll58Kgvvl/QoeP/ll:eNzrSAmKGKfO6Kz8KgR+t
MD5:3A7B6AE7DF773C31AB84DDAAB2BB25B2
SHA1:32E08061766F7FA28C9104594D53C1826BA219F7
SHA-256:75121D5590FC6521513159C7B132AB357AC66984892BC511F4DFB7DC915E0522
SHA-512:9DA7E552907A3B1C930AA49FD7E394179F2A4397A2CCBFD8F5977F899A63FD72C13FF6AF90D57F618E86CF88907EC050192FBDB0F7F4BF6FC805C08431280DEC
Malicious:false
Reputation:low

Process:C:\Users\user\Desktop\sZXuT60Q6P.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):1396
Entropy (8bit):5.337066511654157
Encrypted:false
SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhgLE4qXKIE4oKNzKoZAE4Kze0E4qE4x84j:MIHK5HKH1qHiYHKh3ogLHitHo6hAHKze
MD5:55A2AF8F9FCA3AE99FBA235D3E16A53F
SHA1:32F34219599006657BFF0B868257916A0C393AAA
SHA-256:2E0B5859D8501D26669B982BD18005B625352435DB8E1D8B944EED350C1DB0B3
SHA-512:F6EB6E6AA729963FF23349B6DF3B558896C7B294BF15F6601C4FEF2B1034DEBE207CE04A85F14124CBC41B168157778A23BAA06FCCFE13B0EE262CF2D80FDDA6
Malicious:false
Reputation:low
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c5619

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):1.1510207563435464
Encrypted:false
SSDEEP:3:Nlllul9kLZ:NllUG
MD5:087D847469EB88D02E57100D76A2E8E4
SHA1:A2B15CEC90C75870FDAE3FEFD9878DD172319474
SHA-256:81EB9A97215EB41752F6F4189343E81A0D5D7332E1646A24750D2E08B4CAE013
SHA-512:4682F4457C1136F84C10ACFE3BD114ACF3CCDECC1BDECC340A5A36624D93A4CB3D262B3A6DD3523C31E57C969F04903AB86BE3A2C6B07193BF08C00962B33727
Malicious:false

Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode

Process:C:\Windows\System32\svchost.exe
File Type:JSON data
Category:dropped
Size (bytes):55
Entropy (8bit):4.306461250274409
Encrypted:false
SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
MD5:DCA83F08D448911A14C22EBCACC5AD57
SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
Malicious:false
Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):5.336421024349973
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
File name:sZXuT60Q6P.exe
File size:793'600 bytes
MD5:94f2ae1b5174532d81d5ea169b7f7726
SHA1:a6f144862293920e5376e5b53a1723502c9de2fb
SHA256:d1b0b9a6b80f54be2a14ff19f3bd682185848d92443fa555a08cb07fa630a230
SHA512:297ad4f0d9368a9b64c0b1fa06daa8fbd4e93c9cb917b9c1245b761e1aa059c951883ec343767c2ed5668d262161ec5b37ce9d1fa5733e96cf2bfc9b80c517c8
SSDEEP:6144:otQiMdN7Lcgh1yba6tPIyJJ8thhzzb84f8r7SzCx16Nm/7UMGLEfSAB2c6H5RNov:X7JYbtPX23fffzjA/oMFiT
TLSH:28F49DF2D24458D5EC6E13B1D8374C2A2227FDA9B8F5D91E56AE71225BB33D20027D0B
Icon Hash:4c001a0100000001
Entrypoint:0x45967e
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x83DBA3F9 [Tue Feb 7 06:40:57 2040 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
                                                                    add byte ptr [eax], al
Name                                 | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT         | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT         | 0x59628         | 0x53         | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE       | 0x5a000         | 0x69fea      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC      | 0xc4000         | 0xc          | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR      | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS            | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG    | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT            | 0x2000          | 0x8          | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT   | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008          | 0x48         | .text
IMAGE_DIRECTORY_ENTRY_RESERVED       | 0x0             | 0x0          |
Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity     | File Type | Entropy             | Characteristics
.text  | 0x2000          | 0x57684      | 0x57800  | a63ac8da0a6fd0d6a519092fb9999901 | False    | 0.9025530133928571  | data      | 7.950055534042309   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  | 0x5a000         | 0x69fea      | 0x6a000  | e32048688f8c669a83efe8e994ff2e15 | False    | 0.07613732679834906 | data      | 1.839656211272816   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc4000         | 0xc          | 0x200    | d35ff0300259193a624899830de059ba | False    | 0.044921875         | data      | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name          | RVA     | Size    | Type                                                                                               | Language | Country | ZLIB Complexity
RT_ICON       | 0x5a2b0 | 0x468   | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5905 x 5905 px/m      |          |         | 0.2765957446808511
RT_ICON       | 0x5a718 | 0x988   | Device independent bitmap graphic, 24 x 48 x 32, image size 2304, resolution 5905 x 5905 px/m      |          |         | 0.21106557377049182
RT_ICON       | 0x5b0a0 | 0x10a8  | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5905 x 5905 px/m      |          |         | 0.1824577861163227
RT_ICON       | 0x5c148 | 0x25a8  | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5905 x 5905 px/m      |          |         | 0.14398340248962654
RT_ICON       | 0x5e6f0 | 0x4228  | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5905 x 5905 px/m    |          |         | 0.11319083608880491
RT_ICON       | 0x62918 | 0x5488  | Device independent bitmap graphic, 72 x 144 x 32, image size 20736, resolution 5905 x 5905 px/m    |          |         | 0.10646950092421442
RT_ICON       | 0x67da0 | 0x94a8  | Device independent bitmap graphic, 96 x 192 x 32, image size 36864, resolution 5905 x 5905 px/m    |          |         | 0.09217994534370401
RT_ICON       | 0x71248 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5905 x 5905 px/m   |          |         | 0.07982373121968532
RT_ICON       | 0x81a70 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144, resolution 5905 x 5905 px/m  |          |         | 0.0636890848300145
RT_GROUP_ICON | 0xc3a98 | 0x84    | data                                                                                               |          |         | 0.7045454545454546
RT_VERSION    | 0xc3b1c | 0x2e4   | data                                                                                               |          |         | 0.4391891891891892
RT_MANIFEST   | 0xc3e00 | 0x1ea   | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                  |          |         | 0.5489795918367347
DLL         | Import
mscoree.dll | _CorExeMain
Timestamp                            | Source Port | Dest Port | Source IP     | Dest IP
Apr 23, 2024 08:45:57.978689909 CEST | 49707       | 443       | 192.168.2.5   | 104.26.12.205
Apr 23, 2024 08:45:57.978776932 CEST | 443         | 49707     | 104.26.12.205 | 192.168.2.5
Apr 23, 2024 08:45:57.978924990 CEST | 49707       | 443       | 192.168.2.5   | 104.26.12.205
Apr 23, 2024 08:45:57.983285904 CEST | 49707       | 443       | 192.168.2.5   | 104.26.12.205
Apr 23, 2024 08:45:57.983319998 CEST | 443         | 49707     | 104.26.12.205 | 192.168.2.5
Apr 23, 2024 08:45:58.181328058 CEST | 443         | 49707     | 104.26.12.205 | 192.168.2.5
Apr 23, 2024 08:45:58.181428909 CEST | 49707       | 443       | 192.168.2.5   | 104.26.12.205
Apr 23, 2024 08:45:58.188265085 CEST | 49707       | 443       | 192.168.2.5   | 104.26.12.205
Apr 23, 2024 08:45:58.188283920 CEST | 443         | 49707     | 104.26.12.205 | 192.168.2.5
Apr 23, 2024 08:45:58.188595057 CEST | 443         | 49707     | 104.26.12.205 | 192.168.2.5
Apr 23, 2024 08:45:58.228363991 CEST | 49707       | 443       | 192.168.2.5   | 104.26.12.205
Apr 23, 2024 08:45:58.237476110 CEST | 49707       | 443       | 192.168.2.5   | 104.26.12.205
Apr 23, 2024 08:45:58.284115076 CEST | 443         | 49707     | 104.26.12.205 | 192.168.2.5
Apr 23, 2024 08:45:58.447551966 CEST | 443         | 49707     | 104.26.12.205 | 192.168.2.5
Apr 23, 2024 08:45:58.447623014 CEST | 443         | 49707     | 104.26.12.205 | 192.168.2.5
Apr 23, 2024 08:45:58.447675943 CEST | 49707       | 443       | 192.168.2.5   | 104.26.12.205
Apr 23, 2024 08:45:58.453114986 CEST | 49707       | 443       | 192.168.2.5   | 104.26.12.205
Apr 23, 2024 08:45:58.547826052 CEST | 49708       | 80        | 192.168.2.5   | 208.95.112.1
Apr 23, 2024 08:45:58.640819073 CEST | 80          | 49708     | 208.95.112.1  | 192.168.2.5
Apr 23, 2024 08:45:58.640916109 CEST | 49708       | 80        | 192.168.2.5   | 208.95.112.1
Apr 23, 2024 08:45:58.641047001 CEST | 49708       | 80        | 192.168.2.5   | 208.95.112.1
Apr 23, 2024 08:45:58.736219883 CEST | 80          | 49708     | 208.95.112.1  | 192.168.2.5
Apr 23, 2024 08:45:58.790879965 CEST | 49708       | 80        | 192.168.2.5   | 208.95.112.1
Apr 23, 2024 08:46:58.612241983 CEST | 80          | 49708     | 208.95.112.1  | 192.168.2.5
Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
Apr 23, 2024 08:45:57.880966902 CEST | 64637       | 53        | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:45:57.969527006 CEST | 53          | 64637     | 1.1.1.1     | 192.168.2.5
Apr 23, 2024 08:45:58.458319902 CEST | 53572       | 53        | 192.168.2.5 | 1.1.1.1
Apr 23, 2024 08:45:58.546960115 CEST | 53          | 53572     | 1.1.1.1     | 192.168.2.5
Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name          | Type           | Class       | DNS over HTTPS
Apr 23, 2024 08:45:57.880966902 CEST | 192.168.2.5 | 1.1.1.1 | 0x2b90   | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Apr 23, 2024 08:45:58.458319902 CEST | 192.168.2.5 | 1.1.1.1 | 0xa995   | Standard query (0) | ip-api.com    | A (IP address) | IN (0x0001) | false
Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name          | CName | Address       | Type           | Class       | DNS over HTTPS
Apr 23, 2024 08:45:57.969527006 CEST | 1.1.1.1   | 192.168.2.5 | 0x2b90   | No error (0) | api.ipify.org |       | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 08:45:57.969527006 CEST | 1.1.1.1   | 192.168.2.5 | 0x2b90   | No error (0) | api.ipify.org |       | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 08:45:57.969527006 CEST | 1.1.1.1   | 192.168.2.5 | 0x2b90   | No error (0) | api.ipify.org |       | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Apr 23, 2024 08:45:58.546960115 CEST | 1.1.1.1   | 192.168.2.5 | 0xa995   | No error (0) | ip-api.com    |       | 208.95.112.1  | A (IP address) | IN (0x0001) | false
                                                                    • api.ipify.org
                                                                    • ip-api.com
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.5 | 49708       | 208.95.112.1   | 80               | 3668 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp                            | Bytes transferred | Direction | Data
Apr 23, 2024 08:45:58.641047001 CEST | 80                | OUT       | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Apr 23, 2024 08:45:58.736219883 CEST | 175               | IN        | HTTP/1.1 200 OK
Date: Tue, 23 Apr 2024 06:45:58 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 6
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
Data Raw: 66 61 6c 73 65 0a
Data Ascii: false


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.5 | 49707       | 104.26.12.205  | 443              | 3668 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp               | Bytes transferred | Direction | Data
2024-04-23 06:45:58 UTC | 155               | OUT       | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Host: api.ipify.org
Connection: Keep-Alive
2024-04-23 06:45:58 UTC | 211               | IN        | HTTP/1.1 200 OK
Date: Tue, 23 Apr 2024 06:45:58 GMT
Content-Type: text/plain
Content-Length: 14
Connection: close
Vary: Origin
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 878be4cfaf59428e-EWR
2024-04-23 06:45:58 UTC | 14                | IN        | Data Raw: 31 35 34 2e 31 36 2e 31 39 32 2e 31 36 33
Data Ascii: 154.16.192.163



                                                                    Target ID:0
                                                                    Start time:08:45:54
                                                                    Start date:23/04/2024
                                                                    Path:C:\Users\user\Desktop\sZXuT60Q6P.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\sZXuT60Q6P.exe"
                                                                    Imagebase:0x640000
                                                                    File size:793'600 bytes
                                                                    MD5 hash:94F2AE1B5174532D81D5EA169B7F7726
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2029959997.0000000003AA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:08:45:55
                                                                    Start date:23/04/2024
                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"Powershell.exe" ??????????-??????????E??????????x??????????e??????????c??????????u??????????t??????????i??????????o??????????n??????????P??????????o??????????l??????????i??????????c??????????y?????????? ??????????B??????????y??????????p??????????a??????????s??????????s?????????? ??????????-??????????c??????????o??????????m??????????m??????????a??????????n??????????d ?????????C?????????o?????????p?????????y?????????-?????????I?????????t?????????e?????????m 'C:\Users\user\Desktop\sZXuT60Q6P.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\command-line.exe'
                                                                    Imagebase:0x60000
                                                                    File size:433'152 bytes
                                                                    MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:3
                                                                    Start time:08:45:55
                                                                    Start date:23/04/2024
                                                                    Path:C:\Windows\System32\conhost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                    Imagebase:0x7ff6d64d0000
                                                                    File size:862'208 bytes
                                                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:08:45:56
                                                                    Start date:23/04/2024
                                                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                    Imagebase:0x630000
                                                                    File size:65'440 bytes
                                                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.4475240542.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.4483187709.0000000002884000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:5
                                                                    Start time:08:45:56
                                                                    Start date:23/04/2024
                                                                    Path:C:\Windows\System32\svchost.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                    Imagebase:0x7ff7e52b0000
                                                                    File size:55'320 bytes
                                                                    MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true


                                                                      Execution Graph

                                                                      Execution Coverage:5.5%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:28
                                                                      Total number of Limit Nodes:0

                                                                      Control-flow Graph

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2028808729.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2930000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Pphq
                                                                      • API String ID: 0-882776299
                                                                      • Opcode ID: 3bf67e13e0bee732038ec3daed923e391c2615f87787bfb68977e6b83ebe4a1d
                                                                      • Instruction ID: 8e957d8deaa34379ac8738609aa233b5ad102c723a13ce8b2f64f6ce05681dea
                                                                      • Opcode Fuzzy Hash: 3bf67e13e0bee732038ec3daed923e391c2615f87787bfb68977e6b83ebe4a1d
                                                                      • Instruction Fuzzy Hash: 84926078E012298FDB65DF69D984BD9BBB2EB49300F1081E9980DA7364DB359E85CF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0293B53E
Memory Dump Source
• Source File: 00000000.00000002.2028808729.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_sZXuT60Q6P.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 1c3ea55a04e2f343409f0b8e7c99f3cd02b21711b7e1766722524118416d0073
• Instruction ID: 5ff11ca86cab944d503332ec84b28c736b32a4241566b4f1959a106242e74d00
• Opcode Fuzzy Hash: 1c3ea55a04e2f343409f0b8e7c99f3cd02b21711b7e1766722524118416d0073
• Instruction Fuzzy Hash: B1814670A00B158FD725DF29D05475ABBF5FF88308F00892ED48ADBA50DB34E94ACB91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0293DB96,?,?,?,?,?), ref: 0293DC57
Memory Dump Source
• Source File: 00000000.00000002.2028808729.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_sZXuT60Q6P.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 59a212fe8a640e8af4449440f5b163c0c87feab09e71724d8b3acf2b4ee219a0
• Instruction ID: e07b70165c7097b0a11db8e043371691f751137761d164288a4998f275d330e0
• Opcode Fuzzy Hash: 59a212fe8a640e8af4449440f5b163c0c87feab09e71724d8b3acf2b4ee219a0
• Instruction Fuzzy Hash: 1E21E3B59002489FDB10CF9AD584AEEBBF9EB48310F14845AE918B3350D378A950CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0293DB96,?,?,?,?,?), ref: 0293DC57
Memory Dump Source
• Source File: 00000000.00000002.2028808729.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_sZXuT60Q6P.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: f066dbd5fe1cdca08bff10365398e240435913f5a9058fa635d284b56843d08a
• Instruction ID: ff4b67ff5ddc708d2bdfcdc497242aad8ef1557c8b7e2afbe2e325a889cb9483
• Opcode Fuzzy Hash: f066dbd5fe1cdca08bff10365398e240435913f5a9058fa635d284b56843d08a
• Instruction Fuzzy Hash: 5321E4B59002089FDB10CF9AD584ADEFFF9FB48310F14801AE958A3350D378A941CFA4
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0293B5B9,00000800,00000000,00000000), ref: 0293B7CA
Memory Dump Source
• Source File: 00000000.00000002.2028808729.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_sZXuT60Q6P.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 023fb15e083529ddc2ee1dc661d198f6971e32344fac65de2f42927dc6e0a8a6
• Instruction ID: 7872861ac73e1c58309ec317a825e4a5ce2797065d7db270dfe706ec206b49f7
• Opcode Fuzzy Hash: 023fb15e083529ddc2ee1dc661d198f6971e32344fac65de2f42927dc6e0a8a6
• Instruction Fuzzy Hash: 991112B69003099FDB10DF9AC484B9EFBF8EB88314F10842AE519A7610C379A945CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0293B5B9,00000800,00000000,00000000), ref: 0293B7CA
Memory Dump Source
• Source File: 00000000.00000002.2028808729.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_sZXuT60Q6P.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 6459e96384f4ae29e9d6fb5f5fffce86db422e97428156bd973c91d472de7316
• Instruction ID: 0ff733ee12db955f1659a5bd424c0657946f1471133b179fe01f6b6aa1e63bfc
• Opcode Fuzzy Hash: 6459e96384f4ae29e9d6fb5f5fffce86db422e97428156bd973c91d472de7316
• Instruction Fuzzy Hash: DB11F3B6D002099FDB10CF9AD584ADEFBF8EF88714F10842AD519A7610C379A545CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0293B53E
Memory Dump Source
• Source File: 00000000.00000002.2028808729.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2930000_sZXuT60Q6P.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 81693f5999e2137189b5f0e4fa8c3b6370c21c2678ff4cb84b6457d6e459a350
• Instruction ID: d773cb9cd60ad60e1f4cd60c8dd6218765602ce3432fed0bf9158bf64e2e58a4
• Opcode Fuzzy Hash: 81693f5999e2137189b5f0e4fa8c3b6370c21c2678ff4cb84b6457d6e459a350
• Instruction Fuzzy Hash: 7711F2B6C003498FDB10DF9AD444ADEFBF8EF88314F14846AD519A7210D379A545CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: efd46f74a2f6ec1c79fb8bc774ce99c389e621e18e9b987d60962ed65bbb403a
• Instruction ID: 952f86da5f48f71a25849bb5a4949a5efc9c46c12233ab0f762e9b0be0609eee
• Opcode Fuzzy Hash: efd46f74a2f6ec1c79fb8bc774ce99c389e621e18e9b987d60962ed65bbb403a
• Instruction Fuzzy Hash: 9D618970A0060A9FCB18CF99D5C08AAF7F6FF88300711CA6AD91997615DB30FC52CBA0
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
Similarity
• API ID:
• String ID: 4'hq
• API String ID: 0-3911794826
• Opcode ID: 151a57d3114796f8a61354e6d907018e43061642428bc7c18221cb47b0d4c6f8
• Instruction ID: b685fce9a6a62939adcd30086ced3e31228e5e5840c597b00fd246e8d8e8a4f4
• Opcode Fuzzy Hash: 151a57d3114796f8a61354e6d907018e43061642428bc7c18221cb47b0d4c6f8
• Instruction Fuzzy Hash: A6D0A7611496544FD7192A3475B14E83B62EF812403020486C441069A7CF180D0BC342
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: af5124ddde9e44a2fa2551a5115da8f8faaeb22fb7e91f58a70cadf994d4d0d7
• Instruction ID: b0e04f468359711a450bbe2aa8b3059f42eb662dfc5b712d62ceff3d99f8af38
• Opcode Fuzzy Hash: af5124ddde9e44a2fa2551a5115da8f8faaeb22fb7e91f58a70cadf994d4d0d7
• Instruction Fuzzy Hash: 71B15731B046028FEF25DF39D544AAAB7E6FF84300B24482AE546C7691EB75FD42CB60
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cb4e8c2dd1aca013aa83eef27d09d684562d433b277f9df790505e91a0192428
• Instruction ID: 6918284af613e2e72f1218c931897d9974f7dc51910d307f4779a5945f554d40
• Opcode Fuzzy Hash: cb4e8c2dd1aca013aa83eef27d09d684562d433b277f9df790505e91a0192428
• Instruction Fuzzy Hash: EEB1AE306403458FC715DF28E994D5ABBB6FF8931471089A9E04A8B376DB34FD4ACB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: df9f073ec1222b3aa9aeca2e611b6676590388b707200f2d0170e3c0b8e01a77
• Instruction ID: 2ed7ae49305cc78a0e8d8e0c7e79bbc7b63efdb01135e0dc3a4b719f6d6bbf73
• Opcode Fuzzy Hash: df9f073ec1222b3aa9aeca2e611b6676590388b707200f2d0170e3c0b8e01a77
• Instruction Fuzzy Hash: 27A19D346006059FC715DF28EA84D6DBBB6FF883147108A69E40A9B376DB34FD4ACB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2031889371.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4ff0000_sZXuT60Q6P.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 40222e6e8adeae538e04eff1d6c4d1750b9f60d64100d91db65cbe6b91f749dd
• Instruction ID: 9d02242aa807041fba977c19b130ab45f56e2fa7ef47f715a0794ec13687d317
• Opcode Fuzzy Hash: 40222e6e8adeae538e04eff1d6c4d1750b9f60d64100d91db65cbe6b91f749dd
• Instruction Fuzzy Hash: 5291D475A0060A9FDB15CFA8D984AEEBBF2FF48310F048569E92997360D730E951CF50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2738ff845512da709adbc6105ead721c02d39b81c754117107ab7ceda4d85aba
• Instruction ID: 7973938132b7583ecc521d23a65652de5e0f6b79c80bd1f3a61cc170c914d619
• Opcode Fuzzy Hash: 2738ff845512da709adbc6105ead721c02d39b81c754117107ab7ceda4d85aba
• Instruction Fuzzy Hash: 12619D71A0020A9FDB05DF58D980DAEFBBAFF84314B14C929D5199B225DB35FD06CB90
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2031889371.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4ff0000_sZXuT60Q6P.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c86df963dbbd8b91dfe9e106fdc5d66be7e2356cd287e94706caa01333a5870b
• Instruction ID: c1a13a610981cb0fc3ba2d5018b04d7d3e5c8cb68ac4232a0a4cb74f0a2be250
• Opcode Fuzzy Hash: c86df963dbbd8b91dfe9e106fdc5d66be7e2356cd287e94706caa01333a5870b
• Instruction Fuzzy Hash: D2715E75A01209AFCB15DF69D884DAEBBB6FF88714B114099FA01AB371D731E882CB50
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3ddda0abb87a6f3888076d30cb5ad92db26c7b163c5eb69fb4b0b000107fc8c
• Instruction ID: 69d51ef01aba542acb44a71b0e456c24e6c504078c1b5bba5fc283e09835deba
• Opcode Fuzzy Hash: a3ddda0abb87a6f3888076d30cb5ad92db26c7b163c5eb69fb4b0b000107fc8c
• Instruction Fuzzy Hash: B7512432B056904FDB269F28D99085ABBE5EFC572431984BED559CB352CA35FC03C790
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 33ee9342ec27d2d76f553e409601ce4d8f5133e8d9ef9c3b137b9bba3feb87fe
• Instruction ID: d6982631d83d6294ca120d1ee65f521765f45b49980e03eb893de00d5969b263
• Opcode Fuzzy Hash: 33ee9342ec27d2d76f553e409601ce4d8f5133e8d9ef9c3b137b9bba3feb87fe
• Instruction Fuzzy Hash: EC51C3302407049FD315EB34E995A6E7BF6EF89344B04892ED1468B666DF39ED0BCB90
Uniqueness

Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 520d4e043f16017518525033c9f73917d1bd22678cb075650a9e3a36cd37e150
                                                                      • Instruction ID: 8e5a7ef66000715ccc51166ddb79c79e4ba45a84bc0a0dfa606e67f63b1013b6
                                                                      • Opcode Fuzzy Hash: 520d4e043f16017518525033c9f73917d1bd22678cb075650a9e3a36cd37e150
                                                                      • Instruction Fuzzy Hash: 574180302407015FE319EB24EA41E5ABBA6EF81314F41CA6DD2469B666DF78F90DCB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4a894ec830a51bda0b9d18c759321381bcdedb6d497a8df04f60fa63558b67ff
                                                                      • Instruction ID: f0125724291a1f74fdc0300ac51f5100db868da1b46d3be6b5c0d2c646fcbc8e
                                                                      • Opcode Fuzzy Hash: 4a894ec830a51bda0b9d18c759321381bcdedb6d497a8df04f60fa63558b67ff
                                                                      • Instruction Fuzzy Hash: 464170302406049FD329EB34EA54E2EB7AAEFC4344B04892DD1468B665DF79FD0ACB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3e20d1268d7c7eaac6845469b45201f770bcac470e9f16a11d60a5ca83ba2204
                                                                      • Instruction ID: e22c9948549b1fbde55b92ea9c0fce582f83892bba73ff3c9044968c3c077c93
                                                                      • Opcode Fuzzy Hash: 3e20d1268d7c7eaac6845469b45201f770bcac470e9f16a11d60a5ca83ba2204
                                                                      • Instruction Fuzzy Hash: 324190301407015FE319EB24EA40F5A7BA6EF81314F40CA6DD2469B666DF78F909CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c16b0d1a7e710a1ee583350daf855aba92f998b7cd8162b3aa05896c940e5815
                                                                      • Instruction ID: 31297f081046882a06b722339f5aa885532ad6f6544f51d7a40de68374052082
                                                                      • Opcode Fuzzy Hash: c16b0d1a7e710a1ee583350daf855aba92f998b7cd8162b3aa05896c940e5815
                                                                      • Instruction Fuzzy Hash: D6216D313802052BF318AA31AD61B7E3757DFC02A4F08892CE5029F1A8DD79FE4B9390
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031889371.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ff0000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c4d2bc8bf2dde803674fd7cddf987108f988876300e2009d0d50a55564d47fb1
                                                                      • Instruction ID: 93cac3a4a977c8a94c22ea80e161b8cf58f51a42fe593ae02099d1b2516cfdf2
                                                                      • Opcode Fuzzy Hash: c4d2bc8bf2dde803674fd7cddf987108f988876300e2009d0d50a55564d47fb1
                                                                      • Instruction Fuzzy Hash: DD218C307006018FCB289B38D855A2A73EAEF85718B50847AE606CB3B0DB72EC06CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 1733ae0d8db732df21db9b13f1870819107dd0608bc47e7544027297bca836a1
                                                                      • Instruction ID: 7d1d3cd3f43475857bf0c4f6717a1a19bf6bb9b0a6803754415bb53f4e25419c
                                                                      • Opcode Fuzzy Hash: 1733ae0d8db732df21db9b13f1870819107dd0608bc47e7544027297bca836a1
                                                                      • Instruction Fuzzy Hash: 271193327452149FEB185F76B458669BBABFFC1626318007EE00AC7281CF29DC83CB60
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2028130800.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_100d000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d5786064e1af2c6a82c4c0e8d491b08a0552bbebcd6f13af2239756ce9cb20fb
                                                                      • Instruction ID: 687392504a8df6364959c844a15efb463b1305f1ad171d1b705db70cf2823275
                                                                      • Opcode Fuzzy Hash: d5786064e1af2c6a82c4c0e8d491b08a0552bbebcd6f13af2239756ce9cb20fb
                                                                      • Instruction Fuzzy Hash: 6A21D371604204DFEB16DFA8D984B16BFA5EB84354F20C5A9E98D4B296C33AD406CB72
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8f0a5ac2f8724da9a7797c4e1904751ee7e85f4e72a714a598871c4efdc19d7b
                                                                      • Instruction ID: dc2084eb33da857e78aee26fad899812d570bcca2d50e2fbe31954d10c152842
                                                                      • Opcode Fuzzy Hash: 8f0a5ac2f8724da9a7797c4e1904751ee7e85f4e72a714a598871c4efdc19d7b
                                                                      • Instruction Fuzzy Hash: FD117F35B047009FE7258F6AE584E16BBE6FF85324B18856AD54E87252C731FC86C750
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 8d27c81a10f995f7bee279d227044cc3fc88ae54b15332259a7fc1bf02150279
                                                                      • Instruction ID: 7769db35ce41c35c5bef5f0cad7727d70a95ebae8fac59802c947c85f1134f68
                                                                      • Opcode Fuzzy Hash: 8d27c81a10f995f7bee279d227044cc3fc88ae54b15332259a7fc1bf02150279
                                                                      • Instruction Fuzzy Hash: 6211D071B003068FDB14DFA8E98496ABBE5FFC4264700462DE9168B315EB38ED06CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c6d7ba7d5da98f93c296f5a6adc3915fb91a6eb5ab450d5965ed8670262df8be
                                                                      • Instruction ID: d621e5f5973552a102f7548d8cca2689f2e445763d616293f6e829db7a99ad95
                                                                      • Opcode Fuzzy Hash: c6d7ba7d5da98f93c296f5a6adc3915fb91a6eb5ab450d5965ed8670262df8be
                                                                      • Instruction Fuzzy Hash: BD014031B441115BFF24967E9944B6B7ADEEFC4740F14803AAA0AC73C4DE6AEC439261
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 79b1871ae048856cb198a53a1e2c58f3cd9da9c67462e0664d22adc69eecfb7c
                                                                      • Instruction ID: 100e771f5dfeff0eff051793a11d7c6de29b9352d86b7452458d4b6ce9fd6837
                                                                      • Opcode Fuzzy Hash: 79b1871ae048856cb198a53a1e2c58f3cd9da9c67462e0664d22adc69eecfb7c
                                                                      • Instruction Fuzzy Hash: 0E11BB71A002498FCF15CF99D8C08AABBF6FF88310710846AEA19D7251D730BD12CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b00a664b85ebd123580054c854127b1a8cc6b5a5a3e4c6ecbd1282c74356caa5
                                                                      • Instruction ID: daf80dc6b832540c62807b450bca3f96ff8a5360f52b677227ee06933cd4e540
                                                                      • Opcode Fuzzy Hash: b00a664b85ebd123580054c854127b1a8cc6b5a5a3e4c6ecbd1282c74356caa5
                                                                      • Instruction Fuzzy Hash: 931184706407055FD719EB24E94095ABBAAEF813583148A2DD01A8B666DB75FD0BCB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f59a41d0cfe75efb224b601fa7ff73f6b2a45cb38e3b2a631aa23fb613c9b9a7
                                                                      • Instruction ID: 47baf71d796ef8775373248eacb3410d823b6ae9c6b8d01b13a7690b2a8c5519
                                                                      • Opcode Fuzzy Hash: f59a41d0cfe75efb224b601fa7ff73f6b2a45cb38e3b2a631aa23fb613c9b9a7
                                                                      • Instruction Fuzzy Hash: B7118F71B003168FDB149FA9E98496AB7E5FFC4264710462DE9168B314DB79EC05CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2028130800.000000000100D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0100D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_100d000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                      • Instruction ID: 71ea15a3db48f15bd8586a592fdbed05223a2e802ec7b629684331fa5f31c809
                                                                      • Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
                                                                      • Instruction Fuzzy Hash: 8711D075504280CFDB12CF94D5C4B15FFA2FB44314F24C6AAE84D4B696C33AD40ACB62
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: c188bd0a379b8eadce291efe7e1f58ce97bec6b4f1d41012f75ee69824fcc310
                                                                      • Instruction ID: dd2dead81e57635877b1fa10a3ceeb22a2bd247cc2e2adb7935ea776b3644fdf
                                                                      • Opcode Fuzzy Hash: c188bd0a379b8eadce291efe7e1f58ce97bec6b4f1d41012f75ee69824fcc310
                                                                      • Instruction Fuzzy Hash: A01151302007055FC729DB28E950C5EBBAAEFC03583148A2DD05A8B665DF76FD0BCB80
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ed590bbac31f5676c993b5cdb787b1e9e174f7ceacab1ddaf45068c6dcedf1ab
                                                                      • Instruction ID: 25a77d9d92dbb3a692bcb3b998134f36aecda40c24edf79fad910a96e7a0965f
                                                                      • Opcode Fuzzy Hash: ed590bbac31f5676c993b5cdb787b1e9e174f7ceacab1ddaf45068c6dcedf1ab
                                                                      • Instruction Fuzzy Hash: 1301A7717402046FE318967D9A14B2BBADAEFCD254B10803EE60AD7385DE35EC02C760
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 2a5392ae04f89457ccc5d1dccb780da11275ef606a6b986698bf337d122184a8
                                                                      • Instruction ID: 86b4bf4229c121143d8d4fc27de094a65bc18bb9223ad5826e85e4239d477cd0
                                                                      • Opcode Fuzzy Hash: 2a5392ae04f89457ccc5d1dccb780da11275ef606a6b986698bf337d122184a8
                                                                      • Instruction Fuzzy Hash: 9901A7717402446FE318967DAA24B2ABADAEFCD254B10803EE60AD7385DE35EC02C750
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031889371.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ff0000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Hbiq
                                                                      • API String ID: 0-2810847684
                                                                      • Opcode ID: 2e9e05d7cccfe27f34f7e5407167b0a3f9ffa2144d21c35b789df74d7ac70d3c
                                                                      • Instruction ID: 1993c8a6af832d782fae2538501b94ce8c59a198d6efae075851b319e611b829
                                                                      • Opcode Fuzzy Hash: 2e9e05d7cccfe27f34f7e5407167b0a3f9ffa2144d21c35b789df74d7ac70d3c
                                                                      • Instruction Fuzzy Hash: 35424A35A006099FDB14DF68C984AAEBBF2FF48310F158599E945AB361DB30FD46CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: b8a4a0ad38b9170312348001c0a0040bbe89be75b72aa8c81920500e62b8889b
                                                                      • Instruction ID: 3f7c894f967fc1cfde8dbb999544be8a8b09a4e11531756999adc1e71ec4e542
                                                                      • Opcode Fuzzy Hash: b8a4a0ad38b9170312348001c0a0040bbe89be75b72aa8c81920500e62b8889b
                                                                      • Instruction Fuzzy Hash: 4EC21834A00219CFEB25DF64D954AADBBB2FF89305F1085A9D80AE7254DB35ED82CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031889371.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ff0000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0852435c1cd2044bc9c7adce868ff582945d8559c86766e88608417a1de73531
                                                                      • Instruction ID: c469e7512e1c6b276f8e9fd8ee6fae57edb5f06932cb004802a801bbd02478fc
                                                                      • Opcode Fuzzy Hash: 0852435c1cd2044bc9c7adce868ff582945d8559c86766e88608417a1de73531
                                                                      • Instruction Fuzzy Hash: 55625C75E002599FDB11CF58C984AAEBBB2FF88310F198495E915AB366D734FC42CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031889371.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ff0000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 13764aa49540ccb674dd84ab0235ae765821d45f3912ddb252de41bd9eb8d6bf
                                                                      • Instruction ID: 9cc8e4d943bec1dd14257372e246189e75fcba82d358d11750e7c793883b0a78
                                                                      • Opcode Fuzzy Hash: 13764aa49540ccb674dd84ab0235ae765821d45f3912ddb252de41bd9eb8d6bf
                                                                      • Instruction Fuzzy Hash: 59326F35B002099FDB14DFA4D944AAEBBF6FF88310F158069EA059B365DB35ED42CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031889371.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ff0000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9f44d129f6efc765d5462e9192e0778fc43b4b6b0acab0a86f39657d9fdeae83
                                                                      • Instruction ID: 3cc849d7bfc5438bc3ec03f051559ab4eb8521c8b8cac05244802afbd6d6232d
                                                                      • Opcode Fuzzy Hash: 9f44d129f6efc765d5462e9192e0778fc43b4b6b0acab0a86f39657d9fdeae83
                                                                      • Instruction Fuzzy Hash: CA126C75A002059FDB05DF68CA84A6ABBF2FF88300B15C499E509DB366D734FD46CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031889371.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ff0000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ca18b44ed9cead9d2985881b6def416a3de4baca04b8a5370fd09007c9531ccf
                                                                      • Instruction ID: f0473b6a9d09c81e9c10d87b4da36deb0f7917836ec482c8dc47909e4faea651
                                                                      • Opcode Fuzzy Hash: ca18b44ed9cead9d2985881b6def416a3de4baca04b8a5370fd09007c9531ccf
                                                                      • Instruction Fuzzy Hash: 0CF15975A00605CFDB25CF69C984A6ABBF2FF48300F148569E9569B7A2DB34F842CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3739163624e38c8e895efff764acda50886106a7669591756a6881581d173ccb
                                                                      • Instruction ID: bded91ad237d93179426de31ea808f8d30e99c1068ca0e91e18529b99ba7fab7
                                                                      • Opcode Fuzzy Hash: 3739163624e38c8e895efff764acda50886106a7669591756a6881581d173ccb
                                                                      • Instruction Fuzzy Hash: 591296B0401746EAD310CFA7E95C18A3BB1FB8531EF504649E2612F2E9DBBC595ACF44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031889371.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ff0000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 585dc32d20313f4dfa14383e9302228f60bf63c13827311fd94fd82c6f2bda3a
                                                                      • Instruction ID: 9cde36c7b5a58f006fde1bf34e0dc46b07f2c7bca76cfbbdc8f75c54deca5a52
                                                                      • Opcode Fuzzy Hash: 585dc32d20313f4dfa14383e9302228f60bf63c13827311fd94fd82c6f2bda3a
                                                                      • Instruction Fuzzy Hash: E3C1E975B006058FDB04DF69C994AAABBF2FF49310B1584A9EA059B376DB34EC42CB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2028808729.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2930000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: de658d21362dcfd720e0ab25757691292fd401f8fb8a20f2f80fc32bb6a2bc3c
                                                                      • Instruction ID: 6ab2c6615937ef8455a435f841c85921657012cbc241a937f9b76e18fd20e0ed
                                                                      • Opcode Fuzzy Hash: de658d21362dcfd720e0ab25757691292fd401f8fb8a20f2f80fc32bb6a2bc3c
                                                                      • Instruction Fuzzy Hash: 9BA15C32E002198FCF0ADFB5C9449DEB7B6FF85304B15856AE806AB225DB35E916CF50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031546316.0000000004F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04F90000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4f90000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 9782b6b5e2ba7b36d2f1328491175171d6a50cac9217580d9e0bf2c52183c7e7
                                                                      • Instruction ID: d91099265daac38e680c515f80912ab0871ce0275fafc66aa39dd3edad093c7d
                                                                      • Opcode Fuzzy Hash: 9782b6b5e2ba7b36d2f1328491175171d6a50cac9217580d9e0bf2c52183c7e7
                                                                      • Instruction Fuzzy Hash: ACC119B0801746EAD710CFA7E95818A3BB1FB8531EF514209E2612F2E9DBBC594ACF44
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2028808729.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2930000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5fc7ac7b2e8642c056413935a27f5a8eab9cff0e320fb488b4ab0f626ad2f693
                                                                      • Instruction ID: 97597ceccd90f2f697220d323ca73c453766669dbc969b6a61724854ab5fa351
                                                                      • Opcode Fuzzy Hash: 5fc7ac7b2e8642c056413935a27f5a8eab9cff0e320fb488b4ab0f626ad2f693
                                                                      • Instruction Fuzzy Hash: 5041D643C65A2C8FD72347BE68F62C15744DBAF17CB54A261C86C996E6F5480E8BC3C2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2028808729.0000000002930000.00000040.00000800.00020000.00000000.sdmp, Offset: 02930000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_2930000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 876bdb122bc6dc58e0600a26ed5d7895597f07b3037e4b31a292e77406b5d2d0
                                                                      • Instruction ID: 22ab12644d58b4c863404a1503608068a385101ebc0e1f96bc9583efe862e4e2
                                                                      • Opcode Fuzzy Hash: 876bdb122bc6dc58e0600a26ed5d7895597f07b3037e4b31a292e77406b5d2d0
                                                                      • Instruction Fuzzy Hash: 23219503D54A288BDB27477E48BA3C1178597EF17CB54A211C96C547FAF6884D4BC382
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.2031889371.0000000004FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FF0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_4ff0000_sZXuT60Q6P.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: (ohq$(ohq$,lq$,lq$Hlq$d8mq
                                                                      • API String ID: 0-2572861041
                                                                      • Opcode ID: 4be95fe23fef38831617f732de41893a8a6a6e4c0ffb4c8315358ff789f8ddae
                                                                      • Instruction ID: cae5b6ac0f572cebece9359d1fce7944f56df0dd1f987290e5047e06a4800619
                                                                      • Opcode Fuzzy Hash: 4be95fe23fef38831617f732de41893a8a6a6e4c0ffb4c8315358ff789f8ddae
                                                                      • Instruction Fuzzy Hash: 31C14D30B102189FCB149F69D958AAE7BB6BF88740F148069E906D73A5DF34EC42DB91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2048817125.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7e40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'hq$4'hq$4'hq$4'hq
                                                                      • API String ID: 0-1943722090
                                                                      • Opcode ID: 58bc853d276d979033895ad2be039223c0305de37fac563a3a07d65ef563f7ae
                                                                      • Instruction ID: 9de9700c7c381a29a73f58fbc847f85816bda789aa6b654962a4bd377d8ffc1d
                                                                      • Opcode Fuzzy Hash: 58bc853d276d979033895ad2be039223c0305de37fac563a3a07d65ef563f7ae
                                                                      • Instruction Fuzzy Hash: DA127BB1B053198FCB158B69A8117BABBA6AFC2315F14C0BBD905CF651DB31C8C1C7A2
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2039793578.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_37b0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: /o^
                                                                      • API String ID: 0-2733036372
                                                                      • Opcode ID: ec63a83ab79227435d39b9398b154c923958cff2ed8496669caee181012435c5
                                                                      • Instruction ID: a29424dbcdc19b5299d579996c81334f7eb97478a9847d09350fcf11e9b3be38
                                                                      • Opcode Fuzzy Hash: ec63a83ab79227435d39b9398b154c923958cff2ed8496669caee181012435c5
                                                                      • Instruction Fuzzy Hash: 3841727490A3D55FC703DB7CD8A09DABFF4AF46210B0540D7D484DB263D628D849CBA5
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2039793578.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_37b0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 39ccbb08e146a6f493f181ec55df3aaad44b2c066ecb4117c0709855261732f9
                                                                      • Instruction ID: f6fe119411ecbf33fa437a850258ef3414b0a12039f1301459aa494be0d54cef
                                                                      • Opcode Fuzzy Hash: 39ccbb08e146a6f493f181ec55df3aaad44b2c066ecb4117c0709855261732f9
                                                                      • Instruction Fuzzy Hash: 97915A70A01605CFCB15CF58C594ABEFBB5FF49310B288599D815AB3A6C735EC91CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2048817125.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7e40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 4b9a849e3f832e63f44300227c0d2a0764b309775e332000cc34bcd657720f93
                                                                      • Instruction ID: e095920c068189256cffde5fe58596b36d9c587aa31e1ad858be027566105e04
                                                                      • Opcode Fuzzy Hash: 4b9a849e3f832e63f44300227c0d2a0764b309775e332000cc34bcd657720f93
                                                                      • Instruction Fuzzy Hash: F74149F1B4630A8FCF25CF25A941AB977B2AF82349F0590A6C804DF655DB31C8C4C7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2039793578.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_37b0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fccdac762157dffe3c04af838ba3f395f342d1bd8dca062af32328347b397dc3
                                                                      • Instruction ID: eca5f3beba9f5f8dcc3c19a74fabf76148db6ec4190e48eae98c2ff9e76504ce
                                                                      • Opcode Fuzzy Hash: fccdac762157dffe3c04af838ba3f395f342d1bd8dca062af32328347b397dc3
                                                                      • Instruction Fuzzy Hash: 4F412674A015099FCB05CF58C598AFAFBB1FF48310B1585A9D815AB366C732EC91CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2039793578.00000000037B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 037B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_37b0000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7cc0968cf18ae15f71b47d99324f3d17abde8da611a631960b0f3d9e4213b19b
                                                                      • Instruction ID: a55fd8600665c5e6cbacf864184e8d3f7531922d6e768b4486fe0f68fd2efd1a
                                                                      • Opcode Fuzzy Hash: 7cc0968cf18ae15f71b47d99324f3d17abde8da611a631960b0f3d9e4213b19b
                                                                      • Instruction Fuzzy Hash: 5C211A74A042498FCB00CF99D9809AEFBB5FF89310B158199D815AB362C331ED45CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2039389938.000000000369D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0369D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_369d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: fe77faff44345ac7bc7b75ffd78859b9a857da86fbea1067758a60d53ad93b2b
                                                                      • Instruction ID: cf96f02ba51f6e550cf6868c9bb2c8da2855bb5a33dd8b16529d30b59b22b8ed
                                                                      • Opcode Fuzzy Hash: fe77faff44345ac7bc7b75ffd78859b9a857da86fbea1067758a60d53ad93b2b
                                                                      • Instruction Fuzzy Hash: F7014C714093809FEB128F258D84752BFA8EF53224F19849BE9888F2A7C2795845CB71
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2039389938.000000000369D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0369D000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_369d000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 56f9e0ed6b3fd31ed49aaac21d8d5bea4ff5cdececbd5da749e58dbee1c02f12
                                                                      • Instruction ID: 622b4eecb13db656cbccbd80cc4ad247f8d1c0f9383d73b36383417fc3d948be
                                                                      • Opcode Fuzzy Hash: 56f9e0ed6b3fd31ed49aaac21d8d5bea4ff5cdececbd5da749e58dbee1c02f12
                                                                      • Instruction Fuzzy Hash: 670184714053449AEB20CE15CD84B66FF9CEF46324F1DC57AED480B246C2799842C6B1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2048817125.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7e40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'hq$4'hq$tPhq$tPhq$tPhq$tPhq$$hq$$hq$$hq$$hq
                                                                      • API String ID: 0-1426614148
                                                                      • Opcode ID: 77d319cb929d9014a21d2aa391e7822907b53ac1c27a044d5b229e551a39d411
                                                                      • Instruction ID: 4f20de2fb33c18a341642cbc3bd56794c6d70ae6bd8011644e757318a60aad66
                                                                      • Opcode Fuzzy Hash: 77d319cb929d9014a21d2aa391e7822907b53ac1c27a044d5b229e551a39d411
                                                                      • Instruction Fuzzy Hash: 16D15C717063499FCB258B6DA8157A7BBB6AF82314F14C0BBD505CB291DA35C8C4C7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2048817125.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7e40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'hq$4'hq$tPhq$tPhq$$hq$$hq$$hq
                                                                      • API String ID: 0-1980957156
                                                                      • Opcode ID: 8fe14a6644c2f0dc20462e786defe1c38f8ffff1d94033bfe98eb8b84e93e31b
                                                                      • Instruction ID: bce1dfe197cad6b16ec2279bf857078514d58d8fcb79660e76dd0483de182cd9
                                                                      • Opcode Fuzzy Hash: 8fe14a6644c2f0dc20462e786defe1c38f8ffff1d94033bfe98eb8b84e93e31b
                                                                      • Instruction Fuzzy Hash: AEC148B27053198FCF209B6DA4112AABBE6EFC2214F1980BAD805CB751DA35DCC5C7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2048817125.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7e40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'hq$4'hq$tPhq$tPhq$$hq$$hq$$hq
                                                                      • API String ID: 0-1980957156
                                                                      • Opcode ID: 1e7670c990f6bb21411c25780136e7a5ef48e10effc8cccf5ac114d997397e4c
                                                                      • Instruction ID: 5df07a60d7d00776d67bd7e08491bfc4ff42671f0293423466bdfa6370965971
                                                                      • Opcode Fuzzy Hash: 1e7670c990f6bb21411c25780136e7a5ef48e10effc8cccf5ac114d997397e4c
                                                                      • Instruction Fuzzy Hash: C2A16DB27053158FC7219B79A8106BBBBA6EFC5214F1884FBD605CB692DB35CC81C7A1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2048817125.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7e40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: $hq$$hq$$hq$$hq
                                                                      • API String ID: 0-3863560591
                                                                      • Opcode ID: e92f64b9278092ece9143fbf2ba3f78f6b5f39a03beaa4eaca6b2cc79ca925b0
                                                                      • Instruction ID: 67e9c4ef03e47d1055d00be7601a47acc5763d834f45e78aa9e722844a78e652
                                                                      • Opcode Fuzzy Hash: e92f64b9278092ece9143fbf2ba3f78f6b5f39a03beaa4eaca6b2cc79ca925b0
                                                                      • Instruction Fuzzy Hash: D42188B13153165BD724592FA801767BB9BAFC1724F24942AE804DB785DD36C880C378
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000002.00000002.2048817125.0000000007E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 07E40000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_2_2_7e40000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 4'hq$4'hq$$hq$$hq
                                                                      • API String ID: 0-646479249
                                                                      • Opcode ID: 060baacb594875a48a6528b8a50754157510bdf1a97687b050576d62619f4b12
                                                                      • Instruction ID: 2a8c5477ca7e128146be5851c35917f935aaa829e81e25618b6b8800c02ac68a
                                                                      • Opcode Fuzzy Hash: 060baacb594875a48a6528b8a50754157510bdf1a97687b050576d62619f4b12
                                                                      • Instruction Fuzzy Hash: D101266130A3854FC72B566968302B63FB6AFC2510B1A41FBD181CB792CD1A4C45C7BB
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:12%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:1.2%
                                                                      Total number of Nodes:258
                                                                      Total number of Limit Nodes:31

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 1316 f87ed0-f87f54 CheckRemoteDebuggerPresent 1318 f87f5d-f87f98 1316->1318 1319 f87f56-f87f5c 1316->1319 1319->1318
                                                                      APIs
                                                                      • CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00F87F47
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.4479775287.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_f80000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: CheckDebuggerPresentRemote
                                                                      • String ID:
                                                                      • API String ID: 3662101638-0
                                                                      • Opcode ID: 202eb557a4098277979cade251672c94be68c163863fcf4f60a5bfd471f04c42
                                                                      • Instruction ID: 68064eeb35a20dcfb229be535633691867d14b9e41482d09ea2291ea65a86745
                                                                      • Opcode Fuzzy Hash: 202eb557a4098277979cade251672c94be68c163863fcf4f60a5bfd471f04c42
                                                                      • Instruction Fuzzy Hash: E92137B19012598FCB10DF9AD884BEEFBF4EF49320F14845AE559B3250D778A944CFA1
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 1236 660a892-660a8fe 1238 660a900-660a906 1236->1238 1239 660a909-660a910 1236->1239 1238->1239 1240 660a912-660a918 1239->1240 1241 660a91b-660a953 1239->1241 1240->1241 1242 660a95b-660a9ba CreateWindowExW 1241->1242 1243 660a9c3-660a9fb 1242->1243 1244 660a9bc-660a9c2 1242->1244 1248 660aa08 1243->1248 1249 660a9fd-660aa00 1243->1249 1244->1243 1250 660aa09 1248->1250 1249->1248 1250->1250
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0660A9AA
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.4500165694.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_6600000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: 5a1af7538e275933870df6d5c3e821df2bb65d18b00e4bd8acf360ccbe9aabe2
                                                                      • Instruction ID: 956cdfd70210cf94595beb00987ba07a626fd6f728de35f25dc214e8ab2640ce
                                                                      • Opcode Fuzzy Hash: 5a1af7538e275933870df6d5c3e821df2bb65d18b00e4bd8acf360ccbe9aabe2
                                                                      • Instruction Fuzzy Hash: 3851C0B1D103099FDB14CF9AC984ADEBBB5BF48310F24852AE418AB254D775A845CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 1251 660a898-660a8fe 1252 660a900-660a906 1251->1252 1253 660a909-660a910 1251->1253 1252->1253 1254 660a912-660a918 1253->1254 1255 660a91b-660a9ba CreateWindowExW 1253->1255 1254->1255 1257 660a9c3-660a9fb 1255->1257 1258 660a9bc-660a9c2 1255->1258 1262 660aa08 1257->1262 1263 660a9fd-660aa00 1257->1263 1258->1257 1264 660aa09 1262->1264 1263->1262 1264->1264
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 0660A9AA
                                                                      Memory Dump Source
                                                                      • Source File: 00000004.00000002.4500165694.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_4_2_6600000_RegAsm.jbxd
                                                                      Similarity
                                                                      • API ID: CreateWindow
                                                                      • String ID:
                                                                      • API String ID: 716092398-0
                                                                      • Opcode ID: 6765d9aeef82f7c883d4d3ec242c521fa306f64f790a7f6906777cc664249a1b
                                                                      • Instruction ID: 1a0196e5832dce182f50d9f141f8acb6bc359318089a031597c810386892ef6d
                                                                      • Opcode Fuzzy Hash: 6765d9aeef82f7c883d4d3ec242c521fa306f64f790a7f6906777cc664249a1b
                                                                      • Instruction Fuzzy Hash: 3041D0B1D103099FDB14CFDAC984ADEBBB5FF48310F24852AE818AB250D775A885CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

Control-flow Graph: basic-block graph not reproduced (API call node: CallWindowProcW)
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 0660F6E9
Memory Dump Source
• Source File: 00000004.00000002.4500165694.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6600000_RegAsm.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: d06a59ea40ed94a9ca978a906e2dfe1e8f7c6ada24861140106e63cab4d374c7
• Instruction ID: c428e51b67065019a25c04377e333f448dc3daec2be6f4d69ace7993e47e5315
• Opcode Fuzzy Hash: d06a59ea40ed94a9ca978a906e2dfe1e8f7c6ada24861140106e63cab4d374c7
• Instruction Fuzzy Hash: 7E415AB5A00305DFDB58CF99C888AABBBF5FF88314F24C459D919A7360D734A841CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: basic-block graph not reproduced (API call node: OleGetClipboard)
APIs
Memory Dump Source
• Source File: 00000004.00000002.4479775287.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f80000_RegAsm.jbxd
Similarity
• API ID: Clipboard
• String ID:
• API String ID: 220874293-0
• Opcode ID: 766dce09004cf182a40ef3a91f5acfd0c8210aeb99cc227ee5cfa1f7e8ea119c
• Instruction ID: f3ed7e863e72176a8a8e1876f0eee62382add46d978b3d42060d426df812d09d
• Opcode Fuzzy Hash: 766dce09004cf182a40ef3a91f5acfd0c8210aeb99cc227ee5cfa1f7e8ea119c
• Instruction Fuzzy Hash: 703123B0D01248DFDB14DFA9C985BDEBBF5BF48714F248019E504BB294CBB86885CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: basic-block graph not reproduced (API call node: OleGetClipboard)
APIs
Memory Dump Source
• Source File: 00000004.00000002.4479775287.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f80000_RegAsm.jbxd
Similarity
• API ID: Clipboard
• String ID:
• API String ID: 220874293-0
• Opcode ID: d6a525c3cac169cb3ae15e0170a896f220f2876918044de2f560f168d2778574
• Instruction ID: 17fb807c7bd61408d40961711f892ec016cfdba5b17f3730ecc3f241df3eff37
• Opcode Fuzzy Hash: d6a525c3cac169cb3ae15e0170a896f220f2876918044de2f560f168d2778574
• Instruction Fuzzy Hash: 603100B0D01248DFDB14EF99C984BCDBBF5BF48714F248019E404BB294CBB8A945CBA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: basic-block graph not reproduced (API call node: CheckRemoteDebuggerPresent)
APIs
• CheckRemoteDebuggerPresent.KERNEL32(?,?), ref: 00F87F47
Memory Dump Source
• Source File: 00000004.00000002.4479775287.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f80000_RegAsm.jbxd
Similarity
• API ID: CheckDebuggerPresentRemote
• String ID:
• API String ID: 3662101638-0
• Opcode ID: f81773926d76fbc7f9774aecefcabd3a98fc260a7e8358acdc07427813b903e2
• Instruction ID: 2dc6727fc923277d6a05c4812bd635944d8ee383c86df71cf5613c67d99700ca
• Opcode Fuzzy Hash: f81773926d76fbc7f9774aecefcabd3a98fc260a7e8358acdc07427813b903e2
• Instruction Fuzzy Hash: 7B214AB18002598FDB10DF9AD484BEEBBF4EF49324F14846AE559B3350C778A944CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: basic-block graph not reproduced (API call node: DuplicateHandle)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0660E81F
Memory Dump Source
• Source File: 00000004.00000002.4500165694.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6600000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: ab7274a6ae53fd416d1790fdcbc7cc5e8a39f0c1480aa3a36f3371790f309e4e
• Instruction ID: 633ccad59aaf16598805bc387af8cd06a01e4a69ce5c6e7032ba673050d700da
• Opcode Fuzzy Hash: ab7274a6ae53fd416d1790fdcbc7cc5e8a39f0c1480aa3a36f3371790f309e4e
• Instruction Fuzzy Hash: 1821E9B5D01248AFDB10CFA9D984ADEBFF4FB48310F14841AE914A7350D774A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: basic-block graph not reproduced (API call node: DuplicateHandle)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0660E81F
Memory Dump Source
• Source File: 00000004.00000002.4500165694.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6600000_RegAsm.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 396c99896c67a02f431173b893eb9d0fe2793eadd40e4e5f93c647cb143b5af6
• Instruction ID: f5ced993a82f9a943e79c1336287d8d7018908b2755513210095d8974177c0ff
• Opcode Fuzzy Hash: 396c99896c67a02f431173b893eb9d0fe2793eadd40e4e5f93c647cb143b5af6
• Instruction Fuzzy Hash: 6221C4B5D00259AFDB10CFAAD984ADEBFF4FB48310F14841AE918A3350D379A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: basic-block graph not reproduced (API call node: GetModuleHandleW)
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 06609856
Memory Dump Source
• Source File: 00000004.00000002.4500165694.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6600000_RegAsm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 81fb4ded58b222718e1cd3fafc8b5aee1497fb26e2e528e04ee69e2574581dee
• Instruction ID: 31457aa4fe78bafb08a474d36aa28e47130c9142c6b565eea49b781d030bc243
• Opcode Fuzzy Hash: 81fb4ded58b222718e1cd3fafc8b5aee1497fb26e2e528e04ee69e2574581dee
• Instruction Fuzzy Hash: 041123B5C002499EDB10CF9AD844ADEFBF8EF49310F10852AD419A7300C378A545CFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: basic-block graph not reproduced (API call node: GetModuleHandleW)
APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 06609856
Memory Dump Source
• Source File: 00000004.00000002.4500165694.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6600000_RegAsm.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: d24accbe56b0fcdcbafbc4728c8ff3a97a57ae69d06d11c006630696c50b619b
• Instruction ID: a57a7ace363722268c14e9cf0974e79c5e6b1e60f4de0948fbd662d141537b7f
• Opcode Fuzzy Hash: d24accbe56b0fcdcbafbc4728c8ff3a97a57ae69d06d11c006630696c50b619b
• Instruction Fuzzy Hash: 241120B6C002498FDB14DF9AD844ADEFBF5EB88314F10852AD919B7301C378A545CFA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0660F935), ref: 0660F9BF
Memory Dump Source
• Source File: 00000004.00000002.4500165694.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6600000_RegAsm.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 56c447e842bd164ca08a99338f2b89ded7701c65d47834bdf37b326029b36023
• Instruction ID: fb0eecf7ec8b14779238654f191b0d8812422c4780bc89e537b88583c91fb8dd
• Opcode Fuzzy Hash: 56c447e842bd164ca08a99338f2b89ded7701c65d47834bdf37b326029b36023
• Instruction Fuzzy Hash: 5B1136B58002488FDB60DF99D444B9EBBF4EB49324F20841AD919B3240C774A944CFE5
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.4479775287.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f80000_RegAsm.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 4021d3b4cd018c478581b4a2dd913cb888dc66c66fced4113f25087e6baf094a
• Instruction ID: fcac7d98afd5245f331d4df615c6301c978409678fed1e999daec4d71fa38dcd
• Opcode Fuzzy Hash: 4021d3b4cd018c478581b4a2dd913cb888dc66c66fced4113f25087e6baf094a
• Instruction Fuzzy Hash: 2E1115B5D002488FCB10DFAAD544BDEFFF4EB48324F248459D518A7210C379A945CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0660F935), ref: 0660F9BF
Memory Dump Source
• Source File: 00000004.00000002.4500165694.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_6600000_RegAsm.jbxd
Similarity
• API ID: CallbackDispatcherUser
• String ID:
• API String ID: 2492992576-0
• Opcode ID: 42d733c8b790a04edd0138b787be1a8fd8fed86ad96f4b01ff589db872569c68
• Instruction ID: ab7fd6d065aab5c0a9867e4979c13805f2cc813fe8f06ecb6657df5229535ef1
• Opcode Fuzzy Hash: 42d733c8b790a04edd0138b787be1a8fd8fed86ad96f4b01ff589db872569c68
• Instruction Fuzzy Hash: CF1148B18002498FCB20DF99C444BDEFFF4EF49324F20841AD519A7240C774A944CFA5
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000004.00000002.4479775287.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_f80000_RegAsm.jbxd
Similarity
• API ID: Initialize
• String ID:
• API String ID: 2538663250-0
• Opcode ID: 247a23c96d3f997e89f1c01ea7a5ec8d6cb4b159c832227ffdbf3b3a877d0857
• Instruction ID: 5b2dd35a020d2310a38d555e392338b930255066f9f6d70af800e455d278e34f
• Opcode Fuzzy Hash: 247a23c96d3f997e89f1c01ea7a5ec8d6cb4b159c832227ffdbf3b3a877d0857
• Instruction Fuzzy Hash: EA11E2B59006488FCB20DF9AD549BDEBFF4EB48324F248459D518A7210C779A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.4476958604.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_c1d000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd38066480902fa044d9e9aad3366df995e4414f41f852f5f3f55e62a467ef4b
• Instruction ID: 9e37f0128faba9492c2ffbb1c189ae28faf9fc5d414eacb0b59f108c44339cee
• Opcode Fuzzy Hash: dd38066480902fa044d9e9aad3366df995e4414f41f852f5f3f55e62a467ef4b
• Instruction Fuzzy Hash: D5316B7150D3C49FCB03CB24C994711BF71AB47214F29C5EBD9898F2A3C23A984ADB62
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.4476958604.0000000000C1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C1D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_c1d000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 16686f6682520f9601e2cef589636c58d942f8a5e4504504f63d3064baa93416
• Instruction ID: 86a0d3662c146175a436c4bd9d6fe0416eebfa36d61f48b7b6042d7c3a64d835
• Opcode Fuzzy Hash: 16686f6682520f9601e2cef589636c58d942f8a5e4504504f63d3064baa93416
• Instruction Fuzzy Hash: 35212271504204DFCB14DF14D980B26BBA5EB89314F24C669D80A4B256C33AD886EA62
Uniqueness

Uniqueness Score: -1.00%